adal 1.0.0

data/spec/adal/authentication_parameters_spec.rb

@@ -0,0 +1,107 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+require 'uri'
+
+describe ADAL::AuthenticationParameters do
+  describe '::create_from_resource_url' do
+    it 'should make an request to the resource server and parse the response' do
+      expect(Net::HTTP).to receive(:post_form).once.and_return(
+        'www-authenticate' => 'Bearer authorization_uri="sample.com"')
+      params = ADAL::AuthenticationParameters.create_from_resource_url('a.io')
+      expect(params.authority_uri).to eq(URI.parse('sample.com'))
+    end
+
+    it 'should fail if the url is not a valid url' do
+      bad_url = 'this is not a valid url'
+      expect do
+        ADAL::AuthenticationParameters.create_from_resource_url(bad_url)
+      end.to raise_error(URI::InvalidURIError)
+    end
+
+    it 'should fail if the response does not contain an authenticate header' do
+      allow(Net::HTTP).to receive(:post_form).and_return(
+        body: 'abc', 'content-type' => 'application/json')
+      expect do
+        ADAL::AuthenticationParameters.create_from_resource_url('myurl.com')
+      end.to raise_error(ArgumentError)
+    end
+
+    it 'should fail if the resource server does not response' do
+      allow(Net::HTTP).to receive(:post_form).and_raise(Timeout::Error)
+      expect do
+        ADAL::AuthenticationParameters.create_from_resource_url('myurl.com')
+      end.to raise_error(Timeout::Error)
+    end
+  end
+
+  describe '::create_from_authenticate_header' do
+    it 'should successfully parse a valid authentication header' do
+      params = ADAL::AuthenticationParameters.create_from_authenticate_header(
+        'Bearer authorization_uri="foobar,lj,;l,", resource="a( res&*^ource"')
+      expect(params.authority_uri).to eq(URI.parse('foobar,lj,;l,'))
+      expect(params.resource).to eq('a( res&*^ource')
+    end
+
+    it 'should return nil if the input is nil' do
+      expect(
+        ADAL::AuthenticationParameters.create_from_authenticate_header(nil)
+      ).to be_nil
+    end
+
+    it 'should return nil if the header does not contain an authority key' do
+      expect(
+        ADAL::AuthenticationParameters.create_from_authenticate_header(
+          'Bearer: resource="http://graph.windows.net"')
+      ).to be_nil
+    end
+  end
+
+  describe '#create_context' do
+    before(:each) do
+      auth_uri = 'https://login.windows.net/mytenant.onmicrosoft.com'
+      @auth_params = ADAL::AuthenticationParameters.new(auth_uri)
+    end
+
+    it 'should return an AuthenticationContext object' do
+      expect(@auth_params.create_context).to be_a(ADAL::AuthenticationContext)
+    end
+
+    it 'should extract the host and tenant from the authorize uri' do
+      # @authority does not have a getter, so we have to use Ruby voodoo.
+      authority = @auth_params.create_context.instance_variable_get(:@authority)
+      expect(authority.host).to eq('login.windows.net')
+      expect(authority.tenant).to eq('mytenant.onmicrosoft.com')
+    end
+  end
+
+  describe '#initialize' do
+    it 'should fail if the authorize uri is not a valid uri' do
+      bad_auth_uri = 'not a real parsable uri'
+      expect do
+        ADAL::AuthenticationParameters.new(bad_auth_uri)
+      end.to raise_error(URI::InvalidURIError)
+    end
+  end
+end

data/spec/adal/authority_spec.rb

@@ -0,0 +1,122 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+
+describe ADAL::Authority do
+  let(:auth_host) { 'login.windows.net' }
+  let(:tenant) { 'atenant.onmicrosoft.com' }
+
+  describe '#token_endpoint' do
+    it 'should correctly construct token endpoints' do
+      auth = ADAL::Authority.new(auth_host, tenant)
+      expect(auth.token_endpoint.to_s).to eq(
+        "https://#{auth_host}/#{tenant}/oauth2/token")
+    end
+  end
+
+  describe '#authorize_endpoint' do
+    context 'with additional params' do
+      it 'should correctly construct the authorize endpoint' do
+        auth = ADAL::Authority.new(auth_host, tenant)
+        expect(auth.authorize_endpoint(foo: :bar).to_s).to eq(
+          "https://#{auth_host}/#{tenant}/oauth2/authorize?foo=bar")
+      end
+    end
+
+    context 'with no additional params' do
+      it 'should correctly construct the authorize endpoint' do
+        auth = ADAL::Authority.new(auth_host, tenant)
+        expect(auth.authorize_endpoint.to_s).to eq(
+          "https://#{auth_host}/#{tenant}/oauth2/authorize")
+      end
+    end
+  end
+
+  describe '#validate' do
+    it 'should not do anything if validate_authority was set to false in the ' \
+       ' constructor' do
+      auth = ADAL::Authority.new(auth_host, tenant)
+      expect(auth).to_not receive(:validated_statically?)
+      expect(auth).to_not receive(:validated_dynamically?)
+      expect(auth.validate).to be_truthy
+    end
+
+    it 'should attempt static validation before dynamic validation' do
+      auth = ADAL::Authority.new(
+        auth_host, tenant, true)
+      expect(auth).to receive(:validated_statically?).once.and_return true
+      expect(auth).to_not receive(:validated_dynamically?)
+      expect(auth.validate).to be_truthy
+    end
+
+    it 'should successfully validate statically with a well known host' do
+      auth = ADAL::Authority.new(
+        auth_host, tenant, true)
+      expect(auth).to_not receive(:validated_dynamically?)
+      expect(auth.validate).to be_truthy
+    end
+
+    it 'should successully validate dynamically with the discovery endpoint' do
+      auth = ADAL::Authority.new(
+        'someothersite.net', tenant, true)
+      expect(Net::HTTP).to receive(:get).once.and_return('{"tenant_discovery_' \
+        'endpoint": "https://login.windows.net/atenant.onmicrosoft.com/.well-' \
+        'known/openid-configuration"}')
+      expect(auth.validate).to be_truthy
+    end
+
+    it 'should not make a network connection after it validates once' do
+      auth = ADAL::Authority.new(
+        'someothersite.net', tenant, true)
+      expect(Net::HTTP).to receive(:get).once.and_return(
+        '{"tenant_discovery_endpoint": "endpoint"}')
+      expect(auth.validate).to be_truthy
+      expect(auth.validate).to be_truthy
+      expect(auth.validate).to be_truthy
+      expect(auth.validate).to be_truthy
+    end
+
+    it 'should be false if dynamic validation does not respond' do
+      auth_host = 'notvalid.com'
+      dynamic_validation_endpoint =
+        'https://login.microsoftonline.com/common/discovery/instance?api-vers' \
+        "ion=1.0&authorization_endpoint=https://#{auth_host}/#{tenant}/oauth2" \
+        '/authorize'
+      auth = ADAL::Authority.new('notvalid.com', tenant, true)
+      stub_request(:get, dynamic_validation_endpoint).to_return(status: 500)
+      expect(auth.validate).to be_falsey
+    end
+
+    it 'should be false if dynamic validation response is invalid' do
+      auth_host = 'notvalid.com'
+      dynamic_validation_endpoint =
+        'https://login.microsoftonline.com/common/discovery/instance?api-vers' \
+        "ion=1.0&authorization_endpoint=https://#{auth_host}/#{tenant}/oauth2" \
+        '/authorize'
+      auth = ADAL::Authority.new('notvalid.com', tenant, true)
+      stub_request(:get, dynamic_validation_endpoint)
+        .to_return(status: 200, body: '{}')
+      expect(auth.validate).to be_falsey
+    end
+  end
+end

data/spec/adal/cache_driver_spec.rb

@@ -0,0 +1,191 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../spec_helper'
+require_relative '../support/fake_data'
+
+include FakeData
+
+describe ADAL::CacheDriver do
+  let(:authority) { ADAL::Authority.new(AUTHORITY, TENANT) }
+  let(:client_id) { CLIENT_ID }
+  let(:client) { ADAL::ClientCredential.new(client_id) }
+  let(:driver) { ADAL::CacheDriver.new(authority, client, token_cache) }
+  let(:success_response) { ADAL::SuccessResponse.new }
+
+  describe '#add' do
+    let(:token_cache) { ADAL::MemoryCache.new }
+
+    context 'with an empty memory cache' do
+      before(:each) { driver.add(success_response) }
+
+      it 'should leave the cache with exactly one entry' do
+        expect(token_cache.entries.size).to eq 1
+      end
+
+      it 'should put the token response in the token cache' do
+        expect(token_cache.entries.map(&:token_response))
+          .to include success_response
+      end
+    end
+
+    context 'when the cache already contains the entry' do
+      before(:each) do
+        driver.add(success_response)
+        driver.add(success_response)
+      end
+
+      it 'should not put a duplicate in the cache' do
+        expect(token_cache.entries.uniq).to match_array(token_cache.entries)
+      end
+
+      it 'should leave the cache with the same number of entries' do
+        expect(token_cache.entries.size).to eq 1
+      end
+    end
+
+    context 'when the cache contains non-matching entries' do
+      let(:idtoken1) { JWT.encode({ upn: 'user1' }, '') }
+      let(:idtoken2) { JWT.encode({ upn: 'user2' }, '') }
+      let(:token1) { ADAL::SuccessResponse.new(id_token: idtoken1) }
+      let(:token2) { ADAL::SuccessResponse.new(id_token: idtoken2) }
+      before(:each) do
+        driver.add(token1)
+        driver.add(token2)
+        driver.add(ADAL::SuccessResponse.new(refresh_token: REFRESH_TOKEN,
+                                             resource: RESOURCE,
+                                             id_token: idtoken1))
+      end
+
+      it 'should update the refresh tokens of the matching entries' do
+        expect(token1.refresh_token).to eq(REFRESH_TOKEN)
+      end
+
+      it 'should not update the refresh tokens of the non-matching entries' do
+        expect(token2.refresh_token).to be nil
+      end
+    end
+  end
+
+  describe '#find' do
+    let(:token_cache) { ADAL::MemoryCache.new }
+    let(:resource1) { 'resource1' }
+    let(:resource2) { 'resource2' }
+    let(:user1) { 'user1' }
+    let(:user2) { 'user2' }
+    let(:user3) { 'user3' }
+    let(:expiry) { 100 }
+    let(:response1) do
+      ADAL::SuccessResponse.new(resource: resource1,
+                                user_info: user1,
+                                expires_in: expiry)
+    end
+    let(:response2) do
+      ADAL::SuccessResponse.new(resource: resource1,
+                                user_info: user2,
+                                expires_in: expiry,
+                                refresh_token: REFRESH_TOKEN)
+    end
+    before(:each) do
+      driver.add(response1)
+      driver.add(response2)
+    end
+
+    let(:query) { { user_info: user, resource: resource } }
+    subject { driver.find(query) }
+
+    context 'with a user that is not in the cache' do
+      let(:resource) { resource1 }
+      let(:user) { user3 }
+      it { is_expected.to be nil }
+    end
+
+    context 'with a user that is in the cache' do
+      let(:user) { user2 }
+
+      context 'with a resource that is in the cache' do
+        let(:resource) { resource1 }
+
+        context 'which is expired' do
+          let(:expiry) { -10 }
+          let(:updated_access_token) { 'some access token' }
+          let(:refresh_response) do
+            double(body: "{\"access_token\": \"#{updated_access_token}\", \"r" \
+                         "esource\": \"#{resource1}\"}")
+          end
+          before(:each) do
+            allow_any_instance_of(Net::HTTP).to receive(:request)
+              .and_return(refresh_response)
+          end
+
+          it { is_expected.to_not be_nil }
+          it 'should refresh the access token' do
+            expect(subject.access_token).to eq(updated_access_token)
+          end
+        end
+
+        context 'which is not expired' do
+          it { is_expected.to be response2 }
+        end
+      end
+
+      context 'with a resource that is not in the cache' do
+        let(:resource) { resource2 }
+
+        context 'without an mrrt' do
+          let(:user) { user1 }
+          it { is_expected.to be nil }
+        end
+
+        context 'with an mrrt' do
+          it { is_expected.to_not be nil }
+          it 'should fetch a new access token from OAuth' do
+            expect(subject.access_token).to eq(RETURNED_TOKEN)
+          end
+        end
+      end
+    end
+
+    context 'with no cache' do
+      let(:token_cache) { ADAL::NoopCache.new }
+      let(:user) { user1 }
+      let(:resource) { resource1 }
+
+      it { is_expected.to be_nil }
+      it { expect { subject }.to_not raise_error }
+    end
+  end
+
+  context 'with a nonmatching client' do
+    describe '#find' do
+      let(:query) { { resource: RESOURCE, client_id: client.client_id } }
+      subject { driver.find(query) }
+
+      let(:token_cache) { ADAL::MemoryCache.new }
+      before(:each) do
+        driver.add(ADAL::SuccessResponse.new(client_id: 'different client id'))
+      end
+
+      it { is_expected.to be_nil }
+    end
+  end
+end

data/spec/adal/cached_token_response_spec.rb

@@ -0,0 +1,148 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative '../support/fake_data'
+require_relative '../spec_helper'
+
+include FakeData
+
+describe ADAL::CachedTokenResponse do
+  let(:authority) { ADAL::Authority.new(AUTHORITY, TENANT) }
+  let(:client) { ADAL::ClientCredential.new(CLIENT_ID) }
+  let(:expires_in) { 100 }
+  let(:resource) { RESOURCE }
+  let(:refresh_token) { REFRESH_TOKEN }
+  let(:response) do
+    ADAL::SuccessResponse.new(
+      resource: resource, refresh_token: refresh_token, expires_in: expires_in)
+  end
+
+  describe '#initialize' do
+    subject { -> { ADAL::CachedTokenResponse.new(client, authority, resp) } }
+
+    context 'with a SuccessResponse' do
+      let(:resp) { ADAL::SuccessResponse.new }
+
+      it { is_expected.to_not raise_error }
+    end
+
+    context 'with an ErrorResponse' do
+      let(:resp) { ADAL::ErrorResponse.new }
+
+      it { is_expected.to raise_error ArgumentError }
+    end
+  end
+
+  describe '#validate' do
+    subject do
+      ADAL::CachedTokenResponse.new(client, authority, response).validate
+    end
+
+    context 'with a non expired token' do
+      let(:expires_in) { 100 }
+
+      it { is_expected.to be_truthy }
+    end
+
+    context 'with an expired token' do
+      let(:expires_in) { -100 }
+
+      context 'with no refresh token' do
+        let(:refresh_token) { nil }
+
+        it { is_expected.to be_falsey }
+      end
+
+      context 'with a refresh token that fails to refresh' do
+        let(:refresh_token) { REFRESH_TOKEN }
+        before(:each) { stub_request(:post, /.*/).and_return(status: 500) }
+
+        it { is_expected.to be_falsey }
+      end
+    end
+  end
+
+  describe '#mrrt?' do
+    subject { ADAL::CachedTokenResponse.new(client, authority, response) }
+
+    context 'with a refresh_token' do
+      let(:refresh_token) { REFRESH_TOKEN }
+
+      context 'with a resource' do
+        let(:resource) { RESOURCE }
+        it { is_expected.to be_mrrt }
+      end
+
+      context 'without a resource' do
+        let(:resource) { nil }
+        it { is_expected.to_not be_mrrt }
+      end
+    end
+
+    context 'wihout a refresh_token' do
+      let(:refresh_token) { nil }
+
+      context 'with a resource' do
+        let(:resource) { RESOURCE }
+        it { is_expected.to_not be_mrrt }
+      end
+
+      context 'without a resource' do
+        let(:resource) { nil }
+        it { is_expected.to_not be_mrrt }
+      end
+    end
+  end
+
+  describe '#can_refresh?' do
+    let(:other) { ADAL::CachedTokenResponse.new(client, oauthority, response) }
+    subject do
+      ADAL::CachedTokenResponse.new(client, authority, response)
+        .can_refresh?(other)
+    end
+
+    context 'when not an mrrt' do
+      let(:oauthority) { authority }
+      let(:refresh_token) { nil }
+
+      it { is_expected.to be_falsey }
+    end
+
+    context 'when an mrrt' do
+      context 'when fields match' do
+        let(:oauthority) { authority }
+        it { is_expected.to be_truthy }
+      end
+
+      context 'when fields do not match' do
+        let(:oauthority) { 'some other authority' }
+        it { is_expected.to be_falsey }
+      end
+    end
+  end
+
+  it 'provides proxy access to token response fields' do
+    expect(
+      ADAL::CachedTokenResponse.new(client, AUTHORITY, response).resource
+    ).to eq RESOURCE
+  end
+end