aker 3.0.0.pre

data/spec/aker/ldap/ldap-users.ldif

@@ -0,0 +1,197 @@
+version: 1
+
+# These records were derived from the NU LDAP servers on 2010-10-28.
+# They've been obscured slightly.
+
+dn: ou=People, dc=northwestern, dc=edu
+objectClass: top
+objectClass: organizationalUnit
+ou: People
+
+dn: uid=sbw, ou=People, dc=northwestern, dc=edu
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+cn: b
+cn: b whitaker
+cn: sean
+cn: sean b whitaker
+cn: sean whitaker
+cn: whitaker
+cn: whitaker,sean
+cn: whitaker,sean b
+displayName: Sean B Whitaker
+givenName: Sean
+sn: Whitaker
+uid: sbw
+employeeNumber: 103
+mail: s-whitaker@northwestern.edu
+ou: NU Clinical and Translational Sciences Institute, Feinberg School of Med
+ icine
+ou: People
+telephoneNumber: +1 312 555 2310
+title: Project Manager IT
+# Password is 'sean'
+userpassword: {SHA}1+GZMMwfQsLQeB9Nnm8f5Ykb+c8=
+
+dn: uid=cbrinson, ou=People, dc=northwestern, dc=edu
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+cn: brinson
+cn: brinson,cate
+cn: brinson,kate
+cn: brinson,l catherine
+cn: cate
+cn: cate brinson
+cn: cate kate
+cn: catherine
+cn: kate
+cn: kate brinson
+cn: l
+cn: l catherine
+cn: l catherine brinson
+cn: l catherine cate
+cn: l catherine cate kate brinson
+cn: l catherine kate
+displayName: L Catherine Brinson
+givenName: L Catherine
+sn: Brinson
+uid: cbrinson
+employeeNumber: 100
+facsimileTelephoneNumber: +1 847 555 0540
+mail: cbrinson@northwestern.edu
+ou: McC Mechanical Engineering
+ou: People
+postalAddress: TECH 2145 Sheridan Rd$B226$EV 3111
+telephoneNumber: +1 847 555 2347
+title: Professor
+title: Chairperson
+# Password is 'cate'
+userpassword: {SHA}9MmlgfQ7prbm5Zyjotth2/pu4ks=
+
+dn: uid=wakibbe, ou=People, dc=northwestern, dc=edu
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+cn: a
+cn: a kibbe
+cn: kibbe
+cn: kibbe,wak
+cn: kibbe,warren
+cn: kibbe,warren a
+cn: wak
+cn: wak kibbe
+cn: warren
+cn: warren a kibbe
+cn: warren a wak
+cn: warren a wak kibbe
+cn: warren kibbe
+displayName: Warren A Kibbe
+givenName: Warren
+sn: Kibbe
+uid: wakibbe
+employeeNumber: 101
+mail: wakibbe@northwestern.edu
+ou: NU Clinical and Translational Sciences Institute, Feinberg School of Med
+ icine
+ou: Center for Genetic Medicine, Feinberg School of Medicine
+ou: People
+postalAddress: RUBLOFF 750 N Lake Shore Dr$11th Floor$CH
+telephoneNumber: +1 312 555 3229
+title: Research Associate Professor
+# Password is 'warren'
+userpassword: {SHA}VV0B3Wo8+hIFksgRljY3LtlRWOQ=
+
+dn: uid=rms, ou=People, dc=northwestern, dc=edu
+objectClass: top
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+cn: m
+cn: m sutphin
+cn: rhett
+cn: rhett m sutphin
+cn: rhett sutphin
+cn: sutphin
+cn: sutphin,rhett
+cn: sutphin,rhett m
+displayName: Rhett M Sutphin
+givenName: Rhett
+sn: Sutphin
+uid: rms377
+employeeNumber: 105
+mail: r-sutphin@northwestern.edu
+ou: NU Clinical and Translational Sciences Institute, Feinberg School of Med
+ icine
+ou: People
+telephoneNumber: +1 312 555 2324
+title: Systems Analyst/Programmer Senior
+# Password is 'rhett'
+userpassword: {SHA}0iimqqf1K2J9byT/Y60bE1o9vSE=
+
+dn: uid=ega, ou=People, dc=northwestern, dc=edu
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: edgar
+cn: edgar garcia
+cn: garcia
+cn: garcia,edgar
+displayName: Edgar Garcia
+givenName: Edgar
+sn: Garcia
+uid: ega
+employeeNumber: 106
+mail: edgar-garcia@northwestern.edu
+ou: Lurie Cancer Center, Feinberg School of Medicine
+ou: People
+postalAddress: RUBLOFF 750 N Lake Shore Drive$11th Floor$CH
+telephoneNumber: +1 312 555 2389
+# Password is 'edgar'
+userpassword: {SHA}njIw/etsfKsBVDVrwOcpTMvqKDE=
+
+dn: uid=blc, ou=People, dc=northwestern, dc=edu
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: brian
+cn: brian chamberlain
+cn: brian lee chamberlain
+cn: chamberlain
+cn: chamberlain,brian
+cn: chamberlain,brian lee
+cn: lee
+cn: lee chamberlain
+displayName: Brian Lee Chamberlain
+givenName: Brian
+sn: Chamberlain
+uid: blc
+employeeNumber: 107
+mail: b-chamberlain@northwestern.edu
+ou: NU Clinical and Translational Sciences Institute, Feinberg School of Med
+ icine
+ou: People
+postalAddress: RUBLOFF 750 N Lake Shore Dr$11th Floor$CH
+# Password is 'brian'
+userpassword: {SHA}dg59qyg2hTxjgFAz5RRmgwH6nEc=
+
+# User with bad sn/givenName
+dn: uid=jka, ou=People, dc=northwestern, dc=edu
+objectClass: top
+objectClass: person
+objectClass: organizationalPerson
+objectClass: inetOrgPerson
+cn: Jennifer Karp
+cn: Jennifer
+cn: Karp
+displayName: Jennifer Karp
+givenName: UNKNOWN
+sn: UNKNOWN
+uid: jka
+ou: People

data/spec/aker/ldap_spec.rb

@@ -0,0 +1,11 @@
+require File.expand_path('../../spec_helper', __FILE__)
+
+module Aker
+  describe Ldap::Slice do
+    let(:configuration) { Aker::Configuration.new(:slices => [Ldap::Slice.new]) }
+
+    it 'registers :ldap as an alias for the LDAP authority' do
+      configuration.authority_aliases[:ldap].should be Aker::Ldap::Authority
+    end
+  end
+end

data/spec/aker/modes/a_aker_mode.rb

@@ -0,0 +1,41 @@
+require File.expand_path("../../../spec_helper", __FILE__)
+require 'warden'
+
+##
+# Expects the following instance variables to be set:
+#
+# * @mode: an instance of the mode under test
+# * @env: a Rack environment used by the mode
+shared_examples_for "a aker mode" do
+  it "is a Warden strategy" do
+    (@mode.class < Warden::Strategies::Base).should be_true
+  end
+
+  describe '#interactive?' do
+    it "is true if 'aker.interactive' is true" do
+      @env['aker.interactive'] = true
+
+      @mode.interactive?.should == true
+    end
+
+    it "is false if 'aker.interactive' is false" do
+      @env['aker.interactive'] = false
+
+      @mode.interactive?.should == false
+    end
+  end
+
+  describe '#store?' do
+    it 'is true if #interactive? is true' do
+      @mode.stub!(:interactive? => true)
+
+      @mode.store?.should == true
+    end
+
+    it 'is false if #interactive? is false' do
+      @mode.stub!(:interactive? => false)
+
+      @mode.store?.should == false
+    end
+  end
+end

data/spec/aker/modes/http_basic_spec.rb

@@ -0,0 +1,127 @@
+require File.expand_path("../../../spec_helper", __FILE__)
+require File.expand_path("a_aker_mode", File.dirname(__FILE__))
+require 'base64'
+require 'rack'
+
+module Aker::Modes
+  describe HttpBasic do
+    before do
+      @env = ::Rack::MockRequest.env_for("/")
+      @scope = mock
+      @mode = HttpBasic.new(@env, @scope)
+      @env['aker.configuration'] = Aker::Configuration.new
+    end
+
+    it_should_behave_like "a aker mode"
+
+    describe "#key" do
+      it "is :http_basic" do
+        HttpBasic.key.should == :http_basic
+      end
+    end
+
+    describe "#kind" do
+      it "is :user" do
+        @mode.kind.should == :user
+      end
+    end
+
+    describe "#credentials" do
+      it "returns username and password given an Authorization header" do
+        @env["HTTP_AUTHORIZATION"] = "Basic " + Base64.encode64("foo:bar")
+
+        @mode.credentials.should == ["foo", "bar"]
+      end
+
+      it "returns an empty array when no Authorization header is present" do
+        @mode.credentials.should == []
+      end
+
+      it "returns an empty array when the Authorization header isn't a valid response to a Basic challenge" do
+        @env["HTTP_AUTHORIZATION"] = "garbage"
+
+        @mode.credentials.should == []
+      end
+    end
+
+    describe "#valid?" do
+      it "is not valid if the Authorization header is blank" do
+        @mode.should_not be_valid
+      end
+
+      it "is not valid if the Authorization header does not contain 'Basic'" do
+        @env["HTTP_AUTHORIZATION"] = "Fake auth"
+
+        @mode.should_not be_valid
+      end
+
+      it "is not valid if the Authorization header contains malformed credentials" do
+        @env["HTTP_AUTHORIZATION"] = "Basic :?$"
+
+        @mode.should_not be_valid
+      end
+
+      it "is valid if the Authorization header contains 'Basic' followed by base64-encoded credentials" do
+        credentials = Base64.encode64("foo:bar")
+        @env["HTTP_AUTHORIZATION"] = "Basic #{credentials}"
+
+        @mode.should be_valid
+      end
+    end
+
+    describe "#authenticate!" do
+      before do
+        @authority = mock
+        @env['aker.authority'] = @authority
+      end
+
+      it "signals success if the username and password are good" do
+        @env["HTTP_AUTHORIZATION"] = "Basic " + Base64.encode64("foo:bar")
+        user = stub
+        @authority.should_receive(:valid_credentials?).with(:user, 'foo', 'bar').and_return(user)
+        @mode.should_receive(:success!).with(user)
+
+        @mode.authenticate!
+      end
+
+      it "does not signal success if the username or password are bad" do
+        @authority.stub(:valid_credentials? => nil)
+        @mode.should_not_receive(:success!)
+
+        @mode.authenticate!
+      end
+    end
+
+    describe "#realm" do
+      it "prefers the portal attribute of the configuration" do
+        @env['aker.configuration'].portal = "Realm"
+
+        @mode.realm.should == "Realm"
+      end
+
+      it "defaults to 'Aker'" do
+        @mode.realm.should == "Aker"
+      end
+    end
+
+    describe "#scheme" do
+      it "is Basic" do
+        @mode.scheme.should == "Basic"
+      end
+    end
+
+    describe "#on_ui_failure" do
+      before do
+        @response = @mode.on_ui_failure
+      end
+
+      it "returns 401 Unauthorized" do
+        @response.status.should == 401
+      end
+
+      it "returns a WWW-Authenticate header containing the Basic authentication scheme" do
+        @response.headers['WWW-Authenticate'].should == %q{Basic realm="Aker"}
+      end
+    end
+  end
+end

data/spec/aker/modes/support/attempted_path_spec.rb

@@ -0,0 +1,32 @@
+require File.expand_path("../../../../spec_helper", __FILE__)
+
+module Aker::Modes::Support
+  describe AttemptedPath do
+    before do
+      @object = Object.new
+      @object.extend(AttemptedPath)
+      @env = {}
+      @object.stub!(:env => @env)
+    end
+
+    describe "#attempted_path" do
+      it "returns the value of :attempted_path in warden.options" do
+        @env["warden.options"] = {
+          :attempted_path => "http://www.example.edu"
+        }
+
+        @object.attempted_path.should == "http://www.example.edu"
+      end
+
+      it "returns nil if :attempted_path is nil" do
+        @env["warden.options"] = {}
+
+        @object.attempted_path.should be_nil
+      end
+
+      it "returns nil if warden.options is not in the Rack environment" do
+        @object.attempted_path.should be_nil
+      end
+    end
+  end
+end

data/spec/aker/modes_spec.rb

@@ -0,0 +1,11 @@
+require File.expand_path('../../spec_helper', __FILE__)
+
+module Aker
+  describe Modes::Slice do
+    let(:configuration) { Configuration.new(:slices => [Modes::Slice.new]) }
+
+    it "registers the basic mode" do
+      configuration.registered_modes.should include(Aker::Modes::HttpBasic)
+    end
+  end
+end

data/spec/aker/rack/authenticate_spec.rb

@@ -0,0 +1,78 @@
+require File.expand_path('../../../spec_helper', __FILE__)
+
+module Aker::Rack
+  describe Authenticate do
+    let(:app) { lambda { |x| x } }
+
+    let(:configuration) do
+      Aker::Configuration.new do
+        ui_mode :cas
+        api_modes :basic, :cas_proxy
+      end
+    end
+
+    let(:middleware) { Aker::Rack::Authenticate.new(app) }
+
+    let(:env) do
+      { "aker.configuration" => configuration, "warden" => warden }
+    end
+
+    let(:warden) { mock }
+
+    def call
+      middleware.call(env)
+    end
+
+    describe "#call" do
+      before do
+        warden.stub!(:user)
+      end
+
+      it "calls the ui mode if interactive" do
+        env['aker.interactive'] = true
+
+        warden.should_receive(:authenticate).with(:cas)
+
+        call
+      end
+
+      it "calls all the api modes if not interactive" do
+        env['aker.interactive'] = false
+
+        warden.should_receive(:authenticate).with(:basic, :cas_proxy)
+
+        call
+      end
+
+      it "invokes the app" do
+        warden.stub!(:authenticate)
+
+        app.should_receive(:call)
+
+        call
+      end
+    end
+
+    describe "env['aker.check']" do
+      let(:user) { Aker::User.new("jo") }
+
+      before do
+        warden.stub!(:user => user, :authenticate => nil)
+      end
+
+      let(:facade) { call['aker.check'] }
+
+      it "is a facade" do
+        facade.should be_a(Facade)
+      end
+
+      it "has the user" do
+        facade.user.should == user
+      end
+
+      it "has the configuration" do
+        facade.configuration.should == configuration
+      end
+    end
+  end
+end

data/spec/aker/rack/default_logout_responder_spec.rb

@@ -0,0 +1,67 @@
+require File.expand_path('../../../spec_helper', __FILE__)
+
+require 'rack/test'
+
+module Aker::Rack
+  describe DefaultLogoutResponder do
+    include Rack::Test::Methods
+
+    let(:app) do
+      Rack::Builder.new do
+        use DefaultLogoutResponder
+        run lambda { |env|
+          if env['PATH_INFO'] == '/missing/logout'
+            [404, {'Content-Type' => 'text/html'}, ['missing']]
+          elsif env['PATH_INFO'] == '/present/logout'
+            [200, {'Content-Type' => 'text/html'}, ['app logout']]
+          else
+            [200, {'Content-Type' => 'text/html'}, ['app']]
+          end
+        }
+      end
+    end
+
+    let(:configuration) do
+      p = path
+      Aker::Configuration.new {
+        rack_parameters :logout_path => p
+      }
+    end
+
+    let(:env) do
+      { 'aker.configuration' => configuration }
+    end
+
+    let(:path) { '/missing/logout' }
+
+    describe '#call' do
+      it 'responds to GET {the configured logout path} if the application 404s' do
+        get path, {}, env
+
+        last_response.status.should == 200
+        last_response.body.should == "You have been logged out."
+      end
+
+      it "leaves the application's logout response alone if there is one" do
+        configuration.parameters_for(:rack)[:logout_path] = '/present/logout'
+
+        get '/present/logout', {}, env
+
+        last_response.status.should == 200
+        last_response.body.should == "app logout"
+      end
+
+      it 'does not respond to other methods' do
+        post path, {}, env
+
+        last_response.body.should == 'missing'
+      end
+
+      it 'does not respond to other paths' do
+        get '/', {}, env
+
+        last_response.body.should == 'app'
+      end
+    end
+  end
+end