aker 3.0.0.pre

data/spec/aker/rack/facade_spec.rb

@@ -0,0 +1,154 @@
+require File.expand_path('../../../spec_helper', __FILE__)
+
+module Aker::Rack
+  describe Facade do
+    ##
+    # @return [Object] the options passed to the warden throw
+    # @raise RuntimeError if :warden is never thrown
+    def catch_warden_throw(&block)
+      opts = catch(:warden) do
+        block.call
+      end
+      if opts
+        opts
+      else
+        fail ":warden not thrown (or thrown without options)"
+      end
+    end
+
+    before do
+      @user = Aker::User.new("jo")
+      @user.portals << :ENU
+      @user.default_portal = :ENU
+      @user.group_memberships << Aker::GroupMembership.new(Aker::Group.new("User"))
+
+      @config = Aker::Configuration.new {
+        portal :ENU
+      }
+
+      @with_user = Facade.new(@config, @user)
+      @without_user = Facade.new(@config, nil)
+    end
+
+    describe "#authentication_required!" do
+      it "throws to warden if there's no user" do
+        catch_warden_throw {
+          @without_user.authentication_required!
+        }.should == { :login_required => true }
+      end
+
+      describe "with a user" do
+        it "does not throw to warden if the user is authenticated and in the proper portal" do
+          lambda { @with_user.authentication_required! }.should_not raise_error
+        end
+
+        it "throws to warden if the user isn't permitted to access the configured portal" do
+          @config.portal = :NOTIS
+          catch_warden_throw {
+            @with_user.authentication_required!
+          }.should == { :portal_required => :NOTIS }
+        end
+
+        it "does not throw to warden if there's no configured portal" do
+          @config.portal = nil
+          lambda { @with_user.authentication_required! }.should_not raise_error
+        end
+      end
+    end
+
+    describe "#authenticated?" do
+      it "returns false if there's not a user" do
+        @without_user.should_not be_authenticated
+      end
+
+      describe "with a user" do
+        it "returns true if the user is in the configured portal" do
+          @with_user.should be_authenticated
+        end
+
+        it "returns false if the user is not in the configured portal" do
+          @config.portal = :NOTIS
+          @with_user.should_not be_authenticated
+        end
+
+        it "returns true if there is no configured portal" do
+          @config.portal = nil
+          @with_user.should be_authenticated
+        end
+      end
+    end
+
+    describe "#permit?" do
+      describe "without a block" do
+        it "returns true if the facade user is in the group" do
+          @with_user.permit?(:User).should be_true
+        end
+
+        it "returns false if the user is not in the group" do
+          @with_user.permit?(:Admin).should be_false
+        end
+
+        it "returns false without a user" do
+          @without_user.permit?(:User).should be_false
+        end
+      end
+
+      describe "with a block" do
+        it "evaluates the block if the facade user is in the group" do
+          executed = false
+          @with_user.permit?(:User) do
+            executed = true
+          end
+
+          executed.should be_true
+        end
+
+        it "does not evaluate the block if the facade user is not in the group" do
+          executed = false
+          @with_user.permit?(:Admin) do
+            executed = true
+          end
+
+          executed.should be_false
+        end
+
+        it "does not evaluate the block if there is no user" do
+          executed = false
+          @without_user.permit?(:User) do
+            executed = true
+          end
+
+          executed.should be_false
+        end
+      end
+
+      it "is aliased as permit (without the question mark)" do
+        @with_user.permit(:User).should be_true
+      end
+    end
+
+    describe "#permit!" do
+      it "tells warden authentication is required if there's no user" do
+        catch_warden_throw {
+          @without_user.permit!(:User)
+        }.should == { :login_required => true }
+      end
+
+      it "tells warden that particular groups are required if the user isn't in any of them" do
+        catch_warden_throw {
+          @with_user.permit!(:Developer, :Admin)
+        }.should == { :groups_required => [:Developer, :Admin] }
+      end
+    end
+
+    describe "#user" do
+      it "returns the user if there's a user" do
+        @with_user.user.username.should == "jo"
+      end
+
+      it "returns nil if there's no user" do
+        @without_user.user.should be_nil
+      end
+    end
+  end
+end

data/spec/aker/rack/failure_spec.rb

@@ -0,0 +1,151 @@
+require File.expand_path('../../../spec_helper', __FILE__)
+
+require 'rack/mock'
+
+module Aker::Rack
+  describe Failure do
+    before do
+      @config = Aker::Configuration.new
+      @config.logger = spec_logger
+      @env = ::Rack::MockRequest.env_for("/", "aker.configuration" => @config)
+      @app = Failure.new
+    end
+
+    after do
+      Warden::Strategies.clear!
+    end
+
+    def call
+      @app.call(@env)
+    end
+
+    def actual_code
+      call[0]
+    end
+
+    def actual_headers
+      call[1]
+    end
+
+    def actual_body
+      actual_lines = []
+      call[2].each { |l| actual_lines << l }
+      actual_lines.join
+    end
+
+    describe "of authorization" do
+      before do
+        @env['aker.check'] = Facade.new(@env["aker.configuration"], Aker::User.new("jo"))
+      end
+
+      shared_examples_for "an authorization failure" do
+        it "403s" do
+          actual_code.should == 403
+        end
+
+        it "returns HTML" do
+          actual_headers["Content-Type"].should == "text/html"
+        end
+
+        it "returns a somewhat friendly message" do
+          actual_body.should ==
+            "<html><head><title>Authorization denied</title></head><body>jo may not use this page.</body></html>"
+        end
+      end
+
+      describe "at the portal level" do
+        before do
+          @env['warden.options'] = { :portal_required => :ENU }
+        end
+
+        it_should_behave_like "an authorization failure"
+
+        it "logs the failure appropriately" do
+          call
+          actual_log.should =~ /Resource authorization failure: User "jo" is not in the :ENU portal./
+        end
+      end
+
+      describe "at the group level" do
+        before do
+          @env['warden.options'] = { :groups_required => [:Admin, :Developer] }
+        end
+
+        it_should_behave_like "an authorization failure"
+
+        it "logs the failure appropriately" do
+          call
+          actual_log.should =~ /Resource authorization failure: User "jo" is not in any of the required groups \[:Admin, :Developer\]./
+        end
+      end
+    end
+
+    describe "of authentication" do
+      before do
+        @env['warden.options'] = { :login_required => true }
+      end
+
+      describe "when interactive" do
+        before do
+          Warden::Strategies.add(:fake_ui) do
+            def authenticate!; nil; end
+            def on_ui_failure
+              ::Rack::Response.new(["UI failed!"], 403, {})
+            end
+          end
+
+          @env['aker.interactive'] = true
+          @env['aker.configuration'].ui_mode = :fake_ui
+        end
+
+        it "invokes #on_ui_failure on the appropriate mode" do
+          actual_code.should == 403
+          actual_body.should == "UI failed!"
+        end
+      end
+
+      describe "when not interactive" do
+        before do
+          @env['aker.interactive'] = false
+
+          %w(Alpha Beta).each do |n|
+            cls = Class.new(Aker::Modes::Base)
+            cls.class_eval <<-RUBY
+              include Aker::Modes::Support::Rfc2617
+              def authenticate!; nil; end
+              def scheme; #{n.inspect}; end
+            RUBY
+            Warden::Strategies.add(n.downcase.to_sym, cls)
+          end
+        end
+
+        it "responds with a challenge" do
+          @env['aker.configuration'].api_mode = :beta
+
+          actual = call
+          actual[0].should == 401
+          actual[1]["WWW-Authenticate"].should == 'Beta realm="Aker"'
+        end
+
+        it "responds for with challenges for all modes" do
+          @env['aker.configuration'].api_mode = [:beta, :alpha]
+
+          actual_headers["WWW-Authenticate"].should == %Q{Beta realm="Aker"\nAlpha realm="Aker"}
+        end
+
+        it "uses the portal as the realm if it is set" do
+          @env['aker.configuration'].portal = :ENU
+          @env['aker.configuration'].api_mode = [:alpha]
+
+          actual_headers["WWW-Authenticate"].should == %Q{Alpha realm="ENU"}
+        end
+
+        it "gives a human-readable message in the body for debugging" do
+          @env['aker.configuration'].api_mode = :beta
+          actual_headers["Content-Type"].should == "text/plain"
+          actual_body.should == "Authentication required"
+        end
+      end
+    end
+  end
+end

data/spec/aker/rack/logout_spec.rb

@@ -0,0 +1,63 @@
+require File.expand_path('../../../spec_helper', __FILE__)
+require 'rack/test'
+
+module Aker::Rack
+  describe Logout do
+    include Rack::Test::Methods
+
+    let(:path) { '/auth/logout' }
+
+    let(:app) do
+      Rack::Builder.new do
+        use Aker::Rack::Logout
+        run lambda { |env| [200, {'Content-Type' => 'text/html'}, ['from the app']] }
+      end
+    end
+
+    let(:warden) { stub.as_null_object }
+
+    let(:config) do
+      p = path
+      Aker::Configuration.new {
+        rack_parameters :logout_path => p
+      }
+    end
+
+    let(:env) do
+      {
+        'warden' => warden,
+        'aker.configuration' => config
+      }
+    end
+
+    describe '#call' do
+      context 'given GET {the configured path}' do
+        it 'instructs Warden to log out' do
+          warden.should_receive(:logout)
+
+          get path, {}, env
+        end
+
+        it 'passes control to the rest of the app' do
+          get path, {}, env
+
+          last_response.body.should == 'from the app'
+        end
+      end
+
+      context 'given GET (some other path)' do
+        it 'does not instruct Warden to log out' do
+          warden.should_receive(:logout).never
+
+          get '/', {}, env
+        end
+
+        it 'passes control to the rest of the app' do
+          get '/', {}, env
+
+          last_response.body.should == 'from the app'
+        end
+      end
+    end
+  end
+end

data/spec/aker/rack/request_ext_spec.rb

@@ -0,0 +1,29 @@
+require File.expand_path('../../../spec_helper', __FILE__)
+
+require 'rack'
+
+module Aker::Rack
+  describe RequestExt do
+    let(:request_class) do
+      Class.new(Rack::Request) do
+        include RequestExt
+      end
+    end
+
+    let(:request) { request_class.new({}) }
+
+    describe '#interactive?' do
+      it 'returns true if the request is interactive' do
+        request.env['aker.interactive'] = true
+
+        request.should be_interactive
+      end
+
+      it 'returns false if the request is non-interactive' do
+        request.env['aker.interactive'] = false
+
+        request.should_not be_interactive
+      end
+    end
+  end
+end

data/spec/aker/rack/session_timer_spec.rb

@@ -0,0 +1,134 @@
+require File.expand_path('../../../spec_helper', __FILE__)
+require 'rack/test'
+
+module Aker::Rack
+  describe SessionTimer do
+    let(:app) { stub.as_null_object }
+    let(:configuration) { Aker::Configuration.new { rack_parameters :logout_path => '/a/logout' } }
+    let(:env) {
+      {
+        'aker.configuration' => configuration,
+        'rack.session' => session,
+        'warden' => warden
+      }
+    }
+    let(:expected_timeout) { 600 }
+    let(:session) { {} }
+    let(:timer) { SessionTimer.new(app) }
+    let(:warden) { mock }
+
+    before do
+      configuration.add_parameters_for(:policy, %s(session-timeout-seconds) => expected_timeout)
+    end
+
+    describe "#call" do
+      let(:current_request_time) { 1234567890 }
+
+      before do
+        Time.stub!(:now => Time.at(current_request_time))
+      end
+
+      it "sets aker.timeout_at" do
+        timer.call(env)
+
+        env['aker.timeout_at'].should == current_request_time + expected_timeout
+      end
+
+      context 'if no session timeout is given' do
+        before do
+          configuration.add_parameters_for(:policy, %s(session-timeout-seconds) => nil)
+        end
+
+        it 'passes control down the Rack stack' do
+          app.should_receive(:call)
+
+          timer.call(env)
+        end
+      end
+
+      context 'if no last request timestamp is present' do
+        before do
+          session['aker.last_request_at'] = nil
+        end
+
+        it 'sets last request time to the current request time' do
+          timer.call(env)
+
+          session['aker.last_request_at'].should == current_request_time
+        end
+
+        it 'passes control down the Rack stack' do
+          app.should_receive(:call)
+
+          timer.call(env)
+        end
+      end
+
+      context 'if a last request timestamp is present' do
+        context 'and the current request is within the timeout window' do
+          before do
+            #
+            # The below calculation places the current request time in the
+            # middle of the session timeout window:
+            #
+            #     prv    cur
+            #      |      |
+            #      |------|
+            #      |e.t./2|
+            #      |------------
+            #      |    e.t.
+            #
+            session['aker.last_request_at'] = current_request_time - (expected_timeout / 2)
+          end
+
+          it 'sets the last request timestamp' do
+            timer.call(env)
+
+            session['aker.last_request_at'].should == current_request_time
+          end
+
+          it 'passes control down the Rack stack' do
+            app.should_receive(:call)
+
+            timer.call(env)
+          end
+        end
+
+        context 'and the current request is outside the timeout window' do
+          before do
+            #
+            # The below calculation places the current request time at the edge
+            # of the session timeout window:
+            #
+            #     prv          cur
+            #      |            |
+            #      |------------|
+            #      |    e.t.    |
+            #
+            session['aker.last_request_at'] = current_request_time - expected_timeout
+
+            warden.stub!(:logout)
+          end
+
+          it 'passes control down the Rack stack' do
+            app.should_receive(:call)
+
+            timer.call(env)
+          end
+
+          it 'resets the session' do
+            warden.should_receive(:logout)
+
+            timer.call(env)
+          end
+
+          it 'sets the session expired flag in the environment' do
+            timer.call(env)
+
+            env['aker.session_expired'].should == true
+          end
+        end
+      end
+    end
+  end
+end

data/spec/aker/rack/setup_spec.rb

@@ -0,0 +1,87 @@
+require File.expand_path('../../../spec_helper', __FILE__)
+
+module Aker::Rack
+  describe Setup do
+    let(:app) { lambda { |x| x } }
+    let(:configuration) { Aker::Configuration.new }
+    let(:middleware) { Setup.new(app, configuration) }
+
+    def call(env = {})
+      middleware.call(env)
+    end
+
+    describe "env['aker.configuration']" do
+      it "is the configuration provided in its constructor" do
+        env = call
+
+        env['aker.configuration'].should == configuration
+      end
+    end
+
+    describe "env['aker.authority']" do
+      it "is the authority from the configuration" do
+        authority = stub
+        configuration.stub!(:composite_authority => authority)
+
+        env = call
+
+        env['aker.authority'].should == authority
+      end
+    end
+
+    describe "env['aker.interactive']" do
+      it "is true if the Accept header includes text/html" do
+        env = call("HTTP_ACCEPT" =>
+                   "application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5")
+
+        env['aker.interactive'].should be_true
+      end
+
+      describe "when there are any API modes" do
+        let(:configuration) do
+          Aker::Configuration.new do
+            api_mode :http_basic
+          end
+        end
+
+        it "is false if the Accept header does not include text/html" do
+          env = call("HTTP_ACCEPT" => "*/*")
+
+          env['aker.interactive'].should be_false
+        end
+
+        it "is false if there is no Accept header" do
+          env = call
+
+          env['aker.interactive'].should be_false
+        end
+
+        it "is true if the User-Agent header contains 'Mozilla'" do
+          env = call("HTTP_USER_AGENT" => "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)")
+
+          env['aker.interactive'].should be_true
+        end
+      end
+
+      describe "when there are no API modes" do
+        it "is true if the Accept header does not include text/html" do
+          env = call("HTTP_ACCEPT" => "*/*")
+
+          env['aker.interactive'].should be_true
+        end
+
+        it "is true if there is no Accept header" do
+          env = call
+
+          env['aker.interactive'].should be_true
+        end
+      end
+    end
+
+    it "always invokes the app" do
+      app.should_receive(:call)
+
+      middleware.call({})
+    end
+  end
+end