cf-uaa-lib 1.3.0

data/lib/uaa/version.rb

@@ -0,0 +1,18 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+module CF
+  module UAA
+    VERSION = "1.3.0"
+  end
+end

data/spec/http_spec.rb

@@ -0,0 +1,37 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+require 'spec_helper'
+require 'uaa/http'
+require 'uaa/version'
+
+module CF::UAA
+
+describe Http do
+
+  include Http
+  include SpecHelper
+
+  it "sets a request handler" do
+    set_request_handler do |req|
+      [200, "body", {"content-type" => "text/plain"}]
+    end
+    status, body, resp_headers = http_get("http://example.com")
+    status.should == 200
+    body.should == "body"
+    resp_headers["content-type"].should == "text/plain"
+  end
+
+end
+
+end

data/spec/misc_spec.rb

@@ -0,0 +1,42 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+require 'spec_helper'
+require 'uaa/misc'
+
+module CF::UAA
+
+describe Misc do
+
+  include SpecHelper
+
+  before :all do
+    #Util.default_logger(:trace)
+  end
+
+  it "gets server info" do
+    Misc.set_request_handler do |url, method, body, headers|
+      url.should == "https://uaa.cloudfoundry.com/login"
+      method.should == :get
+      headers["content-type"].should be_nil
+      headers["accept"].should =~ /application\/json/
+      [200, '{"commit_id":"12345","prompts":["one","two"]}', {"content-type" => "application/json"}]
+    end
+    result = Misc.server("https://uaa.cloudfoundry.com")
+    result["prompts"].should_not be_nil
+    result["commit_id"].should_not be_nil
+  end
+
+end
+
+end

data/spec/scim_spec.rb

@@ -0,0 +1,117 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+require 'spec_helper'
+require 'uaa/scim'
+
+module CF::UAA
+
+describe Scim do
+
+  include SpecHelper
+
+  before :all do
+    #Util.default_logger(:trace)
+    @authheader, @target = "bEareR xyz", "https://test.target"
+    @scim = Scim.new(@target, @authheader)
+  end
+
+  subject { @scim }
+
+  def check_headers(headers, content, accept)
+    headers["content-type"].should =~ /application\/json/ if content == :json
+    headers["content-type"].should be_nil unless content
+    headers["accept"].should =~ /application\/json/ if accept == :json
+    headers["accept"].should be_nil unless accept
+    headers["authorization"].should =~ /^(?i:bearer)\s+xyz$/
+  end
+
+  it "adds an object" do
+    subject.set_request_handler do |url, method, body, headers|
+      url.should == "#{@target}/Users"
+      method.should == :post
+      check_headers(headers, :json, :json)
+      [200, '{"ID":"id12345"}', {"content-type" => "application/json"}]
+    end
+    result = subject.add(:user, hair: "brown", shoe_size: "large", 
+        eye_color: ["blue", "green"], name: "fred")
+    result["id"].should == "id12345"
+  end
+
+  it "replaces an object" do
+    obj = {hair: "black", shoe_size: "medium", eye_color: ["hazel", "brown"], 
+          name: "fredrick", meta: {version: 'v567'}, id: "id12345"}
+    subject.set_request_handler do |url, method, body, headers|
+      url.should == "#{@target}/Users/id12345"
+      method.should == :put
+      check_headers(headers, :json, :json)
+      headers["if-match"].should == "v567"
+      [200, '{"ID":"id12345"}', {"content-type" => "application/json"}]
+    end
+    result = subject.put(:user, obj)
+    result["id"].should == "id12345"
+  end
+
+  it "gets an object" do
+    subject.set_request_handler do |url, method, body, headers|
+      url.should == "#{@target}/Users/id12345"
+      method.should == :get
+      check_headers(headers, nil, :json)
+      [200, '{"id":"id12345"}', {"content-type" => "application/json"}]
+    end
+    result = subject.get(:user, "id12345")
+    result['id'].should == "id12345"
+  end
+
+  it "pages through all objects" do
+    subject.set_request_handler do |url, method, body, headers|
+      url.should =~ %r{^#{@target}/Users\?attributes=id&startIndex=[12]$}
+      method.should == :get
+      check_headers(headers, nil, :json)
+      reply = url =~ /1$/ ? 
+        '{"TotalResults":2,"ItemsPerPage":1,"StartIndex":1,"RESOURCES":[{"id":"id12345"}]}' :
+        '{"TotalResults":2,"ItemsPerPage":1,"StartIndex":2,"RESOURCES":[{"id":"id67890"}]}'
+      [200, reply, {"content-type" => "application/json"}]
+    end
+    result = subject.all_pages(:user, attributes: 'id')
+    result[0]['id'].should == "id12345"
+    result[1]['id'].should == "id67890"
+  end
+
+  it "changes a user's password" do
+    subject.set_request_handler do |url, method, body, headers|
+      url.should == "#{@target}/Users/id12345/password"
+      method.should == :put
+      check_headers(headers, :json, :json)
+      body.should == '{"password":"newpwd","oldPassword":"oldpwd"}'
+      [200, '{"id":"id12345"}', {"content-type" => "application/json"}]
+    end
+    result = subject.change_password("id12345", "newpwd", "oldpwd")
+    result['id'].should == "id12345"
+  end
+
+  it "changes a client's secret" do
+    subject.set_request_handler do |url, method, body, headers|
+      url.should == "#{@target}/oauth/clients/id12345/secret"
+      method.should == :put
+      check_headers(headers, :json, :json)
+      body.should == '{"secret":"newpwd","oldSecret":"oldpwd"}'
+      [200, '{"id":"id12345"}', {"content-type" => "application/json"}]
+    end
+    result = subject.change_secret("id12345", "newpwd", "oldpwd")
+    result['id'].should == "id12345"
+  end
+
+end
+
+end

data/spec/spec_helper.rb

@@ -0,0 +1,28 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+if ENV['COVERAGE']
+  require "simplecov"
+  if ENV['COVERAGE'] =~ /rcov/
+    require "simplecov-rcov"
+    SimpleCov.formatter = SimpleCov::Formatter::RcovFormatter
+  end
+  SimpleCov.add_filter "^#{File.dirname(__FILE__)}" if ENV['COVERAGE'] =~ /exclude-spec/
+  SimpleCov.add_filter "^#{File.expand_path(File.join(File.dirname(__FILE__), "..", "vendor"))}" if ENV['COVERAGE'] =~ /exclude-vendor/
+  SimpleCov.start
+end
+
+require 'rspec'
+
+module SpecHelper
+end

data/spec/token_coder_spec.rb

@@ -0,0 +1,128 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+require 'spec_helper'
+require 'uaa/token_coder'
+
+module CF::UAA
+
+describe TokenCoder do
+
+  subject { TokenCoder.new("test_resource", "test_secret", OpenSSL::PKey::RSA.generate(512) ) }
+
+  before :each do
+    @tkn_body = {'foo' => "bar"}
+    @tkn_secret = "test_secret"
+  end
+
+  it "raises a decode error if the given auth header is bad" do
+    expect { subject.decode(nil) }.to raise_exception(DecodeError)
+    expect { subject.decode("one two three") }.to raise_exception(DecodeError)
+  end
+
+  it "encodes/decodes a token using a symmetrical key" do
+    tkn = subject.encode(@tkn_body, 'HS512')
+    result = subject.decode("bEaReR #{tkn}")
+    result.should_not be_nil
+    result["foo"].should == "bar"
+  end
+
+  it "encodes/decodes a token using pub/priv key" do
+    tkn = subject.encode(@tkn_body, 'RS256')
+    result = subject.decode("bEaReR #{tkn}")
+    result.should_not be_nil
+    result["foo"].should == "bar"
+  end
+
+  it "encodes/decodes a token using pub/priv key from PEM" do
+    pem = <<-DATA.gsub(/^ +/, '')
+      -----BEGIN RSA PRIVATE KEY-----
+      MIIBOwIBAAJBAN+5O6n85LSs/fj46Ht1jNbc5e+3QX+suxVPJqICvuV6sIukJXXE
+      zfblneN2GeEVqgeNvglAU9tnm3OIKzlwM5UCAwEAAQJAEhJ2fV7OYsHuqiQBM6fl
+      Pp4NfPXCtruPSUNhjYjHPuYpnqo6cpuUNAzRvqAdDkJJsPCPt1E5AWOYUYOmLE+d
+      AQIhAO/XxMb9GrTDyqJDvS8T1EcJpLCaUIReae0jSg1RnBrhAiEA7st6WLmOyTxX
+      JgLcO6LUfW6RsE3pgi9NGL25P3eOAzUCIQDUFKi1CJR36XWh/GIqYc9grX9KhnnS
+      QqZKAd12X4a5IQIhAMTOJKaNP/Xwai7kupfX6mL6Rs5UWDg4PcU/UDbTlNJlAiBv
+      2yrlT5h164jGCxqe7++1kIl4ollFCgz6QJ8lcmb/2Q==
+      -----END RSA PRIVATE KEY-----
+    DATA
+    coder = TokenCoder.new("test_resource", nil, pem)
+    tkn = coder.encode(@tkn_body, 'RS256')
+    result = coder.decode("bEaReR #{tkn}")
+    result.should_not be_nil
+    result["foo"].should == "bar"
+  end
+
+  it "encodes/decodes with 'none' signature" do
+    tkn = subject.encode(@tkn_body, 'none')
+    result = subject.decode("bEaReR #{tkn}")
+    result.should_not be_nil
+    result["foo"].should == "bar"
+  end
+
+  it "raises an error if the signing algorithm is not supported" do
+    expect { subject.encode(@tkn_body, 'baz') }.to raise_exception(ArgumentError)
+  end
+
+  it "raises an auth error if the token is for another resource server" do
+    tkn = subject.encode({'aud' => ["other_resource"], 'foo' => "bar"})
+    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(AuthError)
+  end
+
+  it "raises a decode error if the token is signed by an unknown signing key" do
+    other = TokenCoder.new("test_resource", "other_secret", nil)
+    tkn = other.encode(@tkn_body)
+    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(DecodeError)
+  end
+
+  it "raises a decode error if the token is an unknown signing algorithm" do
+    segments = [Util.json_encode64(typ: "JWT", alg:"BADALGO")]
+    segments << Util.json_encode64(@tkn_body)
+    segments << Util.encode64("BADSIG")
+    tkn = segments.join('.')
+    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(DecodeError)
+  end
+
+  it "raises a decode error if the token is malformed" do
+    tkn = "one.two.three.four"
+    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(DecodeError)
+    tkn = "onlyone"
+    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(DecodeError)
+  end
+
+  it "raises a decode error if a token segment is malformed" do
+    segments = [Util.encode64("this is not json")]
+    segments << Util.encode64("n/a")
+    segments << Util.encode64("n/a")
+    tkn = segments.join('.')
+    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(DecodeError)
+  end
+
+  it "raises an auth error if the token has expired" do
+    tkn = subject.encode({'foo' => "bar", 'exp' => Time.now.to_i - 60 })
+    expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(AuthError)
+  end
+
+  it "decodes a token without validation" do
+    token = "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6ImY1MTgwMjExLWVkYjItNGQ4OS1hNmQwLThmNGVjMTE0NTE4YSIsInJlc291cmNlX2lkcyI6WyJjbG91ZF9jb250cm9sbGVyIiwicGFzc3dvcmQiXSwiZXhwaXJlc19hdCI6MTMzNjU1MTc2Niwic2NvcGUiOlsicmVhZCJdLCJlbWFpbCI6Im9sZHNAdm13YXJlLmNvbSIsImNsaWVudF9hdXRob3JpdGllcyI6WyJST0xFX1VOVFJVU1RFRCJdLCJleHBpcmVzX2luIjo0MzIwMCwidXNlcl9hdXRob3JpdGllcyI6WyJST0xFX1VTRVIiXSwidXNlcl9pZCI6Im9sZHNAdm13YXJlLmNvbSIsImNsaWVudF9pZCI6InZtYyIsInRva2VuX2lkIjoiZWRlYmYzMTctNWU2Yi00YmYwLWFmM2ItMTA0OWRjNmFlYjc1In0.XoirrePfEujnZ9Vm7SRRnj3vZEfRp2tkjkS_OCVz5Bs"
+    info = TokenCoder.decode(token, nil, nil, false)
+    info["id"].should_not be_nil
+    info["email"].should == "olds@vmware.com"
+    #puts Time.at(info[:exp].to_i)
+    #BaseCli.pp info
+  end
+
+
+end
+
+end

data/spec/token_issuer_spec.rb

@@ -0,0 +1,190 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+require 'set'
+require 'spec_helper'
+require 'uaa/token_issuer'
+
+module CF::UAA
+
+describe TokenIssuer do
+
+  include SpecHelper
+
+  before :all do
+    #Util.default_logger(:trace)
+    @issuer = TokenIssuer.new("http://test.uaa.target", "test_client", "test_secret")
+  end
+
+  subject { @issuer }
+
+  context "with client credentials grant" do
+
+    it "gets a token with client credentials" do
+      subject.set_request_handler do |url, method, body, headers|
+        headers["content-type"].should =~ /application\/x-www-form-urlencoded/
+        headers["accept"].should =~ /application\/json/
+        # TODO check basic auth header
+        url.should == "http://test.uaa.target/oauth/token"
+        method.should == :post
+        reply = {access_token: "test_access_token", token_type: "BEARER", scope: "logs.read", expires_in: 98765}
+        [200, Util.json(reply), {"content-type" => "application/json"}]
+      end
+      token = subject.client_credentials_grant("logs.read")
+      token.should be_an_instance_of Token
+      token.info["access_token"].should == "test_access_token"
+      token.info["token_type"].should =~ /^bearer$/i
+      token.info["scope"].should == "logs.read"
+      token.info["expires_in"].should == 98765
+    end
+
+    it "gets all granted scopes if none specified" do
+      subject.set_request_handler do |url, method, body, headers|
+        reply = {access_token: "test_access_token", token_type: "BEARER", scope: "openid logs.read", expires_in: 98765}
+        [200, Util.json(reply), {"content-type" => "application/json"}]
+      end
+      token = subject.client_credentials_grant
+      Util.arglist(token.info["scope"]).to_set.should == Util.arglist("openid logs.read").to_set
+    end
+
+    it "raises a bad response error if response content type is not json" do
+      subject.set_request_handler { [200, "not json", {"content-type" => "text/html"}] }
+      expect {subject.client_credentials_grant}.to raise_exception BadResponse
+    end
+
+    it "raises a bad response error if the response is not proper json" do
+      subject.set_request_handler { [200, "bad json", {"content-type" => "application/json"}] }
+      expect {subject.client_credentials_grant}.to raise_exception BadResponse
+    end
+
+    it "raises a target error if the response is 400 with valid oauth json error" do
+      subject.set_request_handler { [400, '{"error":"invalid scope"}', {"content-type" => "application/json"}] }
+      expect {subject.client_credentials_grant("bad.scope")}.to raise_exception TargetError
+    end
+
+  end
+
+  context "with owner password grant" do
+
+    it "gets a token with owner password" do
+      subject.set_request_handler do |url, method, body, headers|
+        headers["content-type"].should =~ /application\/x-www-form-urlencoded/
+        headers["accept"].should =~ /application\/json/
+        # TODO check basic auth header
+        url.should == "http://test.uaa.target/oauth/token"
+        method.should == :post
+        reply = {access_token: "test_access_token", token_type: "BEARER", scope: "openid", expires_in: 98765}
+        [200, Util.json(reply), {"content-type" => "application/json"}]
+      end
+      token = subject.owner_password_grant("joe+admin", "?joe's%password$@ ", "openid")
+      token.should be_an_instance_of Token
+      token.info["access_token"].should == "test_access_token"
+      token.info["token_type"].should =~ /^bearer$/i
+      token.info["scope"].should == "openid"
+      token.info["expires_in"].should == 98765
+    end
+
+  end
+
+  context "with implicit grant" do
+
+    it "gets the prompts for credentials used to authenticate implicit grant" do
+      subject.set_request_handler do |url, method, body, headers|
+        info = { prompts: {username: ["text", "Username"], password: ["password","Password"]} }
+        [200, Util.json(info), {"content-type" => "application/json"}]
+      end
+      result = subject.prompts
+      result.should_not be_empty
+    end
+
+    it "raises a bad target error if no prompts are received" do
+      subject.set_request_handler do |url, method, body, headers|
+        [200, Util.json({}), {"content-type" => "application/json"}]
+      end
+      expect { subject.prompts }.to raise_exception BadResponse
+    end
+
+    it "gets an access token" do
+      subject.set_request_handler do |url, method, body, headers|
+        headers["content-type"].should =~ /application\/x-www-form-urlencoded/
+        headers["accept"].should =~ /application\/json/
+        url.should match "http://test.uaa.target/oauth/authorize"
+        (state = /state=([^&]+)/.match(url)[1]).should_not be_nil
+        method.should == :post
+        location = "https://uaa.cloudfoundry.com/redirect/test_client#" +
+            "access_token=test_access_token&token_type=bearer&" +
+            "expires_in=98765&scope=openid+logs.read&state=#{state}"
+        [302, nil, {"content-type" => "application/json", "location" => location}]
+      end
+      token = subject.implicit_grant_with_creds(username: "joe+admin", password: "?joe's%password$@ ")
+      token.should be_an_instance_of Token
+      token.info["access_token"].should == "test_access_token"
+      token.info["token_type"].should =~ /^bearer$/i
+      Util.arglist(token.info["scope"]).to_set.should == Util.arglist("openid logs.read").to_set
+      token.info["expires_in"].should == 98765
+    end
+
+    it "rejects an access token with wrong state" do
+      subject.set_request_handler do |url, method, body, headers|
+        location = "https://uaa.cloudfoundry.com/redirect/test_client#" +
+            "access_token=test_access_token&token_type=bearer&" +
+            "expires_in=98765&scope=openid+logs.read&state=bad_state"
+        [302, nil, {"content-type" => "application/json", "location" => location}]
+      end
+      expect {token = subject.implicit_grant_with_creds(username: "joe+admin", 
+              password: "?joe's%password$@ ")}.to raise_exception BadResponse
+    end
+
+  end
+
+  context "with auth code grant" do
+
+    it "gets the authcode uri to be sent to the user agent for an authcode" do
+      redir_uri = "http://call.back/uri_path"
+      uri_parts = subject.authcode_uri(redir_uri).split('?')
+      uri_parts[0].should == "http://test.uaa.target/oauth/authorize"
+      params = Util.decode_form_to_hash(uri_parts[1])
+      params["response_type"].should == "code"
+      params["client_id"].should == "test_client"
+      params["scope"].should be_nil
+      params["redirect_uri"].should == redir_uri
+      params["state"].should_not be_nil
+    end
+
+    it "gets an access token with an authorization code" do
+      subject.set_request_handler do |url, method, body, headers|
+        headers["content-type"].should =~ /application\/x-www-form-urlencoded/
+        headers["accept"].should =~ /application\/json/
+        # TODO check basic auth header
+        url.should match "http://test.uaa.target/oauth/token"
+        method.should == :post
+        reply = {access_token: "test_access_token", token_type: "BEARER", scope: "openid", expires_in: 98765}
+        [200, Util.json(reply), {"content-type" => "application/json"}]
+      end
+      cburi = "http://call.back/uri_path"
+      redir_uri = subject.authcode_uri(cburi)
+      state = /state=([^&]+)/.match(redir_uri)[1]
+      reply_query = "state=#{state}&code=kz8%2F5gQZ2pc%3D"
+      token = subject.authcode_grant(redir_uri, reply_query)
+      token.should be_an_instance_of Token
+      token.info["access_token"].should == "test_access_token"
+      token.info["token_type"].should =~ /^bearer$/i
+      token.info["scope"].should == "openid"
+      token.info["expires_in"].should == 98765
+    end
+
+  end
+
+end
+
+end