cf-uaa-lib 3.14.1 → 4.0.1

data/lib/uaa/util.rb

@@ -145,7 +145,7 @@ class Util
 
   # Converts +obj+ to nicely formatted JSON
   # @return [String] obj in formatted json
-  def self.json_pretty(obj) MultiJson.dump(obj, :pretty => true) end
+  def self.json_pretty(obj) MultiJson.dump(obj, pretty: true) end
 
   # Converts +obj+ to a URL-safe base 64 encoded string
   # @return [String]

data/lib/uaa/version.rb

@@ -14,6 +14,6 @@
 # Cloud Foundry namespace
 module CF
   module UAA
-    VERSION = '3.14.1'
+    VERSION = '4.0.1'
   end
 end

data/spec/info_spec.rb

@@ -34,7 +34,7 @@ module CF::UAA
     end
 
     describe 'initialize' do
-      let(:options) { {:skip_ssl_validation => true} }
+      let(:options) { {skip_ssl_validation: true} }
 
       it 'sets proxy information' do
         uaa_info.skip_ssl_validation == true
@@ -52,7 +52,7 @@ module CF::UAA
       end
 
       context 'with symbolize_keys keys true' do
-        let(:options) { {:symbolize_keys => true} }
+        let(:options) { {symbolize_keys: true} }
 
         it 'gets server info' do
           result = uaa_info.server
@@ -84,7 +84,7 @@ module CF::UAA
       end
 
       context 'with symbolize_keys keys true' do
-        let(:options) { {:symbolize_keys => true} }
+        let(:options) { {symbolize_keys: true} }
 
         it 'gets UAA target' do
           result = uaa_info.discover_uaa

data/spec/integration_spec.rb

@@ -41,14 +41,14 @@ module CF::UAA
     target = ENV['UAA_CLIENT_TARGET']
 
     admin_token_issuer = TokenIssuer.new(target, admin_client, admin_secret, options)
-    Scim.new(target, admin_token_issuer.client_credentials_grant.auth_header, options.merge(:symbolize_keys => true))
+    Scim.new(target, admin_token_issuer.client_credentials_grant.auth_header, options.merge(symbolize_keys: true))
   end
 
   describe 'when UAA does not respond' do
     let(:http_timeout) { 0.01 }
     let(:default_http_client_timeout) { 60 }
-    let(:scim) { Scim.new(@target, "", {:http_timeout => http_timeout}) }
-    let(:token_issuer) { TokenIssuer.new(@target, "", "", {:http_timeout => http_timeout}) }
+    let(:scim) { Scim.new(@target, "", {http_timeout: http_timeout}) }
+    let(:token_issuer) { TokenIssuer.new(@target, "", "", {http_timeout: http_timeout}) }
     let(:blackhole_ip) { '10.255.255.1'}
 
     before do
@@ -60,7 +60,7 @@ module CF::UAA
         Timeout.timeout(default_http_client_timeout - 1) do
           scim.get(:user, "admin")
         end
-      }.to raise_error HTTPClient::TimeoutError
+      }.to raise_error HTTPException
     end
 
     it 'times out the connection at the configured time for the token issuer' do
@@ -68,7 +68,7 @@ module CF::UAA
         Timeout.timeout(default_http_client_timeout - 1) do
           token_issuer.client_credentials_grant
         end
-      }.to raise_error HTTPClient::TimeoutError
+      }.to raise_error HTTPException
     end
   end
 
@@ -77,20 +77,20 @@ module CF::UAA
 
       let(:options)  { @options }
       let(:token_issuer) { TokenIssuer.new(@target, @test_client, @test_secret, options) }
-      let(:scim) { Scim.new(@target, token_issuer.client_credentials_grant.auth_header, options.merge(:symbolize_keys => true)) }
+      let(:scim) { Scim.new(@target, token_issuer.client_credentials_grant.auth_header, options.merge(symbolize_keys: true)) }
 
       before :all do
         @options = {}
         if ENV['SKIP_SSL_VALIDATION']
-          @options = {:skip_ssl_validation => true}
+          @options = {skip_ssl_validation: true}
         end
         @target = ENV['UAA_CLIENT_TARGET']
         @test_client = "test_client_#{Time.now.to_i}"
         @test_secret = '+=tEsTsEcRet~!@'
         gids = ['clients.read', 'scim.read', 'scim.write', 'uaa.resource', 'password.write']
-        test_client = CF::UAA::admin_scim(@options).add(:client, :client_id => @test_client, :client_secret => @test_secret,
-                                     :authorities => gids, :authorized_grant_types => ['client_credentials', 'password'],
-                                     :scope => ['openid', 'password.write'])
+        test_client = CF::UAA::admin_scim(@options).add(:client, client_id: @test_client, client_secret: @test_secret,
+                                     authorities: gids, authorized_grant_types: ['client_credentials', 'password'],
+                                     scope: ['openid', 'password.write'])
         expect(test_client[:client_id]).to eq(@test_client)
       end
 
@@ -102,7 +102,7 @@ module CF::UAA
 
       if ENV['SKIP_SSL_VALIDATION']
         context 'when ssl certificate is self-signed' do
-          let(:options)  { {:skip_ssl_validation => false} }
+          let(:options)  { {skip_ssl_validation: false} }
 
           it 'fails if skip_ssl_validation is false' do
             expect{ scim }.to raise_exception(CF::UAA::SSLException)
@@ -113,7 +113,7 @@ module CF::UAA
       if ENV['SSL_CA_FILE']
         context 'when you do not skip SSL validation' do
           context 'when you provide cert' do
-            let(:options)  { {:ssl_ca_file => ENV['SSL_CA_FILE']} }
+            let(:options)  { {ssl_ca_file: ENV['SSL_CA_FILE']} }
 
             it 'works' do
               expect(token_issuer.prompts).to_not be_nil
@@ -139,7 +139,7 @@ module CF::UAA
               cert_store
             end
 
-            let(:options)  { {:ssl_cert_store => cert_store} }
+            let(:options)  { {ssl_cert_store: cert_store} }
             it 'works' do
               expect(token_issuer.prompts).to_not be_nil
             end
@@ -166,7 +166,7 @@ module CF::UAA
       it 'gets a token with client credentials' do
         tkn = token_issuer.client_credentials_grant
         expect(tkn.auth_header).to match(/^bearer\s/i)
-        info = TokenCoder.decode(tkn.info['access_token'], :verify => false, :symbolize_keys => true)
+        info = TokenCoder.decode(tkn.info['access_token'], verify: false, symbolize_keys: true)
         expect(info[:exp]).to be
         expect(info[:jti]).to be
       end
@@ -179,9 +179,9 @@ module CF::UAA
         before :each do
           @username = "sam_#{Time.now.to_i}"
           @user_pwd = "sam's P@55w0rd~!`@\#\$%^&*()_/{}[]\\|:\";',.<>?/"
-          usr = scim.add(:user, :username => @username, :password => @user_pwd,
-                         :emails => [{:value => 'sam@example.com'}],
-                         :name => {:givenname => 'none', :familyname => 'none'})
+          usr = scim.add(:user, username: @username, password: @user_pwd,
+                         emails: [{value: 'sam@example.com'}],
+                         name: {givenname: 'none', familyname: 'none'})
           @user_id = usr[:id]
         end
 
@@ -222,8 +222,8 @@ module CF::UAA
 
           it 'should get a uri to be sent to the user agent to initiate autologin' do
             redir_uri = 'http://call.back/uri_path'
-            uri_parts = token_issuer.autologin_uri(redir_uri, :username => @username,
-                                                   :password =>@user_pwd ).split('?')
+            uri_parts = token_issuer.autologin_uri(redir_uri, username: @username,
+                                                   password: @user_pwd ).split('?')
             expect(uri_parts[0]).to eq("#{ENV['UAA_CLIENT_TARGET']}/oauth/authorize")
             params = Util.decode_form(uri_parts[1], :sym)
             expect(params[:response_type]).to eq('code')

data/spec/scim_spec.rb

@@ -39,7 +39,7 @@ describe Scim do
   end
 
   describe 'initialize' do
-    let(:options) { {:http_proxy => 'http-proxy.com', :https_proxy => 'https-proxy.com', :skip_ssl_validation => true} }
+    let(:options) { {http_proxy: 'http-proxy.com', https_proxy: 'https-proxy.com', skip_ssl_validation: true} }
 
     it 'sets skip_ssl_validation' do
       subject.skip_ssl_validation == true
@@ -53,8 +53,8 @@ describe Scim do
       check_headers(headers, :json, :json, nil)
       [200, '{"ID":"id12345"}', {'content-type' => 'application/json'}]
     end
-    result = subject.add(:user, :hair => 'brown', :shoe_size => 'large',
-        :eye_color => ['blue', 'green'], :name => 'fred')
+    result = subject.add(:user, hair: 'brown', shoe_size: 'large',
+        eye_color: ['blue', 'green'], name: 'fred')
     result['id'].should == 'id12345'
   end
 
@@ -71,8 +71,8 @@ describe Scim do
   end
 
   it 'replaces an object' do
-    obj = {:hair => 'black', :shoe_size => 'medium', :eye_color => ['hazel', 'brown'],
-          :name => 'fredrick', :meta => {:version => 'v567'}, :id => 'id12345'}
+    obj = {hair: 'black', shoe_size: 'medium', eye_color: ['hazel', 'brown'],
+          name: 'fredrick', meta: {version: 'v567'}, id: 'id12345'}
     subject.set_request_handler do |url, method, body, headers|
       url.should == "#{@target}/Users/id12345"
       method.should == :put
@@ -85,8 +85,8 @@ describe Scim do
   end
 
   it 'modifies an object' do
-    obj = {:hair => 'black', :shoe_size => 'medium', :eye_color => ['hazel', 'brown'],
-          :name => 'fredrick', :meta => {:version => 'v567'}, :id => 'id12345'}
+    obj = {hair: 'black', shoe_size: 'medium', eye_color: ['hazel', 'brown'],
+          name: 'fredrick', meta: {version: 'v567'}, id: 'id12345'}
     subject.set_request_handler do |url, method, body, headers|
       url.should == "#{@target}/Users/id12345"
       method.should == :patch
@@ -122,7 +122,7 @@ describe Scim do
         '{"TotalResults":2,"ItemsPerPage":1,"StartIndex":2,"RESOURCES":[{"id":"id67890"}]}'
       [200, reply, {'content-type' => 'application/json'}]
     end
-    result = subject.all_pages(:user, :attributes => 'id', :includeInactive => true)
+    result = subject.all_pages(:user, attributes: 'id', includeInactive: true)
     [result[0]['id'], result[1]['id']].to_set.should == ['id12345', 'id67890'].to_set
   end
 
@@ -221,7 +221,7 @@ describe Scim do
   end
 
   describe 'users in a zone' do
-    let(:options) { {:http_proxy => 'http-proxy.com', :https_proxy => 'https-proxy.com', :skip_ssl_validation => true, :zone => 'derpzone'} }
+    let(:options) { {http_proxy: 'http-proxy.com', https_proxy: 'https-proxy.com', skip_ssl_validation: true, zone: 'derpzone'} }
 
     it 'sends zone header' do
         subject.set_request_handler do |url, method, body, headers|
@@ -230,8 +230,8 @@ describe Scim do
           check_headers(headers, :json, :json, 'derpzone')
           [200, '{"ID":"id12345"}', {'content-type' => 'application/json'}]
         end
-        result = subject.add(:user, :hair => 'brown', :shoe_size => 'large',
-                             :eye_color => ['blue', 'green'], :name => 'fred')
+        result = subject.add(:user, hair: 'brown', shoe_size: 'large',
+                             eye_color: ['blue', 'green'], name: 'fred')
         result['id'].should == 'id12345'
       end
   end

data/spec/spec_helper.rb

@@ -22,4 +22,10 @@ if ENV['COVERAGE']
   SimpleCov.start
 end
 
-require 'rspec'
+require 'rspec'
+
+RSpec.configure do |config|
+  config.expect_with :rspec do |expectations|
+    expectations.syntax = [:expect, :should]
+  end
+end

data/spec/token_coder_spec.rb

@@ -18,8 +18,8 @@ module CF::UAA
 
 describe TokenCoder do
 
-  subject { TokenCoder.new(:audience_ids => "test_resource",
-      :skey => "test_secret", :pkey => OpenSSL::PKey::RSA.generate(512) ) }
+  subject { TokenCoder.new(audience_ids: "test_resource",
+      skey: "test_secret", pkey: OpenSSL::PKey::RSA.generate(512) ) }
 
   before :each do
     @tkn_body = {'foo' => "bar"}
@@ -57,7 +57,7 @@ describe TokenCoder do
       2yrlT5h164jGCxqe7++1kIl4ollFCgz6QJ8lcmb/2Q==
       -----END RSA PRIVATE KEY-----
     DATA
-    coder = TokenCoder.new(:audience_ids => "test_resource", :pkey => pem)
+    coder = TokenCoder.new(audience_ids: "test_resource", pkey: pem)
     tkn = coder.encode(@tkn_body, 'RS256')
     result = coder.decode("bEaReR #{tkn}")
     result.should_not be_nil
@@ -66,7 +66,7 @@ describe TokenCoder do
 
   it "encodes/decodes with 'none' signature if explicitly accepted" do
     tkn = subject.encode(@tkn_body, 'none')
-    result = TokenCoder.decode(tkn, :accept_algorithms => "none")
+    result = TokenCoder.decode(tkn, accept_algorithms: "none")
     result.should_not be_nil
     result["foo"].should == "bar"
   end
@@ -86,7 +86,7 @@ describe TokenCoder do
   end
 
   it "raises an error if the token is signed by an unknown signing key" do
-    other = TokenCoder.new(:audience_ids => "test_resource", :skey => "other_secret")
+    other = TokenCoder.new(audience_ids: "test_resource", skey: "other_secret")
     tkn = other.encode(@tkn_body)
     expect { subject.decode("bEaReR #{tkn}") }.to raise_exception(InvalidSignature)
   end
@@ -103,8 +103,8 @@ describe TokenCoder do
       2yrlT5h164jGCxqe7++1kIl4ollFCgz6QJ8lcmb/2Q==
       -----END RSA PRIVATE KEY-----
     DATA
-    coder = TokenCoder.new(:audience_ids => "test_resource", :pkey => pem)
-    coder2 = TokenCoder.new(:audience_ids => "test_resource", :skey => 'randomness')
+    coder = TokenCoder.new(audience_ids: "test_resource", pkey: pem)
+    coder2 = TokenCoder.new(audience_ids: "test_resource", skey: 'randomness')
 
     tkn = coder.encode(@tkn_body, 'RS256')
 
@@ -123,21 +123,21 @@ describe TokenCoder do
       2yrlT5h164jGCxqe7++1kIl4ollFCgz6QJ8lcmb/2Q==
       -----END RSA PRIVATE KEY-----
     DATA
-    coder = TokenCoder.new(:audience_ids => "test_resource", :pkey => pem)
-    coder2 = TokenCoder.new(:audience_ids => "test_resource", :skey => 'randomness')
+    coder = TokenCoder.new(audience_ids: "test_resource", pkey: pem)
+    coder2 = TokenCoder.new(audience_ids: "test_resource", skey: 'randomness')
     tkn = coder2.encode(@tkn_body)
 
     expect { coder.decode("bEaReR #{tkn}") }.to raise_exception(InvalidSignature)
   end
 
   it "raises an error if the token is an unknown signing algorithm" do
-    segments = [Util.json_encode64(:typ => "JWT", :alg =>"BADALGO")]
+    segments = [Util.json_encode64(typ: "JWT", alg:"BADALGO")]
     segments << Util.json_encode64(@tkn_body)
     segments << Util.encode64("BADSIG")
     tkn = segments.join('.')
-    tc = TokenCoder.new(:audience_ids => "test_resource",
-        :skey => "test_secret", :pkey => OpenSSL::PKey::RSA.generate(512),
-        :accept_algorithms => "BADALGO")
+    tc = TokenCoder.new(audience_ids: "test_resource",
+        skey: "test_secret", pkey: OpenSSL::PKey::RSA.generate(512),
+        accept_algorithms: "BADALGO")
     expect { tc.decode("bEaReR #{tkn}") }.to raise_exception(SignatureNotSupported)
   end
 
@@ -179,10 +179,16 @@ describe TokenCoder do
 
   it "decodes a token without validation" do
     token = "eyJhbGciOiJIUzI1NiJ9.eyJpZCI6ImY1MTgwMjExLWVkYjItNGQ4OS1hNmQwLThmNGVjMTE0NTE4YSIsInJlc291cmNlX2lkcyI6WyJjbG91ZF9jb250cm9sbGVyIiwicGFzc3dvcmQiXSwiZXhwaXJlc19hdCI6MTMzNjU1MTc2Niwic2NvcGUiOlsicmVhZCJdLCJlbWFpbCI6Im9sZHNAdm13YXJlLmNvbSIsImNsaWVudF9hdXRob3JpdGllcyI6WyJST0xFX1VOVFJVU1RFRCJdLCJleHBpcmVzX2luIjo0MzIwMCwidXNlcl9hdXRob3JpdGllcyI6WyJST0xFX1VTRVIiXSwidXNlcl9pZCI6Im9sZHNAdm13YXJlLmNvbSIsImNsaWVudF9pZCI6InZtYyIsInRva2VuX2lkIjoiZWRlYmYzMTctNWU2Yi00YmYwLWFmM2ItMTA0OWRjNmFlYjc1In0.XoirrePfEujnZ9Vm7SRRnj3vZEfRp2tkjkS_OCVz5Bs"
-    info = TokenCoder.decode(token, :verify => false)
+    info = TokenCoder.decode(token, verify: false)
     info["id"].should_not be_nil
     info["email"].should == "olds@vmware.com"
   end
+
+  it "decodes only the expiry_at time" do
+    exp = Time.now.to_i + 60
+    tkn = subject.encode({'foo' => "bar", 'exp' => exp })
+    TokenCoder.decode_token_expiry("bEaReR #{tkn}").should == exp
+  end
 end
 
 end

data/spec/token_issuer_spec.rb

@@ -23,13 +23,16 @@ describe TokenIssuer do
 
   before do
     #Util.default_logger(:trace)
-    @issuer = TokenIssuer.new('http://test.uaa.target', 'test_client', 'test_secret', options)
+    @issuer = TokenIssuer.new('http://test.uaa.target', client_id, client_secret, options)
   end
 
+  let(:client_id) { 'test_client' }
+  let(:client_secret) { 'test!secret' }
+
   subject { @issuer }
 
   describe 'initialize' do
-    let(:options) { {:http_proxy => 'http-proxy.com', :https_proxy => 'https-proxy.com', :skip_ssl_validation => true} }
+    let(:options) { {http_proxy: 'http-proxy.com', https_proxy: 'https-proxy.com', skip_ssl_validation: true, basic_auth: false} }
 
     it 'sets skip_ssl_validation' do
       subject.skip_ssl_validation == true
@@ -42,11 +45,12 @@ describe TokenIssuer do
       subject.set_request_handler do |url, method, body, headers|
         headers['content-type'].should =~ /application\/x-www-form-urlencoded/
         headers['accept'].should =~ /application\/json/
-        # TODO check basic auth header
+        headers['X-CF-ENCODED-CREDENTIALS'].should == 'true'
+        headers['authorization'].should == 'Basic dGVzdF9jbGllbnQ6dGVzdCUyMXNlY3JldA=='
         url.should == 'http://test.uaa.target/oauth/token'
         method.should == :post
-        reply = {:access_token => 'test_access_token', :token_type => 'BEARER',
-            :scope => 'logs.read', :expires_in => 98765}
+        reply = {access_token: 'test_access_token', token_type: 'BEARER',
+            scope: 'logs.read', expires_in: 98765}
         [200, Util.json(reply), {'content-type' => 'application/json'}]
       end
       token = subject.client_credentials_grant('logs.read')
@@ -59,8 +63,8 @@ describe TokenIssuer do
 
     it 'gets all granted scopes if none specified' do
       subject.set_request_handler do |url, method, body, headers|
-        reply = {:access_token => 'test_access_token', :token_type => 'BEARER',
-            :scope => 'openid logs.read', :expires_in => 98765}
+        reply = {access_token: 'test_access_token', token_type: 'BEARER',
+            scope: 'openid logs.read', expires_in: 98765}
         [200, Util.json(reply), {'content-type' => 'application/json'}]
       end
       token = subject.client_credentials_grant
@@ -89,11 +93,12 @@ describe TokenIssuer do
       subject.set_request_handler do |url, method, body, headers|
         headers['content-type'].should =~ /application\/x-www-form-urlencoded/
         headers['accept'].should =~ /application\/json/
-        # TODO check basic auth header
+        headers['X-CF-ENCODED-CREDENTIALS'].should == 'true'
+        headers['authorization'].should == 'Basic dGVzdF9jbGllbnQ6dGVzdCUyMXNlY3JldA=='
         url.should == 'http://test.uaa.target/oauth/token'
         method.should == :post
-        reply = {:access_token => 'test_access_token', :token_type => 'BEARER',
-            :scope => 'openid', :expires_in => 98765}
+        reply = {access_token: 'test_access_token', token_type: 'BEARER',
+            scope: 'openid', expires_in: 98765}
         [200, Util.json(reply), {'content-type' => 'application/json'}]
       end
       token = subject.owner_password_grant('joe+admin', "?joe's%password$@ ", 'openid')
@@ -104,17 +109,43 @@ describe TokenIssuer do
       token.info['expires_in'].should == 98765
     end
 
+    context "when client & client secret are nil" do
+      let(:client_id) { nil }
+      let(:client_secret) { nil }
+
+      it 'does not error' do
+        subject.set_request_handler do |url, method, body, headers|
+          headers['content-type'].should =~ /application\/x-www-form-urlencoded/
+          headers['accept'].should =~ /application\/json/
+          headers['X-CF-ENCODED-CREDENTIALS'].should == 'true'
+          headers['authorization'].should == 'Basic Og=='
+          url.should == 'http://test.uaa.target/oauth/token'
+          method.should == :post
+          reply = {access_token: 'test_access_token', token_type: 'BEARER',
+                   scope: 'openid', expires_in: 98765}
+          [200, Util.json(reply), {'content-type' => 'application/json'}]
+        end
+        token = subject.owner_password_grant('joe+admin', "?joe's%password$@ ", 'openid')
+        token.should be_an_instance_of TokenInfo
+        token.info['access_token'].should == 'test_access_token'
+        token.info['token_type'].should =~ /^bearer$/i
+        token.info['scope'].should == 'openid'
+        token.info['expires_in'].should == 98765
+      end
+    end
+
     it 'gets a token with passcode' do
       subject.set_request_handler do |url, method, body, headers|
         headers['content-type'].should =~ /application\/x-www-form-urlencoded/
         headers['accept'].should =~ /application\/json/
-        # TODO check basic auth header
+        headers['X-CF-ENCODED-CREDENTIALS'].should == 'true'
+        headers['authorization'].should == 'Basic dGVzdF9jbGllbnQ6dGVzdCUyMXNlY3JldA=='
         url.should == 'http://test.uaa.target/oauth/token'
         body.should =~ /(^|&)passcode=12345($|&)/
         body.should =~ /(^|&)grant_type=password($|&)/
         method.should == :post
-        reply = {:access_token => 'test_access_token', :token_type => 'BEARER',
-                 :scope => 'openid', :expires_in => 98765}
+        reply = {access_token: 'test_access_token', token_type: 'BEARER',
+                 scope: 'openid', expires_in: 98765}
         [200, Util.json(reply), {'content-type' => 'application/json'}]
       end
       token = subject.passcode_grant('12345')
@@ -135,8 +166,8 @@ describe TokenIssuer do
         url.should == 'http://test.uaa.target/oauth/token'
         method.should == :post
         body.split('&').should =~ ['passcode=fake-passcode', 'grant_type=password']
-        reply = {:access_token => 'test_access_token', :token_type => 'BEARER',
-          :scope => 'openid', :expires_in => 98765}
+        reply = {access_token: 'test_access_token', token_type: 'BEARER',
+          scope: 'openid', expires_in: 98765}
         [200, Util.json(reply), {'content-type' => 'application/json'}]
       end
       token = subject.owner_password_credentials_grant({passcode: 'fake-passcode'})
@@ -153,7 +184,7 @@ describe TokenIssuer do
 
     it 'gets the prompts for credentials used to authenticate implicit grant' do
       subject.set_request_handler do |url, method, body, headers|
-        info = { :prompts => {:username => ['text', 'Username'], :password => ['password', 'Password']} }
+        info = { prompts: {username: ['text', 'Username'], password: ['password', 'Password']} }
         [200, Util.json(info), {'content-type' => 'application/json'}]
       end
       result = subject.prompts
@@ -182,10 +213,10 @@ describe TokenIssuer do
         end
 
         expect(subject).to receive(:authorize_path_args).with('token', 'https://uaa.cloudfoundry.com/redirect/test_client', 'logs.read', anything)
-        subject.stub(:random_state).and_return('1234')
-        subject.stub(:authorize_path_args).and_return('/oauth/authorize?state=1234&scope=logs.read')
+        allow(subject).to receive(:random_state).and_return('1234')
+        allow(subject).to receive(:authorize_path_args).and_return('/oauth/authorize?state=1234&scope=logs.read')
 
-        token = subject.implicit_grant_with_creds({:username => 'joe+admin', :password => "?joe's%password$@ "}, 'logs.read')
+        token = subject.implicit_grant_with_creds({username: 'joe+admin', password: "?joe's%password$@ "}, 'logs.read')
         token.should be_an_instance_of TokenInfo
         token.info['access_token'].should == 'test_access_token'
         token.info['token_type'].should =~ /^bearer$/i
@@ -202,7 +233,7 @@ describe TokenIssuer do
         end
 
         expect(subject).to receive(:authorize_path_args).with('token id_token', 'https://uaa.cloudfoundry.com/redirect/test_client', 'openid logs.read', anything)
-        subject.stub(:random_state).and_return('1234')
+        allow(subject).to receive(:random_state).and_return('1234')
         subject.implicit_grant_with_creds({:username => 'joe+admin', :password => "?joe's%password$@ "}, 'openid logs.read')
       end
     end
@@ -214,8 +245,8 @@ describe TokenIssuer do
             'expires_in=98765&scope=openid+logs.read&state=bad_state'
         [302, nil, {'content-type' => 'application/json', 'location' => location}]
       end
-      expect {token = subject.implicit_grant_with_creds(:username => 'joe+admin',
-          :password => "?joe's%password$@ ")}.to raise_exception BadResponse
+      expect {token = subject.implicit_grant_with_creds(username: 'joe+admin',
+          password: "?joe's%password$@ ")}.to raise_exception BadResponse
     end
 
     it 'asks for an id_token with openid scope' do
@@ -250,11 +281,12 @@ describe TokenIssuer do
       subject.set_request_handler do |url, method, body, headers|
         headers['content-type'].should =~ /application\/x-www-form-urlencoded/
         headers['accept'].should =~ /application\/json/
-        # TODO check basic auth header
+        headers['X-CF-ENCODED-CREDENTIALS'].should == 'true'
+        headers['authorization'].should == 'Basic dGVzdF9jbGllbnQ6dGVzdCUyMXNlY3JldA=='
         url.should match 'http://test.uaa.target/oauth/token'
         method.should == :post
-        reply = {:access_token => 'test_access_token', :token_type => 'BEARER',
-            :scope => 'openid', :expires_in => 98765}
+        reply = {access_token: 'test_access_token', token_type: 'BEARER',
+            scope: 'openid', expires_in: 98765}
         [200, Util.json(reply), {'content-type' => 'application/json'}]
       end
       cburi = 'http://call.back/uri_path'