cf-uaa-lib 3.2.3 → 3.2.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 35d3170905100aa7d8173c6872eda69152cfa2f2
-  data.tar.gz: c17587b9299da1daf876632e70f0b41cba3ff257
+  metadata.gz: f1a44d84d9da8b6a573137d39cff8f0a8272f21d
+  data.tar.gz: 50590e8f0a93d17739478de139c72a744ce1417a
 SHA512:
-  metadata.gz: 5713ce58de47d5132a6d6c3698f236891b8822d492d4752a5e5ad7fcf5fe2e20e03361cceb669cc9a467eb37105c6a8a028398276fb663233879dfbc5c64de11
-  data.tar.gz: 82cf478b0291782c8650988cbc49dc392a17e697b96817ca1cedab4728b10107d2c915c176d6d0d278bad8f18a84208f70da8646324d780553bc52a737ae9f06
+  metadata.gz: 01b0f6577fad7197cd957c55f4f7b7cf781a6d79f160de5cba31a523708da721396cbf48261f9d8da61e59b704672f4b3d3fa0c7f08ccc349c3171ec98478e1f
+  data.tar.gz: 723f1a40f353d5b70bf8ee778dc1ec32f7c1e10729a82444281fa96e7f17a5b5eb0c0a10ff160ef149f9017f2bd2aae236ffb7a72accf016664788d8c947e17f

data/lib/uaa/token_issuer.rb

@@ -84,7 +84,7 @@ class TokenIssuer
     params = args.merge(:client_id => @client_id, :response_type => response_type,
         :redirect_uri => redirect_uri, :state => state)
     params[:scope] = scope = Util.strlist(scope) if scope = Util.arglist(scope)
-    params[:nonce], params[:response_type] = state, "#{response_type} id_token" if scope && scope.include?('openid')
+    params[:nonce] = state
     "/oauth/authorize?#{Util.encode_form(params)}"
   end
 
@@ -134,7 +134,9 @@ class TokenIssuer
   def implicit_grant_with_creds(credentials, scope = nil)
     # this manufactured redirect_uri is a convention here, not part of OAuth2
     redir_uri = "https://uaa.cloudfoundry.com/redirect/#{@client_id}"
-    uri = authorize_path_args("token", redir_uri, scope, state = random_state)
+    response_type = "token"
+    response_type = "#{response_type} id_token" if scope && (scope.include? "openid")
+    uri = authorize_path_args(response_type, redir_uri, scope, state = random_state)
 
     # the accept header is only here so the uaa will issue error replies in json to aid debugging
     headers = {'content-type' => FORM_UTF8, 'accept' => JSON_UTF8 }
@@ -154,7 +156,9 @@ class TokenIssuer
   # @param [String] redirect_uri (see #authcode_uri)
   # @return [String]
   def implicit_uri(redirect_uri, scope = nil)
-    @target + authorize_path_args("token", redirect_uri, scope)
+    response_type = "token"
+    response_type = "#{response_type} id_token" if scope && (scope.include? "openid")
+    @target + authorize_path_args(response_type, redirect_uri, scope)
   end
 
   # Gets a token via an implicit grant.

data/lib/uaa/version.rb

@@ -14,6 +14,6 @@
 # Cloud Foundry namespace
 module CF
   module UAA
-    VERSION = "3.2.3"
+    VERSION = "3.2.4"
   end
 end

data/spec/token_issuer_spec.rb

@@ -151,24 +151,44 @@ describe TokenIssuer do
       expect { subject.prompts }.to raise_exception BadResponse
     end
 
-    it "gets an access token" do
-      subject.set_request_handler do |url, method, body, headers|
-        headers["content-type"].should =~ /application\/x-www-form-urlencoded/
-        headers["accept"].should =~ /application\/json/
-        url.should match "http://test.uaa.target/oauth/authorize"
-        (state = /state=([^&]+)/.match(url)[1]).should_not be_nil
-        method.should == :post
-        location = "https://uaa.cloudfoundry.com/redirect/test_client#" +
-            "access_token=test_access_token&token_type=bearer&" +
-            "expires_in=98765&scope=openid+logs.read&state=#{state}"
-        [302, nil, {"content-type" => "application/json", "location" => location}]
+    context "#implicit_grant_with_creds" do
+      it "gets only an access token, no openid in scope" do
+        subject.set_request_handler do |url, method, body, headers|
+          headers["content-type"].should =~ /application\/x-www-form-urlencoded/
+          headers["accept"].should =~ /application\/json/
+          url.should match "http://test.uaa.target/oauth/authorize"
+          (state = /state=([^&]+)/.match(url)[1]).should_not be_nil
+          method.should == :post
+          location = "https://uaa.cloudfoundry.com/redirect/test_client#" +
+              "access_token=test_access_token&token_type=bearer&" +
+              "expires_in=98765&scope=logs.read&state=#{state}"
+          [302, nil, {"content-type" => "application/json", "location" => location}]
+        end
+
+        expect(subject).to receive(:authorize_path_args).with("token", "https://uaa.cloudfoundry.com/redirect/test_client", "logs.read", anything)
+        subject.stub(:random_state).and_return("1234")
+        subject.stub(:authorize_path_args).and_return("/oauth/authorize?state=1234&scope=logs.read")
+
+        token = subject.implicit_grant_with_creds({:username => "joe+admin", :password => "?joe's%password$@ "}, "logs.read")
+        token.should be_an_instance_of TokenInfo
+        token.info["access_token"].should == "test_access_token"
+        token.info["token_type"].should =~ /^bearer$/i
+        Util.arglist(token.info["scope"]).to_set.should == Util.arglist("logs.read").to_set
+        token.info["expires_in"].should == 98765
+      end
+
+      it "also asks for an id_token if scope contains openid" do
+        subject.set_request_handler do |url, method, body, headers|
+          location = "https://uaa.cloudfoundry.com/redirect/test_client#" +
+              "access_token=test_access_token&id_token=test-id_token&token_type=bearer&" +
+              "expires_in=98765&scope=openid+logs.read&state=1234"
+          [302, nil, {"content-type" => "application/json", "location" => location}]
+        end
+
+        expect(subject).to receive(:authorize_path_args).with("token id_token", "https://uaa.cloudfoundry.com/redirect/test_client", "openid logs.read", anything)
+        subject.stub(:random_state).and_return("1234")
+        subject.implicit_grant_with_creds({:username => "joe+admin", :password => "?joe's%password$@ "}, "openid logs.read")
       end
-      token = subject.implicit_grant_with_creds(:username => "joe+admin", :password => "?joe's%password$@ ")
-      token.should be_an_instance_of TokenInfo
-      token.info["access_token"].should == "test_access_token"
-      token.info["token_type"].should =~ /^bearer$/i
-      Util.arglist(token.info["scope"]).to_set.should == Util.arglist("openid logs.read").to_set
-      token.info["expires_in"].should == 98765
     end
 
     it "rejects an access token with wrong state" do
@@ -182,18 +202,30 @@ describe TokenIssuer do
           :password => "?joe's%password$@ ")}.to raise_exception BadResponse
     end
 
+    it "asks for an id_token with openid scope" do
+      uri_parts = subject.implicit_uri("http://call.back/uri_path", "openid logs.read").split('?')
+      params = Util.decode_form(uri_parts[1])
+      params["response_type"].should == "token id_token"
+    end
+
+    it "only asks for token if scope isn't openid" do
+      uri_parts = subject.implicit_uri("http://call.back/uri_path").split('?')
+      params = Util.decode_form(uri_parts[1])
+      params["response_type"].should == "token"
+    end
+
   end
 
   context "with auth code grant" do
 
     it "gets the authcode uri to be sent to the user agent for an authcode" do
       redir_uri = "http://call.back/uri_path"
-      uri_parts = subject.authcode_uri(redir_uri).split('?')
+      uri_parts = subject.authcode_uri(redir_uri, "openid").split('?')
       uri_parts[0].should == "http://test.uaa.target/oauth/authorize"
       params = Util.decode_form(uri_parts[1])
       params["response_type"].should == "code"
       params["client_id"].should == "test_client"
-      params["scope"].should be_nil
+      params["scope"].should == "openid"
       params["redirect_uri"].should == redir_uri
       params["state"].should_not be_nil
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: cf-uaa-lib
 version: !ruby/object:Gem::Version
-  version: 3.2.3
+  version: 3.2.4
 platform: ruby
 authors:
 - Dave Syer
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-08-28 00:00:00.000000000 Z
+date: 2015-09-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: multi_json