cf-uaa-lib 3.2.3 → 3.2.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/lib/uaa/token_issuer.rb +7 -3
- data/lib/uaa/version.rb +1 -1
- data/spec/token_issuer_spec.rb +51 -19
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: f1a44d84d9da8b6a573137d39cff8f0a8272f21d
|
|
4
|
+
data.tar.gz: 50590e8f0a93d17739478de139c72a744ce1417a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 01b0f6577fad7197cd957c55f4f7b7cf781a6d79f160de5cba31a523708da721396cbf48261f9d8da61e59b704672f4b3d3fa0c7f08ccc349c3171ec98478e1f
|
|
7
|
+
data.tar.gz: 723f1a40f353d5b70bf8ee778dc1ec32f7c1e10729a82444281fa96e7f17a5b5eb0c0a10ff160ef149f9017f2bd2aae236ffb7a72accf016664788d8c947e17f
|
data/lib/uaa/token_issuer.rb
CHANGED
|
@@ -84,7 +84,7 @@ class TokenIssuer
|
|
|
84
84
|
params = args.merge(:client_id => @client_id, :response_type => response_type,
|
|
85
85
|
:redirect_uri => redirect_uri, :state => state)
|
|
86
86
|
params[:scope] = scope = Util.strlist(scope) if scope = Util.arglist(scope)
|
|
87
|
-
params[:nonce]
|
|
87
|
+
params[:nonce] = state
|
|
88
88
|
"/oauth/authorize?#{Util.encode_form(params)}"
|
|
89
89
|
end
|
|
90
90
|
|
|
@@ -134,7 +134,9 @@ class TokenIssuer
|
|
|
134
134
|
def implicit_grant_with_creds(credentials, scope = nil)
|
|
135
135
|
# this manufactured redirect_uri is a convention here, not part of OAuth2
|
|
136
136
|
redir_uri = "https://uaa.cloudfoundry.com/redirect/#{@client_id}"
|
|
137
|
-
|
|
137
|
+
response_type = "token"
|
|
138
|
+
response_type = "#{response_type} id_token" if scope && (scope.include? "openid")
|
|
139
|
+
uri = authorize_path_args(response_type, redir_uri, scope, state = random_state)
|
|
138
140
|
|
|
139
141
|
# the accept header is only here so the uaa will issue error replies in json to aid debugging
|
|
140
142
|
headers = {'content-type' => FORM_UTF8, 'accept' => JSON_UTF8 }
|
|
@@ -154,7 +156,9 @@ class TokenIssuer
|
|
|
154
156
|
# @param [String] redirect_uri (see #authcode_uri)
|
|
155
157
|
# @return [String]
|
|
156
158
|
def implicit_uri(redirect_uri, scope = nil)
|
|
157
|
-
|
|
159
|
+
response_type = "token"
|
|
160
|
+
response_type = "#{response_type} id_token" if scope && (scope.include? "openid")
|
|
161
|
+
@target + authorize_path_args(response_type, redirect_uri, scope)
|
|
158
162
|
end
|
|
159
163
|
|
|
160
164
|
# Gets a token via an implicit grant.
|
data/lib/uaa/version.rb
CHANGED
data/spec/token_issuer_spec.rb
CHANGED
|
@@ -151,24 +151,44 @@ describe TokenIssuer do
|
|
|
151
151
|
expect { subject.prompts }.to raise_exception BadResponse
|
|
152
152
|
end
|
|
153
153
|
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
154
|
+
context "#implicit_grant_with_creds" do
|
|
155
|
+
it "gets only an access token, no openid in scope" do
|
|
156
|
+
subject.set_request_handler do |url, method, body, headers|
|
|
157
|
+
headers["content-type"].should =~ /application\/x-www-form-urlencoded/
|
|
158
|
+
headers["accept"].should =~ /application\/json/
|
|
159
|
+
url.should match "http://test.uaa.target/oauth/authorize"
|
|
160
|
+
(state = /state=([^&]+)/.match(url)[1]).should_not be_nil
|
|
161
|
+
method.should == :post
|
|
162
|
+
location = "https://uaa.cloudfoundry.com/redirect/test_client#" +
|
|
163
|
+
"access_token=test_access_token&token_type=bearer&" +
|
|
164
|
+
"expires_in=98765&scope=logs.read&state=#{state}"
|
|
165
|
+
[302, nil, {"content-type" => "application/json", "location" => location}]
|
|
166
|
+
end
|
|
167
|
+
|
|
168
|
+
expect(subject).to receive(:authorize_path_args).with("token", "https://uaa.cloudfoundry.com/redirect/test_client", "logs.read", anything)
|
|
169
|
+
subject.stub(:random_state).and_return("1234")
|
|
170
|
+
subject.stub(:authorize_path_args).and_return("/oauth/authorize?state=1234&scope=logs.read")
|
|
171
|
+
|
|
172
|
+
token = subject.implicit_grant_with_creds({:username => "joe+admin", :password => "?joe's%password$@ "}, "logs.read")
|
|
173
|
+
token.should be_an_instance_of TokenInfo
|
|
174
|
+
token.info["access_token"].should == "test_access_token"
|
|
175
|
+
token.info["token_type"].should =~ /^bearer$/i
|
|
176
|
+
Util.arglist(token.info["scope"]).to_set.should == Util.arglist("logs.read").to_set
|
|
177
|
+
token.info["expires_in"].should == 98765
|
|
178
|
+
end
|
|
179
|
+
|
|
180
|
+
it "also asks for an id_token if scope contains openid" do
|
|
181
|
+
subject.set_request_handler do |url, method, body, headers|
|
|
182
|
+
location = "https://uaa.cloudfoundry.com/redirect/test_client#" +
|
|
183
|
+
"access_token=test_access_token&id_token=test-id_token&token_type=bearer&" +
|
|
184
|
+
"expires_in=98765&scope=openid+logs.read&state=1234"
|
|
185
|
+
[302, nil, {"content-type" => "application/json", "location" => location}]
|
|
186
|
+
end
|
|
187
|
+
|
|
188
|
+
expect(subject).to receive(:authorize_path_args).with("token id_token", "https://uaa.cloudfoundry.com/redirect/test_client", "openid logs.read", anything)
|
|
189
|
+
subject.stub(:random_state).and_return("1234")
|
|
190
|
+
subject.implicit_grant_with_creds({:username => "joe+admin", :password => "?joe's%password$@ "}, "openid logs.read")
|
|
165
191
|
end
|
|
166
|
-
token = subject.implicit_grant_with_creds(:username => "joe+admin", :password => "?joe's%password$@ ")
|
|
167
|
-
token.should be_an_instance_of TokenInfo
|
|
168
|
-
token.info["access_token"].should == "test_access_token"
|
|
169
|
-
token.info["token_type"].should =~ /^bearer$/i
|
|
170
|
-
Util.arglist(token.info["scope"]).to_set.should == Util.arglist("openid logs.read").to_set
|
|
171
|
-
token.info["expires_in"].should == 98765
|
|
172
192
|
end
|
|
173
193
|
|
|
174
194
|
it "rejects an access token with wrong state" do
|
|
@@ -182,18 +202,30 @@ describe TokenIssuer do
|
|
|
182
202
|
:password => "?joe's%password$@ ")}.to raise_exception BadResponse
|
|
183
203
|
end
|
|
184
204
|
|
|
205
|
+
it "asks for an id_token with openid scope" do
|
|
206
|
+
uri_parts = subject.implicit_uri("http://call.back/uri_path", "openid logs.read").split('?')
|
|
207
|
+
params = Util.decode_form(uri_parts[1])
|
|
208
|
+
params["response_type"].should == "token id_token"
|
|
209
|
+
end
|
|
210
|
+
|
|
211
|
+
it "only asks for token if scope isn't openid" do
|
|
212
|
+
uri_parts = subject.implicit_uri("http://call.back/uri_path").split('?')
|
|
213
|
+
params = Util.decode_form(uri_parts[1])
|
|
214
|
+
params["response_type"].should == "token"
|
|
215
|
+
end
|
|
216
|
+
|
|
185
217
|
end
|
|
186
218
|
|
|
187
219
|
context "with auth code grant" do
|
|
188
220
|
|
|
189
221
|
it "gets the authcode uri to be sent to the user agent for an authcode" do
|
|
190
222
|
redir_uri = "http://call.back/uri_path"
|
|
191
|
-
uri_parts = subject.authcode_uri(redir_uri).split('?')
|
|
223
|
+
uri_parts = subject.authcode_uri(redir_uri, "openid").split('?')
|
|
192
224
|
uri_parts[0].should == "http://test.uaa.target/oauth/authorize"
|
|
193
225
|
params = Util.decode_form(uri_parts[1])
|
|
194
226
|
params["response_type"].should == "code"
|
|
195
227
|
params["client_id"].should == "test_client"
|
|
196
|
-
params["scope"].should
|
|
228
|
+
params["scope"].should == "openid"
|
|
197
229
|
params["redirect_uri"].should == redir_uri
|
|
198
230
|
params["state"].should_not be_nil
|
|
199
231
|
end
|
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: cf-uaa-lib
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.2.
|
|
4
|
+
version: 3.2.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Dave Syer
|
|
@@ -12,7 +12,7 @@ authors:
|
|
|
12
12
|
autorequire:
|
|
13
13
|
bindir: bin
|
|
14
14
|
cert_chain: []
|
|
15
|
-
date: 2015-
|
|
15
|
+
date: 2015-09-22 00:00:00.000000000 Z
|
|
16
16
|
dependencies:
|
|
17
17
|
- !ruby/object:Gem::Dependency
|
|
18
18
|
name: multi_json
|