devise_g5_authenticatable 0.1.0

data/spec/dummy/public/404.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The page you were looking for doesn't exist (404)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/404.html -->
+  <div class="dialog">
+    <h1>The page you were looking for doesn't exist.</h1>
+    <p>You may have mistyped the address or the page may have moved.</p>
+  </div>
+</body>
+</html>

data/spec/dummy/public/422.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The change you wanted was rejected (422)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/422.html -->
+  <div class="dialog">
+    <h1>The change you wanted was rejected.</h1>
+    <p>Maybe you tried to change something you didn't have access to.</p>
+  </div>
+</body>
+</html>

data/spec/dummy/public/500.html

@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>We're sorry, but something went wrong (500)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/500.html -->
+  <div class="dialog">
+    <h1>We're sorry, but something went wrong.</h1>
+  </div>
+</body>
+</html>

data/spec/dummy/public/robots.txt

@@ -0,0 +1,5 @@
+# See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file
+#
+# To ban all spiders from the entire site uncomment the next two lines:
+# User-Agent: *
+# Disallow: /

data/spec/dummy/script/rails

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require File.expand_path('../../config/boot',  __FILE__)
+require 'rails/commands'

data/spec/factories/admin.rb

@@ -0,0 +1,10 @@
+FactoryGirl.define do
+  factory :admin do
+    sequence(:email) { |n| "admin.#{n}@test.host" }
+    password 'my_new_secret'
+    password_confirmation 'my_new_secret'
+    provider 'g5'
+    sequence(:uid) { |n| "remote-admin-#{n}" }
+    sequence(:g5_access_token) { |n| "token-abc123-#{n}" }
+  end
+end

data/spec/factories/user.rb

@@ -0,0 +1,10 @@
+FactoryGirl.define do
+  factory :user do
+    sequence(:email) { |n| "user.#{n}@test.host" }
+    password 'my_new_secret'
+    password_confirmation 'my_new_secret'
+    provider 'g5'
+    sequence(:uid) { |n| "remote-user-#{n}" }
+    sequence(:g5_access_token) { |n| "token-abc123-#{n}" }
+  end
+end

data/spec/features/edit_registration_spec.rb

@@ -0,0 +1,109 @@
+require 'spec_helper'
+
+describe 'Editing a user registration' do
+  subject(:update_registration) { click_button 'Update' }
+
+  let(:user) { create(:user) }
+
+  let(:auth_client) { double(:auth_client, update_user: auth_user, me: auth_user) }
+
+  let(:auth_user) { double(:auth_user, id: user.uid, email: user.email) }
+  before do
+    allow(G5AuthenticationClient::Client).to receive(:new).and_return(auth_client)
+  end
+
+  before do
+    visit_path_and_login_with(edit_user_registration_path, user)
+    fill_in 'Email', with: email
+    fill_in 'Password', with: password
+    fill_in 'Password confirmation', with: password_confirmation
+    fill_in 'Current password', with: current_password
+  end
+
+  let(:email) { 'new.email@test.host' }
+  let(:password) { '' }
+  let(:password_confirmation) { password }
+  let(:current_password) { user.password }
+
+  context 'when current password is valid' do
+    context 'when password is blank' do
+      it 'should update the email locally' do
+        update_registration
+        user.reload
+        expect(user.email).to eq(email)
+      end
+
+      it 'should update the email on the auth server' do
+        expect(auth_client).to receive(:update_user).with({id: user.uid,
+                                                           email: email,
+                                                           password: nil,
+                                                           password_confirmation: nil})
+        update_registration
+      end
+    end
+
+    context 'when password is updated' do
+      let(:password) { 'a brand new password' }
+
+      it 'should update the password on the auth server' do
+        expect(auth_client).to receive(:update_user).with({id: user.uid,
+                                                           email: email,
+                                                           password: password,
+                                                           password_confirmation: password_confirmation})
+        update_registration
+      end
+    end
+
+    context 'when email is blank' do
+      let(:email) { '' }
+
+      it 'should display an error message' do
+        update_registration
+        expect(page).to have_content("Email can't be blank")
+      end
+
+      it 'should not update the credentials on the auth server' do
+        expect(auth_client).to_not receive(:update_user)
+        update_registration
+      end
+    end
+
+    context 'when the auth server returns an error' do
+      include_context 'OAuth2::Error'
+      before { allow(auth_client).to receive(:update_user).and_raise(oauth_error) }
+
+      it 'should display an error message' do
+        update_registration
+        expect(page).to have_content(error_message)
+      end
+
+      it 'should not update the email locally' do
+        update_registration
+        user.reload
+        expect(user.email).to_not eq(email)
+      end
+    end
+  end
+
+  context 'when current password is invalid' do
+    include_context 'OAuth2::Error'
+    let(:error_message) { 'invalid_resource_owner' }
+    before { allow(auth_client).to receive(:me).and_raise(oauth_error) }
+
+    it 'should display an error message' do
+      update_registration
+      expect(page).to have_content('Current password is invalid')
+    end
+
+    it 'should not update the credentials on the auth server' do
+      expect(auth_client).to_not receive(:update_user)
+      update_registration
+    end
+
+    it 'should not update the email locally' do
+      update_registration
+      user.reload
+      expect(user.email).to_not eq(email)
+    end
+  end
+end

data/spec/features/registration_spec.rb

@@ -0,0 +1,99 @@
+require 'spec_helper'
+
+describe 'User registration' do
+  subject(:register_user) { click_button 'Sign up' }
+
+  let(:auth_client) { double(:auth_client, create_user: auth_user) }
+  let(:auth_user) { double(:auth_user, id: uid, email: email) }
+  before do
+    allow(G5AuthenticationClient::Client).to receive(:new).and_return(auth_client)
+  end
+
+  before do
+    visit new_user_registration_path
+    fill_in 'Email', with: email
+    fill_in 'Password', with: password
+    fill_in 'Password confirmation', with: password_confirmation
+  end
+
+  let(:email) { 'fred.rogers@theneighborhood.net' }
+  let(:password) { 'wontyoubemyneighbor' }
+  let(:password_confirmation) { password }
+  let(:uid) { '42-remote-uid' }
+
+  context 'when registration is valid' do
+    it 'should create a user' do
+      expect { register_user }.to change { User.count }.by(1)
+    end
+
+    it 'should redirect to the root path' do
+      register_user
+      expect(current_path).to eq(root_path)
+    end
+
+    it 'should create the user on the auth server' do
+      expect(auth_client).to receive(:create_user).
+        with({email: email,
+              password: password,
+              password_confirmation: password_confirmation}).
+        and_return(auth_user)
+      register_user
+    end
+
+    it 'needs a token from somewhere - figure it out'
+
+    it 'should assign the provider and uid to the user' do
+      register_user
+      user = User.find_by_email(email)
+      expect(user.provider).to eq('g5')
+      expect(user.uid).to eq(uid)
+    end
+  end
+
+  context 'when there is an error on the auth server' do
+    include_context 'OAuth2::Error'
+    before { allow(auth_client).to receive(:create_user).and_raise(oauth_error) }
+
+    it 'should display an error message' do
+      register_user
+      expect(page).to have_content(error_message)
+    end
+
+    it 'should not create the user locally' do
+      expect { register_user }.to_not change { User.count }
+    end
+  end
+
+  context 'when password is blank' do
+    let(:password) { '  ' }
+
+    it_should_behave_like 'a registration validation error' do
+      let(:error_message) { "Password can't be blank" }
+    end
+  end
+
+  context 'when password does not match confirmation' do
+    let(:password_confirmation) { 'something else entirely' }
+
+    it_should_behave_like 'a registration validation error' do
+      let(:error_message) { "Password doesn't match confirmation" }
+    end
+  end
+
+  context 'when email is blank' do
+    let(:email) { '' }
+
+    it_should_behave_like 'a registration validation error' do
+      let(:error_message) { "Email can't be blank" }
+    end
+  end
+
+  context 'when email is not unique' do
+    let(:user) { create(:user) }
+    let(:email) { user.email }
+
+    it_should_behave_like 'a registration validation error' do
+      let(:error_message) { 'Email has already been taken' }
+    end
+  end
+end

data/spec/features/sign_in_spec.rb

@@ -0,0 +1,91 @@
+require 'spec_helper'
+
+describe 'Signing in' do
+  context 'when visiting a protected page' do
+    let(:protected_path) { edit_user_registration_path }
+
+    context 'with valid credentials' do
+      before do
+        stub_g5_omniauth(user)
+        visit protected_path
+      end
+
+      context 'when user exists locally' do
+        let(:user) { create(:user) }
+
+        it 'should sign in the user successfully' do
+          expect(page).to have_content('Signed in successfully.')
+        end
+
+        it 'should redirect the user to the requested path' do
+          expect(current_path).to eq(protected_path)
+        end
+      end
+
+      context 'when user does not exist locally' do
+        let(:user) { build(:user, uid: 42) }
+
+        it 'should display an informative message' do
+          expect(page).to have_content('You must sign up before continuing.')
+        end
+
+        it 'should redirect the user to the registration page' do
+          expect(current_path).to eq(new_user_registration_path)
+        end
+
+        it 'should prefill the Email field' do
+          expect(find_field('Email').value).to eq(user.email)
+        end
+      end
+    end
+
+    context 'with invalid credentials' do
+      before do
+        stub_g5_invalid_credentials
+        visit protected_path
+      end
+
+      let(:user) { create(:user) }
+
+      it 'should display an error' do
+        expect(page).to have_content('Invalid credentials')
+      end
+    end
+  end
+
+  context 'when clicking a login link' do
+    before do
+      visit root_path
+      stub_g5_omniauth(user)
+      click_link 'Login'
+    end
+
+    let(:user) { create(:user) }
+
+    it 'should sign in the user successfully' do
+      expect(page).to have_content('Signed in successfully.')
+    end
+
+    it 'should redirect the user to the root path' do
+      expect(current_path).to eq(root_path)
+    end
+  end
+
+  context 'when clicking a login link after signing in' do
+    before do
+      visit_path_and_login_with(edit_user_registration_path, user)
+      visit root_path
+      click_link 'Login'
+    end
+
+    let(:user) { create(:user) }
+
+    it 'should warn the user that they are currently signed in' do
+      expect(page).to have_content('You are already signed in.')
+    end
+
+    it 'should redirect the user to the root path' do
+      expect(current_path).to eq(root_path)
+    end
+  end
+end

data/spec/features/sign_out_spec.rb

@@ -0,0 +1,7 @@
+require 'spec_helper'
+
+describe 'Signing out' do
+  it 'should redirect to the auth server'
+  it 'should pass the root url as a param to the redirect'
+  it 'should not allow the user to access protected pages'
+end

data/spec/g5/auth_password_validator_spec.rb

@@ -0,0 +1,81 @@
+require 'spec_helper'
+
+describe Devise::G5::AuthPasswordValidator do
+  let(:validator) { described_class.new(model) }
+
+  let(:model) { build_stubbed(:user) }
+
+  describe '#valid_password?' do
+    subject(:valid_password?) { validator.valid_password?(password) }
+
+    let(:password) { 'password to check' }
+
+    let(:auth_client) { double(:g5_authentication_client, me: auth_user) }
+    let(:auth_user) { double(:auth_user, uid: model.uid, email: model.email) }
+
+    let(:oauth_error) { OAuth2::Error.new(response) }
+    let(:response) { double(:oauth_response, parsed: oauth_error_hash).as_null_object }
+
+    before do
+      allow(G5AuthenticationClient::Client).to receive(:new).
+        and_return(auth_client)
+    end
+
+    context 'with valid password' do
+      before { valid_password? }
+
+      it 'should initialize auth client with the username' do
+        expect(G5AuthenticationClient::Client).to have_received(:new).
+          with(hash_including(username: model.email))
+      end
+
+      it 'should initialize auth client with the password' do
+        expect(G5AuthenticationClient::Client).to have_received(:new).
+          with(hash_including(password: password))
+      end
+
+      it 'should retrieve the auth user associated with these credentials' do
+        expect(auth_client).to have_received(:me)
+      end
+
+      it 'should return true' do
+        expect(valid_password?).to be_true
+      end
+    end
+
+    context 'with invalid password' do
+      before { allow(auth_client).to receive(:me).and_raise(oauth_error) }
+
+      let(:oauth_error_hash) do
+        {'error' => 'invalid_resource_owner',
+         'error_description' => 'The provided resource owner credentials are not valid, or resource owner cannot be found.'}
+      end
+
+      it 'should return false' do
+        expect(valid_password?).to be_false
+      end
+    end
+
+    context 'with blank password' do
+      before { allow(auth_client).to receive(:me).and_raise(runtime_error) }
+      let(:runtime_error) { RuntimeError.new('Insufficient credentials for access token. Supply a username/password or authentication code.') }
+
+      it 'should return false' do
+        expect(valid_password?).to be_false
+      end
+    end
+
+    context 'when an unrelated server error occurs' do
+      before { allow(auth_client).to receive(:me).and_raise(oauth_error) }
+
+      let(:oauth_error_hash) do
+        {'error' => 'unauthorized_client',
+         'error_description' => 'The client is not authorized to perform this request using this method.'}
+      end
+
+      it 'should re-raise the error' do
+        expect { valid_password? }.to raise_error(oauth_error)
+      end
+    end
+  end
+end