googleauth 0.5.1 → 0.14.0

data/spec/googleauth/web_user_authorizer_spec.rb

@@ -27,133 +27,146 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-spec_dir = File.expand_path(File.join(File.dirname(__FILE__)))
-$LOAD_PATH.unshift(spec_dir)
+spec_dir = File.expand_path File.join(File.dirname(__FILE__))
+$LOAD_PATH.unshift spec_dir
 $LOAD_PATH.uniq!
 
-require 'googleauth'
-require 'googleauth/web_user_authorizer'
-require 'uri'
-require 'multi_json'
-require 'spec_helper'
-require 'rack'
+require "googleauth"
+require "googleauth/web_user_authorizer"
+require "uri"
+require "multi_json"
+require "spec_helper"
+require "rack"
 
 describe Google::Auth::WebUserAuthorizer do
   include TestHelpers
 
-  let(:client_id) { Google::Auth::ClientId.new('testclient', 'notasecret') }
-  let(:scope) { %w(email profile) }
+  let(:client_id) { Google::Auth::ClientId.new "testclient", "notasecret" }
+  let(:scope) { %w[email profile] }
   let(:token_store) { DummyTokenStore.new }
-  let(:authorizer) do
-    Google::Auth::WebUserAuthorizer.new(client_id, scope, token_store)
+  let :authorizer do
+    Google::Auth::WebUserAuthorizer.new client_id, scope, token_store
   end
 
-  describe '#get_authorization_url' do
-    let(:env) do
+  describe "#get_authorization_url" do
+    let :env do
       Rack::MockRequest.env_for(
-        'http://example.com:8080/test',
-        'REMOTE_ADDR' => '10.10.10.10')
+        "http://example.com:8080/test",
+        "REMOTE_ADDR" => "10.10.10.10"
+      )
     end
-    let(:request) { Rack::Request.new(env) }
-    it 'should include current url in state' do
-      url = authorizer.get_authorization_url(request: request)
+    let(:request) { Rack::Request.new env }
+    it "should include current url in state" do
+      url = authorizer.get_authorization_url request: request
       expect(url).to match(
-        %r{%22current_uri%22:%22http://example.com:8080/test%22})
+        %r{%22current_uri%22:%22http://example.com:8080/test%22}
+      )
     end
 
-    it 'should include request forgery token in state' do
-      expect(SecureRandom).to receive(:base64).and_return('aGVsbG8=')
-      url = authorizer.get_authorization_url(request: request)
+    it "should allow adding custom state key-value pairs" do
+      url = authorizer.get_authorization_url request: request, state: { james: "bond", kind: 1 }
+      expect(url).to match(%r{%22james%22:%22bond%22})
+      expect(url).to match(%r{%22kind%22:1})
+    end
+
+    it "should include request forgery token in state" do
+      expect(SecureRandom).to receive(:base64).and_return("aGVsbG8=")
+      url = authorizer.get_authorization_url request: request
       expect(url).to match(/%22session_id%22:%22aGVsbG8=%22/)
     end
 
-    it 'should include request forgery token in session' do
-      expect(SecureRandom).to receive(:base64).and_return('aGVsbG8=')
-      authorizer.get_authorization_url(request: request)
-      expect(request.session['g-xsrf-token']).to eq 'aGVsbG8='
+    it "should include request forgery token in session" do
+      expect(SecureRandom).to receive(:base64).and_return("aGVsbG8=")
+      authorizer.get_authorization_url request: request
+      expect(request.session["g-xsrf-token"]).to eq "aGVsbG8="
     end
 
-    it 'should resolve callback against base URL' do
-      url = authorizer.get_authorization_url(request: request)
+    it "should resolve callback against base URL" do
+      url = authorizer.get_authorization_url request: request
       expect(url).to match(
-        %r{redirect_uri=http://example.com:8080/oauth2callback})
+        %r{redirect_uri=http://example.com:8080/oauth2callback}
+      )
     end
 
-    it 'should allow overriding the current URL' do
+    it "should allow overriding the current URL" do
       url = authorizer.get_authorization_url(
-        request: request,
-        redirect_to: '/foo')
+        request:     request,
+        redirect_to: "/foo"
+      )
       expect(url).to match %r{%22current_uri%22:%22/foo%22}
     end
 
-    it 'should pass through login hint' do
+    it "should pass through login hint" do
       url = authorizer.get_authorization_url(
-        request: request,
-        login_hint: 'user@example.com')
+        request:    request,
+        login_hint: "user@example.com"
+      )
       expect(url).to match(/login_hint=user@example.com/)
     end
   end
 
-  shared_examples 'handles callback' do
-    let(:token_json) do
-      MultiJson.dump('access_token' => '1/abc123',
-                     'token_type' => 'Bearer',
-                     'expires_in' => 3600)
+  shared_examples "handles callback" do
+    let :token_json do
+      MultiJson.dump("access_token" => "1/abc123",
+                     "token_type"   => "Bearer",
+                     "expires_in"   => 3600)
     end
 
-    before(:example) do
-      stub_request(:post, 'https://www.googleapis.com/oauth2/v3/token')
-        .to_return(body: token_json,
-                   status: 200,
-                   headers: { 'Content-Type' => 'application/json' })
+    before :example do
+      stub_request(:post, "https://oauth2.googleapis.com/token")
+        .to_return(body:    token_json,
+                   status:  200,
+                   headers: { "Content-Type" => "application/json" })
     end
 
-    let(:env) do
+    let :env do
       Rack::MockRequest.env_for(
-        'http://example.com:8080/oauth2callback?code=authcode&'\
-        'state=%7B%22current_uri%22%3A%22%2Ffoo%22%2C%22'\
-        'session_id%22%3A%22abc%22%7D',
-        'REMOTE_ADDR' => '10.10.10.10')
+        "http://example.com:8080/oauth2callback?code=authcode&"\
+        "state=%7B%22current_uri%22%3A%22%2Ffoo%22%2C%22"\
+        "session_id%22%3A%22abc%22%7D",
+        "REMOTE_ADDR" => "10.10.10.10"
+      )
     end
-    let(:request) { Rack::Request.new(env) }
+    let(:request) { Rack::Request.new env }
 
-    before(:example) do
-      request.session['g-xsrf-token'] = 'abc'
+    before :example do
+      request.session["g-xsrf-token"] = "abc"
     end
 
-    it 'should return credentials when valid code present' do
+    it "should return credentials when valid code present" do
       expect(credentials).to be_instance_of(
-        Google::Auth::UserRefreshCredentials)
+        Google::Auth::UserRefreshCredentials
+      )
     end
 
-    it 'should return next URL to redirect to' do
-      expect(next_url).to eq '/foo'
+    it "should return next URL to redirect to" do
+      expect(next_url).to eq "/foo"
     end
 
-    it 'should fail if xrsf token in session and does not match request' do
-      request.session['g-xsrf-token'] = '123'
+    it "should fail if xrsf token in session and does not match request" do
+      request.session["g-xsrf-token"] = "123"
       expect { credentials }.to raise_error(Signet::AuthorizationError)
     end
   end
 
-  describe '#handle_auth_callback' do
-    let(:result) { authorizer.handle_auth_callback('user1', request) }
+  describe "#handle_auth_callback" do
+    let(:result) { authorizer.handle_auth_callback "user1", request }
     let(:credentials) { result[0] }
     let(:next_url) { result[1] }
 
-    it_behaves_like 'handles callback'
+    it_behaves_like "handles callback"
   end
 
-  describe '#handle_auth_callback_deferred and #get_credentials' do
-    let(:next_url) do
-      Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(request)
+  describe "#handle_auth_callback_deferred and #get_credentials" do
+    let :next_url do
+      Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred request
     end
 
-    let(:credentials) do
+    let :credentials do
       next_url
-      authorizer.get_credentials('user1', request)
+      authorizer.get_credentials "user1", request
     end
 
-    it_behaves_like 'handles callback'
+    it_behaves_like "handles callback"
   end
 end

data/spec/spec_helper.rb

@@ -27,17 +27,17 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-spec_dir = File.expand_path(File.dirname(__FILE__))
-root_dir = File.expand_path(File.join(spec_dir, '..'))
-lib_dir = File.expand_path(File.join(root_dir, 'lib'))
+spec_dir = __dir__
+root_dir = File.expand_path File.join(spec_dir, "..")
+lib_dir = File.expand_path File.join(root_dir, "lib")
 
-$LOAD_PATH.unshift(spec_dir)
-$LOAD_PATH.unshift(lib_dir)
+$LOAD_PATH.unshift spec_dir
+$LOAD_PATH.unshift lib_dir
 $LOAD_PATH.uniq!
 
 # set up coverage
-require 'simplecov'
-require 'coveralls'
+require "simplecov"
+require "coveralls"
 
 SimpleCov.formatters = [
   Coveralls::SimpleCov::Formatter,
@@ -45,18 +45,18 @@ SimpleCov.formatters = [
 ]
 SimpleCov.start
 
-require 'faraday'
-require 'rspec'
-require 'logging'
-require 'rspec/logging_helper'
-require 'webmock/rspec'
-require 'multi_json'
+require "faraday"
+require "rspec"
+require "logging"
+require "rspec/logging_helper"
+require "webmock/rspec"
+require "multi_json"
 
 # Preload adapter to work around Rubinius error with FakeFS
-MultiJson.use(:json_gem)
+MultiJson.use :json_gem
 
 # Allow Faraday to support test stubs
-Faraday::Adapter.load_middleware(:test)
+Faraday::Adapter.load_middleware :test
 
 # Configure RSpec to capture log messages for each test. The output from the
 # logs will be stored in the @log_output variable. It is a StringIO instance.
@@ -64,6 +64,8 @@ RSpec.configure do |config|
   include RSpec::LoggingHelper
   config.capture_log_messages
   config.include WebMock::API
+  config.filter_run focus: true
+  config.run_all_when_everything_filtered = true
 end
 
 module TestHelpers
@@ -76,15 +78,15 @@ class DummyTokenStore
     @tokens = {}
   end
 
-  def load(id)
+  def load id
     @tokens[id]
   end
 
-  def store(id, token)
+  def store id, token
     @tokens[id] = token
   end
 
-  def delete(id)
-    @tokens.delete(id)
+  def delete id
+    @tokens.delete id
   end
 end

data/test/helper.rb

@@ -0,0 +1,33 @@
+# Copyright 2020 Google LLC
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "minitest/autorun"
+require "minitest/focus"
+require "webmock/minitest"
+
+require "googleauth"

data/test/id_tokens/key_sources_test.rb

@@ -0,0 +1,240 @@
+# Copyright 2020 Google LLC
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "helper"
+
+require "openssl"
+
+describe Google::Auth::IDTokens do
+  describe "StaticKeySource" do
+    let(:key1) { Google::Auth::IDTokens::KeyInfo.new id: "1234", key: :key1, algorithm: "RS256" }
+    let(:key2) { Google::Auth::IDTokens::KeyInfo.new id: "5678", key: :key2, algorithm: "ES256" }
+    let(:keys) { [key1, key2] }
+    let(:source) { Google::Auth::IDTokens::StaticKeySource.new keys }
+
+    it "returns a static set of keys" do
+      assert_equal keys, source.current_keys
+    end
+
+    it "does not change on refresh" do
+      assert_equal keys, source.refresh_keys
+    end
+  end
+
+  describe "HttpKeySource" do
+    let(:certs_uri) { "https://example.com/my-certs" }
+    let(:certs_body) { "{}" }
+
+    it "raises an error when failing to parse json from the site" do
+      source = Google::Auth::IDTokens::HttpKeySource.new certs_uri
+      stub = stub_request(:get, certs_uri).to_return(body: "whoops")
+      error = assert_raises Google::Auth::IDTokens::KeySourceError do
+        source.refresh_keys
+      end
+      assert_equal "Unable to parse JSON", error.message
+      assert_requested stub
+    end
+
+    it "downloads data but gets no keys" do
+      source = Google::Auth::IDTokens::HttpKeySource.new certs_uri
+      stub = stub_request(:get, certs_uri).to_return(body: certs_body)
+      keys = source.refresh_keys
+      assert_empty keys
+      assert_requested stub
+    end
+  end
+
+  describe "X509CertHttpKeySource" do
+    let(:certs_uri) { "https://example.com/my-certs" }
+    let(:key1) { OpenSSL::PKey::RSA.new 2048 }
+    let(:key2) { OpenSSL::PKey::RSA.new 2048 }
+    let(:cert1) { generate_cert key1 }
+    let(:cert2) { generate_cert key2 }
+    let(:id1) { "1234" }
+    let(:id2) { "5678" }
+    let(:certs_body) { JSON.dump({ id1 => cert1.to_pem, id2 => cert2.to_pem }) }
+
+    after do
+      WebMock.reset!
+    end
+
+    def generate_cert key
+      cert = OpenSSL::X509::Certificate.new
+      cert.subject = cert.issuer = OpenSSL::X509::Name.parse "/C=BE/O=Test/OU=Test/CN=Test"
+      cert.not_before = Time.now
+      cert.not_after = Time.now + 365 * 24 * 60 * 60
+      cert.public_key = key.public_key
+      cert.serial = 0x0
+      cert.version = 2
+      cert.sign key, OpenSSL::Digest::SHA1.new
+      cert
+    end
+
+    it "raises an error when failing to reach the site" do
+      source = Google::Auth::IDTokens::X509CertHttpKeySource.new certs_uri
+      stub = stub_request(:get, certs_uri).to_return(body: "whoops", status: 404)
+      error = assert_raises Google::Auth::IDTokens::KeySourceError do
+        source.refresh_keys
+      end
+      assert_equal "Unable to retrieve data from #{certs_uri}", error.message
+      assert_requested stub
+    end
+
+    it "raises an error when failing to parse json from the site" do
+      source = Google::Auth::IDTokens::X509CertHttpKeySource.new certs_uri
+      stub = stub_request(:get, certs_uri).to_return(body: "whoops")
+      error = assert_raises Google::Auth::IDTokens::KeySourceError do
+        source.refresh_keys
+      end
+      assert_equal "Unable to parse JSON", error.message
+      assert_requested stub
+    end
+
+    it "raises an error when failing to parse x509 from the site" do
+      source = Google::Auth::IDTokens::X509CertHttpKeySource.new certs_uri
+      stub = stub_request(:get, certs_uri).to_return(body: '{"hi": "whoops"}')
+      error = assert_raises Google::Auth::IDTokens::KeySourceError do
+        source.refresh_keys
+      end
+      assert_equal "Unable to parse X509 certificates", error.message
+      assert_requested stub
+    end
+
+    it "gets the right certificates" do
+      source = Google::Auth::IDTokens::X509CertHttpKeySource.new certs_uri
+      stub = stub_request(:get, certs_uri).to_return(body: certs_body)
+      keys = source.refresh_keys
+      assert_equal id1, keys[0].id
+      assert_equal id2, keys[1].id
+      assert_equal key1.public_key.to_pem, keys[0].key.to_pem
+      assert_equal key2.public_key.to_pem, keys[1].key.to_pem
+      assert_equal "RS256", keys[0].algorithm
+      assert_equal "RS256", keys[1].algorithm
+      assert_requested stub
+    end
+  end
+
+  describe "JwkHttpKeySource" do
+    let(:jwk_uri) { "https://example.com/my-jwk" }
+    let(:id1) { "fb8ca5b7d8d9a5c6c6788071e866c6c40f3fc1f9" }
+    let(:id2) { "LYyP2g" }
+    let(:jwk1) {
+      {
+        alg: "RS256",
+        e:   "AQAB",
+        kid: id1,
+        kty: "RSA",
+        n:   "zK8PHf_6V3G5rU-viUOL1HvAYn7q--dxMoUkt7x1rSWX6fimla-lpoYAKhFTLU" \
+             "ELkRKy_6UDzfybz0P9eItqS2UxVWYpKYmKTQ08HgUBUde4GtO_B0SkSk8iLtGh" \
+             "653UBBjgXmfzdfQEz_DsaWn7BMtuAhY9hpMtJye8LQlwaS8ibQrsC0j0GZM5KX" \
+             "RITHwfx06_T1qqC_MOZRA6iJs-J2HNlgeyFuoQVBTY6pRqGXa-qaVsSG3iU-vq" \
+             "NIciFquIq-xydwxLqZNksRRer5VAsSHf0eD3g2DX-cf6paSy1aM40svO9EfSvG" \
+             "_07MuHafEE44RFvSZZ4ubEN9U7ALSjdw",
+        use: "sig"
+      }
+    }
+    let(:jwk2) {
+      {
+        alg: "ES256",
+        crv: "P-256",
+        kid: id2,
+        kty: "EC",
+        use: "sig",
+        x:   "SlXFFkJ3JxMsXyXNrqzE3ozl_0913PmNbccLLWfeQFU",
+        y:   "GLSahrZfBErmMUcHP0MGaeVnJdBwquhrhQ8eP05NfCI"
+      }
+    }
+    let(:bad_type_jwk) {
+      {
+        alg: "RS256",
+        kid: "hello",
+        kty: "blah",
+        use: "sig"
+      }
+    }
+    let(:jwk_body) { JSON.dump({ keys: [jwk1, jwk2] }) }
+    let(:bad_type_body) { JSON.dump({ keys: [bad_type_jwk] }) }
+
+    after do
+      WebMock.reset!
+    end
+
+    it "raises an error when failing to reach the site" do
+      source = Google::Auth::IDTokens::JwkHttpKeySource.new jwk_uri
+      stub = stub_request(:get, jwk_uri).to_return(body: "whoops", status: 404)
+      error = assert_raises Google::Auth::IDTokens::KeySourceError do
+        source.refresh_keys
+      end
+      assert_equal "Unable to retrieve data from #{jwk_uri}", error.message
+      assert_requested stub
+    end
+
+    it "raises an error when failing to parse json from the site" do
+      source = Google::Auth::IDTokens::JwkHttpKeySource.new jwk_uri
+      stub = stub_request(:get, jwk_uri).to_return(body: "whoops")
+      error = assert_raises Google::Auth::IDTokens::KeySourceError do
+        source.refresh_keys
+      end
+      assert_equal "Unable to parse JSON", error.message
+      assert_requested stub
+    end
+
+    it "raises an error when the json structure is malformed" do
+      source = Google::Auth::IDTokens::JwkHttpKeySource.new jwk_uri
+      stub = stub_request(:get, jwk_uri).to_return(body: '{"hi": "whoops"}')
+      error = assert_raises Google::Auth::IDTokens::KeySourceError do
+        source.refresh_keys
+      end
+      assert_equal "No keys found in jwk set", error.message
+      assert_requested stub
+    end
+
+    it "raises an error when an unrecognized key type is encountered" do
+      source = Google::Auth::IDTokens::JwkHttpKeySource.new jwk_uri
+      stub = stub_request(:get, jwk_uri).to_return(body: bad_type_body)
+      error = assert_raises Google::Auth::IDTokens::KeySourceError do
+        source.refresh_keys
+      end
+      assert_equal "Cannot use key type blah", error.message
+      assert_requested stub
+    end
+
+    it "gets the right keys" do
+      source = Google::Auth::IDTokens::JwkHttpKeySource.new jwk_uri
+      stub = stub_request(:get, jwk_uri).to_return(body: jwk_body)
+      keys = source.refresh_keys
+      assert_equal id1, keys[0].id
+      assert_equal id2, keys[1].id
+      assert_kind_of OpenSSL::PKey::RSA, keys[0].key
+      assert_kind_of OpenSSL::PKey::EC, keys[1].key
+      assert_equal "RS256", keys[0].algorithm
+      assert_equal "ES256", keys[1].algorithm
+      assert_requested stub
+    end
+  end
+end