oauth-plugin 0.3.14 → 0.4.0.pre1

Sign up to get free protection for your applications and to get access to all the features.
Files changed (110) hide show
  1. data/CHANGELOG +10 -0
  2. data/README.rdoc +44 -9
  3. data/Rakefile +2 -2
  4. data/VERSION +1 -1
  5. data/generators/oauth_consumer/templates/migration.rb +1 -1
  6. data/generators/oauth_provider/oauth_provider_generator.rb +6 -0
  7. data/generators/oauth_provider/templates/access_token.rb +2 -2
  8. data/generators/oauth_provider/templates/client_application.rb +8 -6
  9. data/generators/oauth_provider/templates/client_applications.yml +6 -6
  10. data/generators/oauth_provider/templates/clients_controller_spec.rb +130 -193
  11. data/generators/oauth_provider/templates/controller.rb +12 -0
  12. data/generators/oauth_provider/templates/controller_spec.rb +762 -291
  13. data/generators/oauth_provider/templates/controller_spec_helper.rb +49 -63
  14. data/generators/oauth_provider/templates/migration.rb +6 -5
  15. data/generators/oauth_provider/templates/oauth2_authorize.html.erb +16 -0
  16. data/generators/oauth_provider/templates/oauth2_authorize.html.haml +17 -0
  17. data/generators/oauth_provider/templates/oauth2_token.rb +6 -0
  18. data/generators/oauth_provider/templates/oauth2_token_spec.rb +29 -0
  19. data/generators/oauth_provider/templates/oauth2_verifier.rb +28 -0
  20. data/generators/oauth_provider/templates/oauth2_verifier_spec.rb +54 -0
  21. data/generators/oauth_provider/templates/oauth_nonce_test.rb +1 -1
  22. data/generators/oauth_provider/templates/oauth_token.rb +3 -4
  23. data/generators/oauth_provider/templates/request_token.rb +1 -1
  24. data/lib/generators/active_record/oauth_consumer_generator.rb +33 -0
  25. data/lib/generators/active_record/oauth_consumer_templates/consumer_token.rb +5 -0
  26. data/lib/generators/active_record/oauth_consumer_templates/migration.rb +20 -0
  27. data/lib/generators/active_record/oauth_provider_generator.rb +39 -0
  28. data/lib/generators/active_record/oauth_provider_templates/access_token.rb +16 -0
  29. data/lib/generators/active_record/oauth_provider_templates/client_application.rb +57 -0
  30. data/lib/generators/active_record/oauth_provider_templates/migration.rb +47 -0
  31. data/lib/generators/active_record/oauth_provider_templates/oauth2_token.rb +5 -0
  32. data/lib/generators/active_record/oauth_provider_templates/oauth2_verifier.rb +28 -0
  33. data/lib/generators/active_record/oauth_provider_templates/oauth_nonce.rb +13 -0
  34. data/lib/generators/active_record/oauth_provider_templates/oauth_token.rb +30 -0
  35. data/lib/generators/active_record/oauth_provider_templates/request_token.rb +40 -0
  36. data/lib/generators/erb/oauth_consumer_generator.rb +14 -0
  37. data/lib/generators/erb/oauth_consumer_templates/index.html.erb +29 -0
  38. data/lib/generators/erb/oauth_consumer_templates/show.html.erb +7 -0
  39. data/lib/generators/erb/oauth_provider_generator.rb +21 -0
  40. data/lib/generators/erb/oauth_provider_templates/_form.html.erb +17 -0
  41. data/lib/generators/erb/oauth_provider_templates/authorize.html.erb +14 -0
  42. data/lib/generators/erb/oauth_provider_templates/authorize_failure.html.erb +1 -0
  43. data/lib/generators/erb/oauth_provider_templates/authorize_success.html.erb +1 -0
  44. data/lib/generators/erb/oauth_provider_templates/edit.html.erb +7 -0
  45. data/lib/generators/erb/oauth_provider_templates/index.html.erb +43 -0
  46. data/lib/generators/erb/oauth_provider_templates/new.html.erb +5 -0
  47. data/lib/generators/erb/oauth_provider_templates/oauth2_authorize.html.erb +16 -0
  48. data/lib/generators/erb/oauth_provider_templates/show.html.erb +27 -0
  49. data/lib/generators/haml/oauth_consumer_generator.rb +21 -0
  50. data/lib/generators/haml/oauth_consumer_templates/index.html.haml +18 -0
  51. data/lib/generators/haml/oauth_consumer_templates/show.html.haml +8 -0
  52. data/lib/generators/haml/oauth_provider_generator.rb +28 -0
  53. data/lib/generators/haml/oauth_provider_templates/_form.html.haml +21 -0
  54. data/lib/generators/haml/oauth_provider_templates/authorize.html.haml +16 -0
  55. data/lib/generators/haml/oauth_provider_templates/authorize_failure.html.haml +1 -0
  56. data/lib/generators/haml/oauth_provider_templates/authorize_success.html.haml +1 -0
  57. data/lib/generators/haml/oauth_provider_templates/edit.html.haml +4 -0
  58. data/lib/generators/haml/oauth_provider_templates/index.html.haml +39 -0
  59. data/lib/generators/haml/oauth_provider_templates/new.html.haml +5 -0
  60. data/lib/generators/haml/oauth_provider_templates/oauth2_authorize.html.haml +17 -0
  61. data/lib/generators/haml/oauth_provider_templates/show.html.haml +30 -0
  62. data/lib/generators/mongoid/oauth_consumer_generator.rb +15 -0
  63. data/lib/generators/mongoid/oauth_consumer_templates/consumer_token.rb +14 -0
  64. data/lib/generators/mongoid/oauth_provider_generator.rb +21 -0
  65. data/lib/generators/mongoid/oauth_provider_templates/access_token.rb +16 -0
  66. data/lib/generators/mongoid/oauth_provider_templates/client_application.rb +71 -0
  67. data/lib/generators/mongoid/oauth_provider_templates/oauth2_token.rb +5 -0
  68. data/lib/generators/mongoid/oauth_provider_templates/oauth2_verifier.rb +25 -0
  69. data/lib/generators/mongoid/oauth_provider_templates/oauth_nonce.rb +24 -0
  70. data/lib/generators/mongoid/oauth_provider_templates/oauth_token.rb +44 -0
  71. data/lib/generators/mongoid/oauth_provider_templates/request_token.rb +36 -0
  72. data/lib/generators/oauth_consumer/USAGE +8 -0
  73. data/lib/generators/oauth_consumer/oauth_consumer_generator.rb +27 -0
  74. data/lib/generators/oauth_consumer/templates/controller.rb +19 -0
  75. data/lib/generators/oauth_consumer/templates/oauth_config.rb +46 -0
  76. data/lib/generators/oauth_inflections.rb +6 -0
  77. data/lib/generators/oauth_plugin.rb +0 -0
  78. data/lib/generators/oauth_provider/USAGE +18 -0
  79. data/lib/generators/oauth_provider/oauth_provider_generator.rb +47 -0
  80. data/lib/generators/oauth_provider/templates/clients_controller.rb +52 -0
  81. data/lib/generators/oauth_provider/templates/controller.rb +23 -0
  82. data/lib/generators/rspec/oauth_provider_generator.rb +39 -0
  83. data/lib/generators/rspec/templates/client_application_spec.rb +29 -0
  84. data/lib/generators/rspec/templates/client_applications.yml +23 -0
  85. data/lib/generators/rspec/templates/clients_controller_spec.rb +176 -0
  86. data/lib/generators/rspec/templates/controller_spec.rb +838 -0
  87. data/lib/generators/rspec/templates/controller_spec_helper.rb +66 -0
  88. data/lib/generators/rspec/templates/oauth2_token_spec.rb +29 -0
  89. data/lib/generators/rspec/templates/oauth2_verifier_spec.rb +54 -0
  90. data/lib/generators/rspec/templates/oauth_nonce_spec.rb +24 -0
  91. data/lib/generators/rspec/templates/oauth_nonces.yml +13 -0
  92. data/lib/generators/rspec/templates/oauth_token_spec.rb +309 -0
  93. data/lib/generators/rspec/templates/oauth_tokens.yml +17 -0
  94. data/lib/generators/test_unit/oauth_provider_generator.rb +37 -0
  95. data/lib/generators/test_unit/templates/client_application_test.rb +42 -0
  96. data/lib/generators/test_unit/templates/client_applications.yml +23 -0
  97. data/lib/generators/test_unit/templates/clients_controller_test.rb +280 -0
  98. data/lib/generators/test_unit/templates/controller_test.rb +310 -0
  99. data/lib/generators/test_unit/templates/controller_test_helper.rb +115 -0
  100. data/lib/generators/test_unit/templates/oauth_nonce_test.rb +26 -0
  101. data/lib/generators/test_unit/templates/oauth_nonces.yml +13 -0
  102. data/lib/generators/test_unit/templates/oauth_token_test.rb +57 -0
  103. data/lib/generators/test_unit/templates/oauth_tokens.yml +17 -0
  104. data/lib/oauth/controllers/application_controller_methods.rb +169 -66
  105. data/lib/oauth/controllers/provider_controller.rb +154 -38
  106. data/lib/oauth/models/consumers/service_loader.rb +2 -0
  107. data/lib/oauth/models/consumers/token.rb +0 -1
  108. data/oauth-plugin.gemspec +97 -10
  109. data/rails/init.rb +6 -2
  110. metadata +119 -12
@@ -1,262 +1,539 @@
1
1
  require File.dirname(__FILE__) + '/../spec_helper'
2
2
  require File.dirname(__FILE__) + '/oauth_controller_spec_helper'
3
- require 'oauth/client/action_controller_request'
4
3
 
5
- describe OauthController, "getting a request token" do
4
+ describe OauthController do
5
+ if defined?(Devise)
6
+ include Devise::TestHelpers
7
+ end
6
8
  include OAuthControllerSpecHelper
7
- before(:each) do
8
- setup_oauth
9
- sign_request_with_oauth
10
- @client_application.stub!(:create_request_token).and_return(@request_token)
11
- @client_application.stub!(:token_callback_url=)
9
+ fixtures :client_applications, :oauth_tokens, :users
10
+ describe "getting a request token" do
11
+ before(:each) do
12
+ sign_request_with_oauth
13
+ ClientApplication.stub!(:find_by_key).and_return(current_client_application)
14
+ end
15
+
16
+ def do_get
17
+ get :request_token
18
+ end
19
+
20
+ it "should be successful" do
21
+ do_get
22
+ response.should be_success
23
+ end
24
+
25
+ it "should query for client_application" do
26
+ ClientApplication.should_receive(:find_by_key).with(current_client_application.key).and_return(current_client_application)
27
+ do_get
28
+ end
29
+
30
+ it "should request token from client_application" do
31
+ current_client_application.should_receive(:create_request_token).and_return(request_token)
32
+ do_get
33
+ end
34
+
35
+ it "should return token string" do
36
+ do_get
37
+ response.body.should==RequestToken.last.to_query
38
+ end
39
+
40
+ it "should not set token_callback_url" do
41
+ current_client_application.should_not_receive(:token_callback_url=)
42
+ do_get
43
+ end
12
44
  end
13
-
14
- def do_get
15
- get :request_token
16
- end
17
-
18
- it "should be successful" do
19
- do_get
20
- response.should be_success
21
- end
22
-
23
- it "should query for client_application" do
24
- ClientApplication.should_receive(:find_by_key).with('key').and_return(@client_application)
25
- do_get
26
- end
27
-
28
- it "should request token from client_application" do
29
- @client_application.should_receive(:create_request_token).and_return(@request_token)
30
- do_get
31
- end
32
-
33
- it "should return token string" do
34
- do_get
35
- response.body.should==@request_token_string
36
- end
37
-
38
- it "should not set token_callback_url" do
39
- @client_application.should_not_receive(:token_callback_url=).with(nil)
40
- do_get
41
- end
42
- end
43
45
 
44
- describe OauthController, "getting a request token passing a oauth_callback url" do
45
- include OAuthControllerSpecHelper
46
- before(:each) do
47
- setup_oauth
48
- sign_request_with_oauth nil, {:oauth_callback=>"http://test.com/alternative_callback"}
49
- @client_application.stub!(:create_request_token).and_return(@request_token)
50
- @client_application.stub!(:token_callback_url=)
51
- end
52
-
53
- def do_get
54
- get :request_token
55
- end
56
-
57
- it "should be successful" do
58
- do_get
59
- response.should be_success
60
- end
61
-
62
- it "should query for client_application" do
63
- ClientApplication.should_receive(:find_by_key).with('key').and_return(@client_application)
64
- do_get
65
- end
66
-
67
- it "should request token from client_application" do
68
- @client_application.should_receive(:create_request_token).and_return(@request_token)
69
- do_get
46
+ describe "getting a request token passing a oauth_callback url" do
47
+ before(:each) do
48
+ sign_request_with_oauth nil, {:oauth_callback=>"http://test.com/alternative_callback"}
49
+ ClientApplication.stub!(:find_by_key).and_return(current_client_application)
50
+ end
51
+
52
+ def do_get
53
+ get :request_token
54
+ end
55
+
56
+ it "should be successful" do
57
+ do_get
58
+ response.should be_success
59
+ end
60
+
61
+ it "should query for client_application" do
62
+ ClientApplication.should_receive(:find_by_key).with(current_client_application.key).and_return(current_client_application)
63
+ do_get
64
+ end
65
+
66
+ it "should request token from client_application" do
67
+ current_client_application.should_receive(:create_request_token).and_return(request_token)
68
+ do_get
69
+ end
70
+
71
+ it "should return token string" do
72
+ do_get
73
+ response.body.should==RequestToken.last.to_query
74
+ end
75
+
76
+ it "should set token_callback_url with received oauth_callback" do
77
+ current_client_application.should_receive(:token_callback_url=).with("http://test.com/alternative_callback")
78
+ do_get
79
+ end
70
80
  end
81
+
82
+ describe "10a token authorization" do
83
+ before(:each) do
84
+ login
85
+ RequestToken.stub!(:find_by_token).and_return(request_token)
86
+ end
87
+
88
+ def do_get
89
+ get :authorize, :oauth_token => request_token.token
90
+ end
91
+
92
+ it "should show authorize page" do
93
+ do_get
94
+ response.should render_template("authorize")
95
+ end
96
+
97
+ it "should authorize token" do
98
+ request_token.should_not_receive(:authorize!).with(current_user)
99
+ do_get
100
+ end
101
+
102
+ it "should redirect if token is invalidated" do
103
+ request_token.invalidate!
104
+ do_get
105
+ response.should render_template("authorize_failure")
106
+ end
71
107
 
72
- it "should return token string" do
73
- do_get
74
- response.body.should==@request_token_string
75
108
  end
109
+
110
+ describe "10a token authorization" do
111
+ before(:each) do
112
+ login
113
+ RequestToken.stub!(:find_by_token).and_return(request_token)
114
+ end
115
+
116
+ def do_post
117
+ post :authorize, :oauth_token => request_token.token, :authorize=>1
118
+ end
119
+
120
+ it "should redirect to default callback" do
121
+ do_post
122
+ response.should be_redirect
123
+ response.should redirect_to("http://application/callback?oauth_token=#{request_token.token}&oauth_verifier=#{request_token.verifier}")
124
+ end
125
+
126
+ it "should authorize token" do
127
+ request_token.should_receive(:authorize!).with(current_user)
128
+ do_post
129
+ end
130
+
131
+ it "should redirect if token is invalidated" do
132
+ request_token.invalidate!
133
+ do_post
134
+ response.should render_template("authorize_failure")
135
+ end
76
136
 
77
- it "should set token_callback_url with received oauth_callback" do
78
- @client_application.should_receive(:token_callback_url=).with("http://test.com/alternative_callback")
79
- do_get
80
137
  end
81
- end
82
138
 
139
+ describe "2.0 authorization code flow" do
140
+ before(:each) do
141
+ login
142
+ end
83
143
 
84
- describe OauthController, "token authorization" do
85
- include OAuthControllerSpecHelper
86
- before(:each) do
87
- login
88
- setup_oauth
89
- RequestToken.stub!(:find_by_token).and_return(@request_token)
144
+ describe "authorize redirect" do
145
+ before(:each) do
146
+ get :authorize, :response_type=>"code",:client_id=>current_client_application.key, :redirect_url=>"http://application/callback"
147
+ end
148
+
149
+ it "should render authorize" do
150
+ response.should render_template("oauth2_authorize")
151
+ end
152
+
153
+ it "should not create token" do
154
+ Oauth2Verifier.last.should be_nil
155
+ end
156
+ end
90
157
 
91
- end
92
-
93
- def do_get
94
- get :authorize, :oauth_token => @request_token.token
95
- end
158
+ describe "authorize" do
159
+ before(:each) do
160
+ post :authorize, :response_type=>"code",:client_id=>current_client_application.key, :redirect_url=>"http://application/callback",:authorize=>1
161
+ @verification_token = Oauth2Verifier.last
162
+ @oauth2_token_count= Oauth2Token.count
163
+ end
164
+ subject { @verification_token }
165
+
166
+ it { should_not be_nil }
167
+ it "should set user on verification token" do
168
+ @verification_token.user.should==current_user
169
+ end
170
+
171
+ it "should set redirect_url" do
172
+ @verification_token.redirect_url.should == "http://application/callback"
173
+ end
174
+
175
+ it "should redirect to default callback" do
176
+ response.should be_redirect
177
+ response.should redirect_to("http://application/callback?code=#{@verification_token.code}")
178
+ end
179
+
180
+ describe "get token" do
181
+ before(:each) do
182
+ post :token, :grant_type=>"authorization_code", :client_id=>current_client_application.key,:client_secret=>current_client_application.secret, :redirect_url=>"http://application/callback",:code=>@verification_token.code
183
+ @token = Oauth2Token.last
184
+ end
185
+
186
+ subject { @token }
187
+
188
+ it { should_not be_nil }
189
+ it { should be_authorized }
190
+ it "should have added a new token" do
191
+ Oauth2Token.count.should==@oauth2_token_count+1
192
+ end
193
+
194
+ it "should set user to current user" do
195
+ @token.user.should==current_user
196
+ end
197
+
198
+ it "should return json token" do
199
+ JSON.parse(response.body).should=={"access_token"=>@token.token}
200
+ end
201
+ end
96
202
 
97
- def do_post
98
- @request_token.should_receive(:authorize!).with(@user)
99
- post :authorize, :oauth_token => @request_token.token, :authorize => "1"
100
- end
203
+ describe "get token with wrong secret" do
204
+ before(:each) do
205
+ post :token, :grant_type=>"authorization_code", :client_id=>current_client_application.key,:client_secret=>"fake", :redirect_url=>"http://application/callback",:code=>@verification_token.code
206
+ end
207
+
208
+ it "should not create token" do
209
+ Oauth2Token.count.should==@oauth2_token_count
210
+ end
211
+
212
+ it "should return incorrect_client_credentials error" do
213
+ JSON.parse(response.body).should == {"error"=>"invalid_client"}
214
+ end
215
+ end
216
+
217
+ describe "get token with wrong code" do
218
+ before(:each) do
219
+ post :token, :grant_type=>"authorization_code", :client_id=>current_client_application.key,:client_secret=>current_client_application.secret, :redirect_url=>"http://application/callback",:code=>"fake"
220
+ end
101
221
 
102
- def do_post_without_user_authorization
103
- @request_token.should_receive(:invalidate!)
104
- post :authorize, :oauth_token => @request_token.token, :authorize => "0"
105
- end
222
+ it "should not create token" do
223
+ Oauth2Token.count.should==@oauth2_token_count
224
+ end
106
225
 
107
- def do_post_with_callback
108
- @request_token.should_receive(:authorize!).with(@user)
109
- post :authorize, :oauth_token => @request_token.token, :oauth_callback => "http://application/alternative", :authorize => "1"
110
- end
226
+ it "should return incorrect_client_credentials error" do
227
+ JSON.parse(response.body).should == {"error"=>"invalid_grant"}
228
+ end
229
+ end
111
230
 
112
- def do_post_with_no_application_callback
113
- @request_token.should_receive(:authorize!).with(@user)
114
- @client_application.stub!(:callback_url).and_return(nil)
115
- post :authorize, :oauth_token => @request_token.token, :authorize => "1"
116
- end
117
-
118
- it "should be successful" do
119
- do_get
120
- response.should be_success
121
- end
122
-
123
- it "should query for client_application" do
124
- RequestToken.should_receive(:find_by_token).and_return(@request_token)
125
- do_get
126
- end
127
-
128
- it "should assign token" do
129
- do_get
130
- assigns[:token].should equal(@request_token)
131
- end
132
-
133
- it "should render authorize template" do
134
- do_get
135
- response.should render_template('authorize')
136
- end
137
-
138
- it "should redirect to default callback" do
139
- do_post
140
- response.should be_redirect
141
- response.should redirect_to("http://application/callback?oauth_token=#{@request_token.token}&oauth_verifier=verifyme")
142
- end
231
+ describe "get token with wrong redirect_url" do
232
+ before(:each) do
233
+ post :token, :grant_type=>"authorization_code", :client_id=>current_client_application.key,:client_secret=>current_client_application.secret, :redirect_url=>"http://evil/callback",:code=>@verification_token.code
234
+ end
143
235
 
144
- it "should redirect to default callback without verifier if oauth 1.0" do
145
- @request_token.stub!(:oauth10?).and_return(true)
146
- do_post
147
- response.should be_redirect
148
- response.should redirect_to("http://application/callback?oauth_token=#{@request_token.token}")
149
- end
236
+ it "should not create token" do
237
+ Oauth2Token.count.should==@oauth2_token_count
238
+ end
150
239
 
151
- it "should redirect to callback in query if oauth 1.0" do
152
- @request_token.stub!(:oauth10?).and_return(true)
153
- do_post_with_callback
154
- response.should be_redirect
155
- response.should redirect_to("http://application/alternative?oauth_token=#{@request_token.token}")
156
- end
240
+ it "should return incorrect_client_credentials error" do
241
+ JSON.parse(response.body).should == {"error"=>"invalid_grant"}
242
+ end
243
+ end
157
244
 
158
- it "should redirect to request_token callback" do
159
- @request_token.stub!(:oob?).and_return(false)
160
- @request_token.stub!(:callback_url).and_return("http://alternative/callback")
161
- do_post
162
- response.should be_redirect
163
- response.should redirect_to("http://alternative/callback?oauth_token=#{@request_token.token}&oauth_verifier=verifyme")
164
- end
245
+ end
165
246
 
166
- it "should ignore callback in query but redirect to default" do
167
- do_post_with_callback
168
- response.should be_redirect
169
- response.should redirect_to("http://application/callback?oauth_token=#{@request_token.token}&oauth_verifier=verifyme")
170
- end
247
+ describe "deny" do
248
+ before(:each) do
249
+ post :authorize, :response_type=>"code", :client_id=>current_client_application.key, :redirect_url=>"http://application/callback",:authorize=>0
250
+ end
171
251
 
172
- it "should be successful on authorize without any application callback" do
173
- do_post_with_no_application_callback
174
- response.should be_success
175
- end
252
+ it { Oauth2Verifier.last.should be_nil }
176
253
 
177
- it "should be successful on authorize without any application callback" do
178
- do_post_with_no_application_callback
179
- response.should render_template('authorize_success')
180
- end
181
-
182
- it "should render failure screen on user invalidation" do
183
- do_post_without_user_authorization
184
- response.should render_template('authorize_failure')
185
- end
254
+ it "should redirect to default callback" do
255
+ response.should be_redirect
256
+ response.should redirect_to("http://application/callback?error=user_denied")
257
+ end
258
+ end
186
259
 
187
- it "should render failure screen if token is invalidated" do
188
- @request_token.stub!(:authorized?).and_return(false)
189
- @request_token.stub!(:invalidated?).and_return(true)
190
- do_get
191
- response.should render_template('authorize_failure')
192
260
  end
193
-
261
+
194
262
 
195
- end
263
+ describe "2.0 authorization token flow" do
264
+ before(:each) do
265
+ login
266
+ current_client_application # load up so it creates its own token
267
+ @oauth2_token_count= Oauth2Token.count
268
+ end
196
269
 
270
+ describe "authorize redirect" do
271
+ before(:each) do
272
+ get :authorize, :response_type=>"token",:client_id=>current_client_application.key, :redirect_url=>"http://application/callback"
273
+ end
197
274
 
198
- describe OauthController, "getting an access token" do
199
- include OAuthControllerSpecHelper
200
- before(:each) do
201
- setup_oauth
202
- sign_request_with_oauth @request_token
203
- @request_token.stub!(:exchange!).and_return(@access_token)
275
+ it "should render authorize" do
276
+ response.should render_template("oauth2_authorize")
277
+ end
278
+
279
+ it "should not create token" do
280
+ Oauth2Verifier.last.should be_nil
281
+ end
282
+ end
283
+
284
+ describe "authorize" do
285
+ before(:each) do
286
+ post :authorize, :response_type=>"token",:client_id=>current_client_application.key, :redirect_url=>"http://application/callback",:authorize=>1
287
+ @token = Oauth2Token.last
288
+ end
289
+ subject { @token }
290
+ it "should redirect to default callback" do
291
+ response.should be_redirect
292
+ response.should redirect_to("http://application/callback?access_token=#{@token.token}")
293
+ end
294
+
295
+ it "should not have a scope" do
296
+ @token.scope.should be_nil
297
+ end
298
+ it { should_not be_nil }
299
+ it { should be_authorized }
300
+
301
+ it "should set user to current user" do
302
+ @token.user.should==current_user
303
+ end
304
+
305
+ it "should have added a new token" do
306
+ Oauth2Token.count.should==@oauth2_token_count+1
307
+ end
308
+ end
309
+
310
+ describe "deny" do
311
+ before(:each) do
312
+ post :authorize, :response_type=>"token", :client_id=>current_client_application.key, :redirect_url=>"http://application/callback",:authorize=>0
313
+ end
314
+
315
+ it { Oauth2Verifier.last.should be_nil }
316
+
317
+ it "should redirect to default callback" do
318
+ response.should be_redirect
319
+ response.should redirect_to("http://application/callback?error=user_denied")
320
+ end
321
+ end
322
+ end
323
+
324
+ describe "oauth2 token for autonomous client_application" do
325
+ before(:each) do
326
+ current_client_application
327
+ @oauth2_token_count = Oauth2Token.count
328
+ post :token, :grant_type=>"none", :client_id=>current_client_application.key,:client_secret=>current_client_application.secret
329
+ @token = Oauth2Token.last
330
+ end
331
+
332
+ subject { @token }
333
+
334
+ it { should_not be_nil }
335
+ it { should be_authorized }
336
+ it "should set user to client_applications user" do
337
+ @token.user.should==current_client_application.user
338
+ end
339
+ it "should have added a new token" do
340
+ Oauth2Token.count.should==@oauth2_token_count+1
341
+ end
342
+
343
+ it "should return json token" do
344
+ JSON.parse(response.body).should=={"access_token"=>@token.token}
345
+ end
204
346
  end
205
347
 
206
- def do_get
207
- get :access_token
348
+ describe "oauth2 token for autonomous client_application with invalid client credentials" do
349
+ before(:each) do
350
+ current_client_application
351
+ @oauth2_token_count = Oauth2Token.count
352
+ post :token, :grant_type=>"none", :client_id=>current_client_application.key,:client_secret=>"bad"
353
+ end
354
+
355
+ subject { @token }
356
+
357
+ it "should not have added a new token" do
358
+ Oauth2Token.count.should==@oauth2_token_count
359
+ end
360
+
361
+ it "should return json token" do
362
+ JSON.parse(response.body).should=={"error"=>"invalid_client"}
363
+ end
208
364
  end
209
365
 
210
- it "should be successful" do
211
- do_get
212
- response.should be_success
213
- end
214
366
 
215
- it "should query for client_application" do
216
- ClientApplication.should_receive(:find_token).with(@request_token.token).and_return(@request_token)
217
- do_get
367
+ describe "oauth2 token for basic credentials" do
368
+ before(:each) do
369
+ current_client_application
370
+ @oauth2_token_count = Oauth2Token.count
371
+ post :token, :grant_type=>"password", :client_id=>current_client_application.key,:client_secret=>current_client_application.secret, :username=>current_user.login, :password=>"password"
372
+ @token = Oauth2Token.last
373
+ end
374
+
375
+ subject { @token }
376
+
377
+ it { should_not be_nil }
378
+ it { should be_authorized }
379
+ it "should set user to client_applications user" do
380
+ @token.user.should==current_user
381
+ end
382
+ it "should have added a new token" do
383
+ Oauth2Token.count.should==@oauth2_token_count+1
384
+ end
385
+
386
+ it "should return json token" do
387
+ JSON.parse(response.body).should=={"access_token"=>@token.token}
388
+ end
218
389
  end
219
-
220
- it "should request token from client_application" do
221
- @request_token.should_receive(:exchange!).and_return(@access_token)
222
- do_get
390
+
391
+ describe "oauth2 token for basic credentials with wrong password" do
392
+ before(:each) do
393
+ current_client_application
394
+ @oauth2_token_count = Oauth2Token.count
395
+ post :token, :grant_type=>"password", :client_id=>current_client_application.key,:client_secret=>current_client_application.secret, :username=>current_user.login, :password=>"bad"
396
+ end
397
+
398
+ it "should not have added a new token" do
399
+ Oauth2Token.count.should==@oauth2_token_count
400
+ end
401
+
402
+ it "should return json token" do
403
+ JSON.parse(response.body).should=={"error"=>"invalid_grant"}
404
+ end
223
405
  end
224
406
 
225
- it "should return token string" do
226
- do_get
227
- response.body.should == @access_token_string
407
+ describe "oauth2 token for basic credentials with unknown user" do
408
+ before(:each) do
409
+ current_client_application
410
+ @oauth2_token_count = Oauth2Token.count
411
+ post :token, :grant_type=>"password", :client_id=>current_client_application.key,:client_secret=>current_client_application.secret, :username=>"non existent", :password=>"password"
412
+ end
413
+
414
+ it "should not have added a new token" do
415
+ Oauth2Token.count.should==@oauth2_token_count
416
+ end
417
+
418
+ it "should return json token" do
419
+ JSON.parse(response.body).should=={"error"=>"invalid_grant"}
420
+ end
421
+ end
422
+
423
+ describe "getting an access token" do
424
+ before(:each) do
425
+ request_token.authorize!(current_user)
426
+ request_token.reload
427
+ sign_request_with_oauth consumer_request_token, :oauth_verifier=>request_token.verifier
428
+ end
429
+
430
+ def do_get
431
+ post :access_token
432
+ end
433
+
434
+ it "should have a verifier" do
435
+ request_token.verifier.should_not be_nil
436
+ end
437
+
438
+ it "should be authorized" do
439
+ request_token.should be_authorized
440
+ end
441
+
442
+ it "should be successful" do
443
+ do_get
444
+ response.should be_success
445
+ end
446
+
447
+ it "should request token from client_application" do
448
+ controller.stub!(:current_token).and_return(request_token)
449
+ request_token.should_receive(:exchange!).and_return(access_token)
450
+ do_get
451
+ end
452
+
453
+ it "should return token string" do
454
+ do_get
455
+ response.body.should == AccessToken.last.to_query
456
+ end
457
+
458
+ describe "access token" do
459
+ before(:each) do
460
+ do_get
461
+ access_token=AccessToken.last
462
+ end
463
+
464
+ it "should have user set" do
465
+ access_token.user.should==current_user
466
+ end
467
+
468
+ it "should be authorized" do
469
+ access_token.should be_authorized
470
+ end
471
+ end
472
+ end
473
+
474
+ describe "invalidate" do
475
+ before(:each) do
476
+ sign_request_with_oauth access_token
477
+ get :invalidate
478
+ end
479
+
480
+ it "should be a success" do
481
+ response.code.should=="410"
482
+ end
228
483
  end
484
+
229
485
  end
230
486
 
231
487
  class OauthorizedController<ApplicationController
232
- before_filter :login_or_oauth_required, :only => :both
233
- before_filter :login_required, :only => :interactive
234
- before_filter :oauth_required, :only => :token_only
488
+ before_filter :login_required, :only => :interactive
489
+ oauthenticate :only => :all
490
+ oauthenticate :strategies=>:token, :only=>:interactive_and_token
491
+ oauthenticate :strategies=>:two_legged, :only=>:interactive_and_two_legged
492
+ oauthenticate :interactive=>false, :only=>:no_interactive
493
+ oauthenticate :interactive=>false, :strategies=>:token, :only=>:token
494
+ oauthenticate :interactive=>false, :strategies=>:two_legged, :only=>:two_legged
495
+ before_filter :oauth_required, :only=>:token_legacy
496
+ before_filter :login_or_oauth_required, :only=>:both_legacy
235
497
 
236
498
  def interactive
499
+ head :ok
237
500
  end
238
501
 
239
- def token_only
502
+ def all
503
+ head :ok
240
504
  end
241
505
 
242
- def both
506
+ def token
507
+ head :ok
243
508
  end
244
- end
245
509
 
246
- describe OauthorizedController, " access control" do
247
- include OAuthControllerSpecHelper
510
+ def interactive_and_token
511
+ head :ok
512
+ end
513
+
514
+ def interactive_and_two_legged
515
+ head :ok
516
+ end
517
+
518
+ def two_legged
519
+ head :ok
520
+ end
248
521
 
249
- before(:each) do
522
+ def token_legacy
523
+ head :ok
250
524
  end
251
525
 
252
- it "should have access_token set up correctly" do
253
- setup_to_authorize_request
254
- @access_token.is_a?(AccessToken).should == true
255
- @access_token.should be_authorized
256
- @access_token.should_not be_invalidated
257
- @access_token.user.should == @user
258
- @access_token.client_application.should == @client_application
526
+ def both_legacy
527
+ head :ok
528
+ end
529
+ end
530
+
531
+ describe OauthorizedController, " access control" do
532
+ fixtures :client_applications, :oauth_tokens, :users
533
+ if defined?(Devise)
534
+ include Devise::TestHelpers
259
535
  end
536
+ include OAuthControllerSpecHelper
260
537
 
261
538
  it "should return false for oauth? by default" do
262
539
  controller.send(:oauth?).should == false
@@ -266,102 +543,296 @@ describe OauthorizedController, " access control" do
266
543
  controller.send(:current_token).should be_nil
267
544
  end
268
545
 
269
- it "should allow oauth when using login_or_oauth_required" do
270
- setup_to_authorize_request
271
- sign_request_with_oauth(@access_token)
272
- ClientApplication.should_receive(:find_token).with(@access_token.token).and_return(@access_token)
273
- get :both
274
- controller.send(:current_token).should == @access_token
275
- controller.send(:current_token).is_a?(AccessToken).should == true
276
- controller.send(:current_user).should == @user
277
- controller.send(:current_client_application).should == @client_application
278
- response.code.should == '200'
279
- response.should be_success
280
- end
546
+ describe "oauth 10a" do
281
547
 
282
- it "should allow interactive when using login_or_oauth_required" do
283
- login
284
- get :both
285
- response.should be_success
286
- controller.send(:current_user).should == @user
287
- controller.send(:current_token).should be_nil
288
- end
548
+ describe "request token signed" do
549
+ before(:each) do
550
+ sign_request_with_oauth(request_token)
551
+ end
552
+
553
+ it "should disallow oauth using RequestToken when using oauth_required" do
554
+ get :token
555
+ response.code.should == '401'
556
+ end
557
+ end
558
+
559
+ describe "access token signed" do
560
+ before(:each) do
561
+ sign_request_with_oauth(access_token)
562
+ end
563
+
564
+ [:interactive,:two_legged,:interactive_and_two_legged].each do |action|
565
+ describe "accessing #{action.to_s.humanize}" do
566
+ before(:each) do
567
+ get action
568
+ end
569
+
570
+ it "should not be a success" do
571
+ response.should_not be_success
572
+ end
573
+
574
+ it "should not set current_token" do
575
+ controller.send(:current_token).should be_nil
576
+ end
577
+
578
+ it "should not set current_client_application" do
579
+ controller.send(:current_client_application).should be_nil
580
+ end
581
+
582
+ it "should not set current_user" do
583
+ controller.send(:current_user).should be_nil
584
+ end
585
+ end
586
+ end
587
+
588
+ [:token,:interactive_and_token,:all,:token_legacy,:both_legacy].each do |action|
589
+ describe "accessing #{action.to_s.humanize}" do
590
+ before(:each) do
591
+ get action
592
+ end
593
+
594
+ it "should not be a success" do
595
+ response.should be_success
596
+ end
597
+
598
+ it "should set current_token" do
599
+ controller.send(:current_token).should == access_token
600
+ end
601
+
602
+ it "should set current_client_application" do
603
+ controller.send(:current_client_application).should == current_client_application
604
+ end
605
+
606
+ it "should set current_user" do
607
+ controller.send(:current_user).should == current_user
608
+ end
609
+ end
610
+ end
611
+ end
612
+
613
+ describe "2 legged" do
614
+ before(:each) do
615
+ two_legged_sign_request_with_oauth(current_consumer)
616
+ end
617
+
618
+ [:token,:interactive_and_token,:interactive,:token_legacy,:both_legacy].each do |action|
619
+ describe "accessing #{action.to_s.humanize}" do
620
+ before(:each) do
621
+ get action
622
+ end
623
+
624
+ it "should not be a success" do
625
+ response.should_not be_success
626
+ end
627
+
628
+ it "should not set current_token" do
629
+ controller.send(:current_token).should be_nil
630
+ end
631
+
632
+ it "should not set current_client_application" do
633
+ controller.send(:current_client_application).should be_nil
634
+ end
635
+
636
+ it "should not set current_user" do
637
+ controller.send(:current_user).should be_nil
638
+ end
639
+ end
640
+ end
641
+
642
+ [:two_legged,:interactive_and_two_legged,:all].each do |action|
643
+ describe "accessing #{action.to_s.humanize}" do
644
+ before(:each) do
645
+ get action
646
+ end
647
+
648
+ it "should not be a success" do
649
+ response.should be_success
650
+ end
651
+
652
+ it "should not set current_token" do
653
+ controller.send(:current_token).should be_nil
654
+ end
655
+
656
+ it "should set current_client_application" do
657
+ controller.send(:current_client_application).should == current_client_application
658
+ end
659
+
660
+ it "should set current_user" do
661
+ controller.send(:current_user).should == current_client_application.user
662
+ end
663
+ end
664
+ end
665
+ end
289
666
 
290
-
291
- it "should allow oauth when using oauth_required" do
292
- setup_to_authorize_request
293
- sign_request_with_oauth(@access_token)
294
- ClientApplication.should_receive(:find_token).with(@access_token.token).and_return(@access_token)
295
- get :token_only
296
- controller.send(:current_token).should == @access_token
297
- controller.send(:current_client_application).should == @client_application
298
- controller.send(:current_user).should == @user
299
- response.code.should == '200'
300
- response.should be_success
301
667
  end
302
668
 
303
- it "should disallow oauth using RequestToken when using oauth_required" do
304
- setup_to_authorize_request
305
- ClientApplication.should_receive(:find_token).with(@request_token.token).and_return(@request_token)
306
- sign_request_with_oauth(@request_token)
307
- get :token_only
308
- response.code.should == '401'
669
+ describe "oauth 2.0" do
670
+ before(:each) do
671
+ @access_token = Oauth2Token.create :user=>current_user, :client_application=>current_client_application
672
+ @client_application = @access_token.client_application
673
+ end
674
+ describe "authorize header" do
675
+ before(:each) do
676
+ add_oauth2_token_header(access_token)
677
+ end
678
+
679
+ it "should include headers" do
680
+ get :interactive_and_token
681
+ ActionController::HttpAuthentication::Basic.authorization(request).should == "OAuth #{access_token.token}"
682
+ end
683
+
684
+ [:interactive,:two_legged,:interactive_and_two_legged,:token_legacy,:both_legacy].each do |action|
685
+ describe "accessing #{action.to_s.humanize}" do
686
+ before(:each) do
687
+ get action
688
+ end
689
+
690
+ it "should not be a success" do
691
+ response.should_not be_success
692
+ end
693
+
694
+ it "should not set current_token" do
695
+ controller.send(:current_token).should be_nil
696
+ end
697
+
698
+ it "should not set current_client_application" do
699
+ controller.send(:current_client_application).should be_nil
700
+ end
701
+
702
+ it "should not set current_user" do
703
+ controller.send(:current_user).should be_nil
704
+ end
705
+ end
706
+ end
707
+
708
+ [:token,:interactive_and_token,:all].each do |action|
709
+ describe "accessing #{action.to_s.humanize}" do
710
+ before(:each) do
711
+ get action
712
+ end
713
+
714
+ it "should not be a success" do
715
+ response.should be_success
716
+ end
717
+
718
+ it "should set current_token" do
719
+ controller.send(:current_token).should == access_token
720
+ end
721
+
722
+ it "should set current_client_application" do
723
+ controller.send(:current_client_application).should == current_client_application
724
+ end
725
+
726
+ it "should set current_user" do
727
+ controller.send(:current_user).should == current_user
728
+ end
729
+ end
730
+ end
731
+ end
732
+
733
+ describe "query string" do
734
+ [:interactive,:two_legged,:interactive_and_two_legged,:token_legacy,:both_legacy].each do |action|
735
+ describe "accessing #{action.to_s.humanize}" do
736
+ before(:each) do
737
+ get action, :oauth_token=>access_token.token
738
+ end
739
+
740
+ it "should not be a success" do
741
+ response.should_not be_success
742
+ end
743
+
744
+ it "should not set current_token" do
745
+ controller.send(:current_token).should be_nil
746
+ end
747
+
748
+ it "should not set current_client_application" do
749
+ controller.send(:current_client_application).should be_nil
750
+ end
751
+
752
+ it "should not set current_user" do
753
+ controller.send(:current_user).should be_nil
754
+ end
755
+ end
756
+ end
757
+
758
+ [:token,:interactive_and_token,:all].each do |action|
759
+ describe "accessing #{action.to_s.humanize}" do
760
+ before(:each) do
761
+ get action, :oauth_token=>access_token.token
762
+ end
763
+
764
+ it "should not be a success" do
765
+ response.should be_success
766
+ end
767
+
768
+ it "should set current_token" do
769
+ controller.send(:current_token).should == access_token
770
+ end
771
+
772
+ it "should set current_client_application" do
773
+ controller.send(:current_client_application).should == current_client_application
774
+ end
775
+
776
+ it "should set current_user" do
777
+ controller.send(:current_user).should == current_user
778
+ end
779
+ end
780
+ end
781
+
782
+ end
783
+
309
784
  end
310
785
 
311
- it "should disallow interactive when using oauth_required" do
312
- login
313
- get :token_only
314
- response.code.should == '401'
786
+ describe "logged in user" do
787
+ before(:each) do
788
+ login
789
+ end
315
790
 
316
- controller.send(:current_user).should == @user
317
- controller.send(:current_token).should be_nil
318
- end
791
+
792
+ [:token,:two_legged,:token_legacy].each do |action|
793
+ describe "accessing #{action.to_s.humanize}" do
794
+ before(:each) do
795
+ get action, :oauth_token=>access_token.token
796
+ end
797
+
798
+ it "should not be a success" do
799
+ response.should_not be_success
800
+ end
801
+
802
+ it "should not set current_token" do
803
+ controller.send(:current_token).should be_nil
804
+ end
319
805
 
320
- it "should disallow oauth when using login_required" do
321
- setup_to_authorize_request
322
- sign_request_with_oauth(@access_token)
323
- get :interactive
324
- response.code.should == "302"
325
- controller.send(:current_user).should be_nil
326
- controller.send(:current_token).should be_nil
327
- end
806
+ it "should not set current_client_application" do
807
+ controller.send(:current_client_application).should be_nil
808
+ end
328
809
 
329
- it "should allow interactive when using login_required" do
330
- login
331
- get :interactive
332
- response.should be_success
333
- controller.send(:current_user).should == @user
334
- controller.send(:current_token).should be_nil
335
- end
810
+ end
811
+ end
812
+
813
+ [:interactive,:interactive_and_two_legged,:interactive_and_token,:all,:both_legacy].each do |action|
814
+ describe "accessing #{action.to_s.humanize}" do
815
+ before(:each) do
816
+ get action, :oauth_token=>access_token.token
817
+ end
818
+
819
+ it "should not be a success" do
820
+ response.should be_success
821
+ end
822
+
823
+ it "should not set current_token" do
824
+ controller.send(:current_token).should be_nil
825
+ end
336
826
 
337
- end
827
+ it "should not set current_client_application" do
828
+ controller.send(:current_client_application).should be_nil
829
+ end
338
830
 
339
- describe OauthController, "revoke" do
340
- include OAuthControllerSpecHelper
341
- before(:each) do
342
- setup_oauth_for_user
343
- @request_token.stub!(:invalidate!)
831
+ it "should set current_user" do
832
+ controller.send(:current_user).should == current_user
833
+ end
834
+ end
835
+ end
344
836
  end
345
-
346
- def do_post
347
- post :revoke, :token => "TOKEN STRING"
348
- end
349
-
350
- it "should redirect to index" do
351
- do_post
352
- response.should be_redirect
353
- response.should redirect_to('http://test.host/oauth_clients')
354
- end
355
-
356
- it "should query current_users tokens" do
357
- @tokens.should_receive(:find_by_token).and_return(@request_token)
358
- do_post
359
- end
360
-
361
- it "should call invalidate on token" do
362
- @request_token.should_receive(:invalidate!)
363
- do_post
364
- end
365
-
366
837
  end
367
838