oauth2-provider-jonrowe 0.1.0

data/spec/oauth2/model/client_spec.rb

@@ -0,0 +1,55 @@
+require 'spec_helper'
+
+describe OAuth2::Model::Client do
+  before do
+    @client = OAuth2::Model::Client.create(:name => 'App', :redirect_uri => 'http://example.com/cb')
+    @owner  = Factory(:owner)
+    Factory(:authorization, :client => @client, :owner => @owner)
+  end
+  
+  it "is valid" do
+    @client.should be_valid
+  end
+  
+  it "is invalid without a name" do
+    @client.name = nil
+    @client.should_not be_valid
+  end
+  
+  it "is invalid without a redirect_uri" do
+    @client.redirect_uri = nil
+    @client.should_not be_valid
+  end
+  
+  it "is invalid with a non-URI redirect_uri" do
+    @client.redirect_uri = 'foo'
+    @client.should_not be_valid
+  end
+  
+  # http://en.wikipedia.org/wiki/HTTP_response_splitting
+  it "is invalid if the URI contains HTTP line breaks" do
+    @client.redirect_uri = "http://example.com/c\r\nb"
+    @client.should_not be_valid
+  end
+  
+  it "cannot mass-assign client_id" do
+    @client.update_attributes(:client_id => 'foo')
+    @client.client_id.should_not == 'foo'
+  end
+  
+  it "cannot mass-assign client_secret" do
+    @client.update_attributes(:client_secret => 'foo')
+    @client.client_secret.should_not == 'foo'
+  end
+  
+  it "has client_id and client_secret filled in" do
+    @client.client_id.should_not be_nil
+    @client.client_secret.should_not be_nil
+  end
+  
+  it "destroys its authorizations on destroy" do
+    @client.destroy
+    OAuth2::Model::Authorization.count.should be_zero
+  end
+end
+

data/spec/oauth2/model/resource_owner_spec.rb

@@ -0,0 +1,55 @@
+require 'spec_helper'
+
+describe OAuth2::Model::ResourceOwner do
+  before do
+    @owner  = Factory(:owner)
+    @client = Factory(:client)
+  end
+  
+  describe "#grant_access!" do
+    it "creates an authorization between the owner and the client" do
+      OAuth2::Model::Authorization.should_receive(:create).with(:owner => @owner, :client => @client)
+      @owner.grant_access!(@client)
+    end
+    
+    it "returns the authorization" do
+      @owner.grant_access!(@client).should be_kind_of(OAuth2::Model::Authorization)
+    end
+  end
+  
+  describe "when there is an existing authorization" do
+    before do
+      @authorization = Factory(:authorization, :owner => @owner, :client => @client)
+    end
+    
+    it "does not create a new one" do
+      OAuth2::Model::Authorization.should_not_receive(:create)
+      @owner.grant_access!(@client)
+    end
+    
+    it "updates the authorization with scopes" do
+      @owner.grant_access!(@client, :scopes => ['foo', 'bar'])
+      @authorization.reload
+      @authorization.scopes.should == ['foo', 'bar']
+    end
+    
+    describe "with scopes" do
+      before do
+        @authorization.update_attribute(:scope, 'foo bar')
+      end
+      
+      it "merges the new scopes with the existing ones" do
+        @owner.grant_access!(@client, :scopes => ['qux'])
+        @authorization.reload
+        @authorization.scopes.should == ['foo', 'bar', 'qux']
+      end
+    end
+  end
+  
+  it "destroys its authorizations on destroy" do
+    Factory(:authorization, :owner => @owner, :client => @client)
+    @owner.destroy
+    OAuth2::Model::Authorization.count.should be_zero
+  end
+end
+

data/spec/oauth2/provider/access_token_spec.rb

@@ -0,0 +1,125 @@
+require 'spec_helper'
+
+describe OAuth2::Provider::AccessToken do
+  before do
+    @alice = TestApp::User['Alice']
+    @bob   = TestApp::User['Bob']
+    
+    Factory(:authorization,
+      :owner        => @alice,
+      :scope        => 'profile',
+      :access_token => 'sesame')
+    
+    @authorization = Factory(:authorization,
+      :owner        => @bob,
+      :scope        => 'profile',
+      :access_token => 'magic-key')
+    
+    OAuth2::Provider.realm = 'Demo App'
+  end
+  
+  let :token do
+    OAuth2::Provider::AccessToken.new(@bob, ['profile'], 'magic-key')
+  end
+  
+  shared_examples_for "valid token" do
+    it "is valid" do
+      token.should be_valid
+    end
+    it "does not add headers" do
+      token.response_headers.should == {}
+    end
+    it "has an OK status code" do
+      token.response_status.should == 200
+    end
+    it "returns the owner who granted the authorization" do
+      token.owner.should == @bob
+    end
+  end
+  
+  shared_examples_for "invalid token" do
+    it "is not valid" do
+      token.should_not be_valid
+    end
+    it "does not return the owner" do
+      token.owner.should be_nil
+    end
+  end
+  
+  describe "with the right user, scope and token" do
+    it_should_behave_like "valid token"
+  end
+  
+  describe "with no user" do
+    let :token do
+      OAuth2::Provider::AccessToken.new(nil, ['profile'], 'magic-key')
+    end
+    it_should_behave_like "valid token"
+  end
+  
+  describe "with less scope than was granted" do
+    let :token do
+      OAuth2::Provider::AccessToken.new(@bob, [], 'magic-key')
+    end
+    it_should_behave_like "valid token"
+  end
+  
+  describe "when the authorization has expired" do
+    before { @authorization.update_attribute(:expires_at, 1.hour.ago) }
+    it_should_behave_like "invalid token"
+    
+    it "returns an error response" do
+      token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App', error='expired_token'"
+      token.response_status.should == 401
+    end
+  end
+  
+  describe "with a non-existent token" do
+    let :token do
+      OAuth2::Provider::AccessToken.new(@bob, ['profile'], 'is-the-password-books')
+    end
+    it_should_behave_like "invalid token"
+    
+    it "returns an error response" do
+      token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App', error='invalid_token'"
+      token.response_status.should == 401
+    end
+  end
+  
+  describe "with a token for the wrong user" do
+    let :token do
+      OAuth2::Provider::AccessToken.new(@bob, ['profile'], 'sesame')
+    end
+    it_should_behave_like "invalid token"
+    
+    it "returns an error response" do
+      token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App', error='insufficient_scope'"
+      token.response_status.should == 403
+    end
+  end
+  
+  describe "with a token for an ungranted scope" do
+    let :token do
+      OAuth2::Provider::AccessToken.new(@bob, ['offline_access'], 'magic-key')
+    end
+    it_should_behave_like "invalid token"
+    
+    it "returns an error response" do
+      token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App', error='insufficient_scope'"
+      token.response_status.should == 403
+    end
+  end
+  
+  describe "with no token string" do
+    let :token do
+      OAuth2::Provider::AccessToken.new(@bob, ['profile'], nil)
+    end
+    it_should_behave_like "invalid token"
+    
+    it "returns an error response" do
+      token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App'"
+      token.response_status.should == 401
+    end
+  end
+end
+

data/spec/oauth2/provider/authorization_spec.rb

@@ -0,0 +1,323 @@
+require 'spec_helper'
+
+describe OAuth2::Provider::Authorization do
+  let(:resource_owner) { TestApp::User['Bob'] }
+  
+  let(:authorization) { OAuth2::Provider::Authorization.new(resource_owner, params) }
+  
+  let(:params) { { 'response_type' => 'code',
+                   'client_id'     => @client.client_id,
+                   'redirect_uri'  => @client.redirect_uri }
+               }
+  
+  before do
+    @client = Factory(:client)
+    OAuth2.stub(:random_string).and_return('s1', 's2', 's3')
+  end
+  
+  describe "with valid parameters" do
+    it "is valid" do
+      authorization.error.should be_nil
+    end
+  end
+  
+  describe "with the scope parameter" do
+    before { params['scope'] = 'foo bar qux' }
+    
+    it "exposes the scope as a list of strings" do
+      authorization.scopes.should == %w[foo bar qux]
+    end
+    
+    it "exposes the scopes the client has not yet granted" do
+      authorization.unauthorized_scopes.should == %w[foo bar qux]
+    end
+    
+    describe "when the owner has already authorized the client" do
+      before do
+        OAuth2::Model::Authorization.create(:owner => resource_owner, :client => @client, :scope => 'foo bar')
+      end
+      
+      it "exposes the scope as a list of strings" do
+        authorization.scopes.should == %w[foo bar qux]
+      end
+      
+      it "exposes the scopes the client has not yet granted" do
+        authorization.unauthorized_scopes.should == %w[qux]
+      end
+    end
+  end
+  
+  describe "missing response_type" do
+    before { params.delete('response_type') }
+    
+    it "is invalid" do
+      authorization.error.should == "invalid_request"
+      authorization.error_description.should == "Missing required parameter response_type"
+    end
+  end
+  
+  describe "with a bad response_type" do
+    before { params['response_type'] = "no_such_type" }
+    
+    it "is invalid" do
+      authorization.error.should == "unsupported_response_type"
+      authorization.error_description.should == "Response type no_such_type is not supported"
+    end
+  end
+  
+  describe "missing client_id" do
+    before { params.delete('client_id') }
+    
+    it "is invalid" do
+      authorization.error.should == "invalid_request"
+      authorization.error_description.should == "Missing required parameter client_id"
+    end
+  end
+  
+  describe "with an unknown client_id" do
+    before { params['client_id'] = "unknown" }
+    
+    it "is invalid" do
+      authorization.error.should == "invalid_client"
+      authorization.error_description.should == "Unknown client ID unknown"
+    end
+  end
+  
+  describe "missing redirect_uri" do
+    before { params.delete('redirect_uri') }
+    
+    it "is invalid" do
+      authorization.error.should == "invalid_request"
+      authorization.error_description.should == "Missing required parameter redirect_uri"
+    end
+  end
+  
+  describe "with a mismatched redirect_uri" do
+    before { params['redirect_uri'] = "http://songkick.com" }
+    
+    it "is invalid" do
+      authorization.error.should == "redirect_uri_mismatch"
+      authorization.error_description.should == "Parameter redirect_uri does not match registered URI"
+    end
+    
+    describe "when the client has not registered a redirect_uri" do
+      before { @client.update_attribute(:redirect_uri, nil) }
+      
+      it "is valid" do
+        authorization.error.should be_nil
+      end
+    end
+  end
+  
+  # http://en.wikipedia.org/wiki/HTTP_response_splitting
+  # scope and state values are passed back in the redirect
+  
+  describe "with an illegal scope" do
+    before { params['scope'] = "http\r\nsplitter" }
+    
+    it "is invalid" do
+      authorization.error.should == "invalid_request"
+      authorization.error_description.should == "Illegal value for scope parameter"
+    end
+  end
+  
+  describe "with an illegal state" do
+    before { params['state'] = "http\r\nsplitter" }
+    
+    it "is invalid" do
+      authorization.error.should == "invalid_request"
+      authorization.error_description.should == "Illegal value for state parameter"
+    end
+  end
+  
+  describe "#grant_access!" do
+    describe "when there is an existing authorization with no code" do
+      before do
+        @model = Factory(:authorization,
+          :owner  => resource_owner,
+          :client => @client,
+          :code   => nil)
+      end
+      
+      it "generates and returns a code to the client" do
+        authorization.grant_access!
+        @model.reload
+        @model.code.should == "s1"
+        authorization.code.should == "s1"
+      end
+    end
+    
+    describe "when there is an existing authorization with scopes" do
+      before do
+        @model = Factory(:authorization,
+          :owner  => resource_owner,
+          :client => @client,
+          :code   => nil,
+          :scope  => 'foo bar')
+        
+        params['scope'] = 'qux'
+      end
+      
+      it "merges the new scopes with the existing ones" do
+        authorization.grant_access!
+        @model.reload
+        @model.scopes.should == ['foo', 'bar', 'qux']
+      end
+    end
+    
+    describe "when there is an existing expired authorization" do
+      before do
+        @model = Factory(:authorization,
+          :owner      => resource_owner,
+          :client     => @client,
+          :expires_at => 2.months.ago,
+          :code       => 'existing_code',
+          :scope      => 'foo bar')
+      end
+      
+      it "renews the authorization" do
+        authorization.grant_access!
+        @model.reload
+        @model.expires_at.should be_nil
+      end
+      
+      it "returns a code to the client" do
+        authorization.grant_access!
+        authorization.code.should == "existing_code"
+        authorization.access_token.should be_nil
+      end
+      
+      it "sets the expiry time if a duration is given" do
+        authorization.grant_access!(:duration => 1.hour)
+        @model.reload
+        @model.expires_in.should == 3600
+        authorization.expires_in.should == 3600
+      end
+      
+      it "augments the scope" do
+        params['scope'] = 'qux'
+        authorization.grant_access!
+        @model.reload
+        @model.scopes.should == ['foo', 'bar', 'qux']
+      end
+    end
+    
+    describe "for code requests" do
+      before do
+        params['response_type'] = 'code'
+        params['scope'] = 'foo bar'
+      end
+      
+      it "makes the authorization redirect" do
+        authorization.grant_access!
+        authorization.client.should_not be_nil
+        authorization.should be_redirect
+      end
+      
+      it "creates a code for the authorization" do
+        authorization.grant_access!
+        authorization.code.should == "s1"
+        authorization.access_token.should be_nil
+        authorization.expires_in.should be_nil
+      end
+      
+      it "creates an Authorization in the database" do
+        authorization.grant_access!
+        
+        authorization = OAuth2::Model::Authorization.first
+        authorization.owner.should == resource_owner
+        authorization.client.should == @client
+        authorization.code.should == "s1"
+        authorization.scopes.should == %w[foo bar]
+      end
+    end
+    
+    describe "for token requests" do
+      before { params['response_type'] = 'token' }
+      
+      it "creates a token for the authorization" do
+        authorization.grant_access!
+        authorization.code.should be_nil
+        authorization.access_token.should == "s1"
+        authorization.refresh_token.should == "s2"
+        authorization.expires_in.should be_nil
+      end
+      
+      it "creates an Authorization in the database" do
+        authorization.grant_access!
+        
+        authorization = OAuth2::Model::Authorization.first
+        authorization.owner.should == resource_owner
+        authorization.client.should == @client
+        authorization.code.should be_nil
+        authorization.access_token_hash.should == OAuth2.hashify("s1")
+        authorization.refresh_token_hash.should == OAuth2.hashify("s2")
+      end
+    end
+    
+    describe "for code_and_token requests" do
+      before { params['response_type'] = 'code_and_token' }
+      
+      it "creates a code and token for the authorization" do
+        authorization.grant_access!
+        authorization.code.should == "s1"
+        authorization.access_token.should == "s2"
+        authorization.refresh_token.should == "s3"
+        authorization.expires_in.should be_nil
+      end
+      
+      it "creates an Authorization in the database" do
+        authorization.grant_access!
+        
+        authorization = OAuth2::Model::Authorization.first
+        authorization.owner.should == resource_owner
+        authorization.client.should == @client
+        authorization.code.should == "s1"
+        authorization.access_token_hash.should == OAuth2.hashify("s2")
+        authorization.refresh_token_hash.should == OAuth2.hashify("s3")
+      end
+    end
+  end
+  
+  describe "#deny_access!" do
+    it "puts the authorization in an error state" do
+      authorization.deny_access!
+      authorization.error.should == "access_denied"
+      authorization.error_description.should == "The user denied you access"
+    end
+    
+    it "does not create an Authorization" do
+      OAuth2::Model::Authorization.should_not_receive(:create)
+      OAuth2::Model::Authorization.should_not_receive(:new)
+      authorization.deny_access!
+    end
+  end
+  
+  describe "#params" do
+    before do
+      params['scope'] = params['state'] = 'valid'
+      params['controller'] = 'invalid'
+    end
+    
+    it "only exposes OAuth-related parameters" do
+      authorization.params.should == {
+        'response_type' => 'code',
+        'client_id'     => @client.client_id,
+        'redirect_uri'  => @client.redirect_uri,
+        'state'         => 'valid',
+        'scope'         => 'valid'
+      }
+    end
+    
+    it "does not expose parameters with no value" do
+      params.delete('scope')
+      authorization.params.should == {
+        'response_type' => 'code',
+        'client_id'     => @client.client_id,
+        'redirect_uri'  => @client.redirect_uri,
+        'state'         => 'valid'
+      }
+    end
+  end
+end
+