oauth2_provider_engine 0.0.1

data/test/dummy/lib/tasks/watchr.rake

@@ -0,0 +1,5 @@
+desc "Run watchr"
+task :watchr do
+  sh %{bundle exec watchr .watchr.rb}
+end
+

data/test/dummy/public/404.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The page you were looking for doesn't exist (404)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/404.html -->
+  <div class="dialog">
+    <h1>The page you were looking for doesn't exist.</h1>
+    <p>You may have mistyped the address or the page may have moved.</p>
+  </div>
+</body>
+</html>

data/test/dummy/public/422.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>The change you wanted was rejected (422)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/422.html -->
+  <div class="dialog">
+    <h1>The change you wanted was rejected.</h1>
+    <p>Maybe you tried to change something you didn't have access to.</p>
+  </div>
+</body>
+</html>

data/test/dummy/public/500.html

@@ -0,0 +1,4 @@
+{
+  "message": "We are sorry, but it seems we have some problems",
+  "info": "In the case the problem persist, please send us a mail describing your problem"
+}

data/test/dummy/public/robots.txt

@@ -0,0 +1,5 @@
+# See http://www.robotstxt.org/wc/norobots.html for documentation on how to use the robots.txt file
+#
+# To ban all spiders from the entire site uncomment the next two lines:
+# User-Agent: *
+# Disallow: /

data/test/dummy/script/cucumber

@@ -0,0 +1,10 @@
+#!/usr/bin/env ruby
+
+vendored_cucumber_bin = Dir["#{File.dirname(__FILE__)}/../vendor/{gems,plugins}/cucumber*/bin/cucumber"].first
+if vendored_cucumber_bin
+  load File.expand_path(vendored_cucumber_bin)
+else
+  require 'rubygems' unless ENV['NO_RUBYGEMS']
+  require 'cucumber'
+  load Cucumber::BINARY
+end

data/test/dummy/script/rails

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
+
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require File.expand_path('../../config/boot',  __FILE__)
+require 'rails/commands'

data/test/dummy/spec/acceptance/acceptance_helper.rb

@@ -0,0 +1,5 @@
+require File.expand_path(File.dirname(__FILE__) + "/../spec_helper")
+require "steak"
+
+# Put your acceptance spec helpers inside /spec/acceptance/support
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each {|f| require f}

data/test/dummy/spec/acceptance/accesses_controller_spec.rb

@@ -0,0 +1,77 @@
+require File.expand_path(File.dirname(__FILE__) + '/acceptance_helper')
+
+feature "Oauth2Provider::AccessesController" do
+  before { host! "http://" + host }
+  before { @user   = FactoryGirl.create(:user) }
+  before { @client = FactoryGirl.create(:client) }
+  before { @token  = FactoryGirl.create(:oauth_token) }
+  before { @access = FactoryGirl.create(:oauth_access) }
+  before { Oauth2Provider::AccessesController.any_instance.stub(:user_url).with(@user).and_return( USER_URI ) }
+
+  context ".index" do
+    before { @uri = "/oauth/accesses" }
+
+    context "when not logged in" do
+      scenario "is not authorized" do
+        visit @uri
+        current_url.should == host + "/log_in"
+      end
+    end
+
+    context "when logged in" do
+      before { login(@user) }
+
+      scenario "view all resources" do
+        visit @uri
+        page.should have_content @access.client_uri
+        page.should have_content "Block!"
+      end
+
+      scenario "block a resource" do
+        visit @uri
+        page.should have_link "Block!"
+        page.click_link "Block!"
+        page.should have_link "Unblock!"
+      end
+    end
+  end
+
+
+  context ".show" do
+    before { @uri = "/oauth/accesses/" + @access.id.as_json }
+
+    context "when not logged in" do
+      scenario "is not authorized" do
+        visit @uri
+        current_url.should == host + "/log_in"
+      end
+    end
+
+    context "when logged in" do
+      before { login(@user) }
+      before { @access_not_owned = FactoryGirl.create(:oauth_access, resource_owner_uri: ANOTHER_USER_URI) }
+
+      scenario "view a resource" do
+        visit @uri
+        page.should have_content @access.client_uri
+      end
+
+      scenario "resource not found" do
+        @access.destroy
+        visit @uri
+        page.should have_content "Resource not found"
+      end
+
+      scenario "resource not owned" do
+        visit "/oauth/accesses/" + @access_not_owned.id.as_json
+        page.should have_content "Resource not found"
+      end
+
+      scenario "illegal id" do
+        visit "/oauth/accesses/0"
+        page.should have_content "Resource not found"
+      end
+    end
+  end
+
+end

data/test/dummy/spec/acceptance/clients_controller_spec.rb

@@ -0,0 +1,218 @@
+require File.expand_path(File.dirname(__FILE__) + '/acceptance_helper')
+
+feature "ClientsController" do
+  before { Oauth2Provider::Client.destroy_all }
+  before { User.destroy_all }
+  before { Oauth2Provider::Scope.destroy_all }
+  before { host! "http://" + host }
+  before { @user = FactoryGirl.create(:user) }
+  before { @user_bob   = FactoryGirl.create(:user_bob) }
+  before { @admin = FactoryGirl.create(:admin) }
+  before { @client = FactoryGirl.create(:client) }
+  before { @client_not_owned = FactoryGirl.create(:client_not_owned) }
+  before { @scope_read = FactoryGirl.create(:scope_pizzas_read) }
+  before { @scope_all = FactoryGirl.create(:scope_pizzas_all) }
+  before { Oauth2Provider::ClientsController.any_instance.stub(:user_url).with(@user).and_return( USER_URI ) }
+
+
+  context ".index" do
+    before { @uri = "/oauth/clients" }
+    before { @read_client = FactoryGirl.create(:client_read) }
+
+    context "when not logged in" do
+      scenario "is not authorized" do
+        visit @uri
+        current_url.should == host + "/log_in"
+      end
+    end
+
+    context "when logged in" do
+      context "when not admin" do
+        before { login(@user) }
+
+        scenario "view all resources" do
+          visit @uri
+          should_visualize_client(@client)
+          should_visualize_client(@read_client)
+          page.should_not have_content "Not owned client"
+          page.should_not have_content "Block!"
+        end
+      end
+
+      context "when admin" do
+        before do
+          login(@admin)
+          visit @uri
+          should_visualize_client(@client)
+          should_visualize_client(@read_client)
+        end
+
+        scenario "view all resource" do
+          page.should have_content "Not owned client"
+        end
+
+        scenario "block a resource" do
+          page.should have_link "Block!"
+          page.click_link "Block!"
+          page.should have_link "Unblock!"
+        end
+      end
+    end
+  end
+
+
+  context ".show" do
+    before { @uri = "/oauth/clients/" + @client.id.as_json }
+
+    context "when not logged in" do
+      scenario "is not authorized" do
+        visit @uri
+        current_url.should == host + "/log_in"
+      end
+    end
+
+    context "when logged in" do
+      context "when not admin" do
+        before { login(@user) }
+
+        scenario "view a resource" do
+          visit @uri
+          should_visualize_client(@client)
+        end
+
+        scenario "resource not found" do
+          @client.destroy
+          visit @uri
+          page.should have_content "Resource not found"
+        end
+
+        scenario "resource not owned" do
+          visit "/oauth/clients/" + @client_not_owned.id.as_json
+          page.should have_content "Resource not found"
+        end
+
+        scenario "illegal id" do
+          visit "/oauth/clients/0"
+          page.should have_content "Resource not found"
+        end
+      end
+
+      context "when admin" do
+        before { login(@admin) }
+        scenario "view not owned resource" do
+          visit "/oauth/clients/" + @client_not_owned.id.as_json
+          should_visualize_client @client_not_owned
+        end
+      end
+
+    end
+  end
+
+
+  context ".create" do
+    before { @uri = "/oauth/clients/new" }
+
+    context "when not logged in" do
+      scenario "is not authorized" do
+        visit @uri
+        current_url.should == host + "/log_in"
+      end
+    end
+
+    context "when logged in" do
+      before { login(@user) }
+
+      context "when valid" do
+        before do
+          visit @uri
+          fill_client()
+          click_button 'Create Client'
+          @client = Oauth2Provider::Client.last
+        end
+
+        scenario "create a resource" do
+          should_visualize_client_details(@client)
+          page.should have_content "was successfully created"
+        end
+
+        scenario "assign URI field" do
+          @client.uri.should == host + "/oauth/clients/" + @client.id.as_json
+        end
+      end
+
+      context "when not valid" do
+        scenario "fails" do
+          visit @uri
+          fill_client("")
+          click_button 'Create Client'
+          page.should have_content "Name can't be blank"
+        end
+      end
+    end
+  end
+
+
+  context ".update" do
+    before { @uri = "/oauth/clients/" + @client.id.as_json +  "/edit" }
+
+    context "when not logged in" do
+      scenario "is not authorized" do
+        visit @uri
+        current_url.should == host + "/log_in"
+      end
+    end
+
+    context "when logged in" do
+      context "when not admin" do
+        before { login(@user) }
+
+        scenario "update a resource" do
+          visit @uri
+          fill_client("Example Updated")
+          click_button 'Update Client'
+          should_visualize_client_details(@client.reload)
+          page.should have_content "Example Updated"
+          page.should have_content "was successfully updated"
+        end
+
+        scenario "resource not found" do
+          @client.destroy
+          visit @uri
+          page.should have_content "Resource not found"
+        end
+
+        scenario "resource not owned" do
+          visit "/oauth/clients/" + @client_not_owned.id.as_json + "/edit"
+          page.should have_content "Resource not found"
+        end
+
+        scenario "illegal id" do
+          visit "/oauth/clients/0"
+          page.should have_content "Resource not found"
+        end
+
+        context "when not valid" do
+          scenario "fails" do
+            visit @uri
+            fill_client("")
+            click_button 'Update Client'
+            page.should have_content "Name can't be blank"
+          end
+        end
+      end
+
+      context "when admin" do
+        before { login(@admin) }
+        scenario "view not owned resource" do
+          visit "/oauth/clients/" + @client_not_owned.id.as_json + "/edit"
+          page.should have_field("Name", with: "Not owned client")
+        end
+      end
+    end
+  end
+
+  context ".destroy" do
+  end
+
+end
+

data/test/dummy/spec/acceptance/oauth_authorize_controller_spec.rb

@@ -0,0 +1,241 @@
+require File.expand_path(File.dirname(__FILE__) + '/acceptance_helper')
+
+feature "OauthAuthorizeController" do
+  before { Oauth2Provider::Client.destroy_all }
+  before { Oauth2Provider::OauthAccess.destroy_all }
+  before { Oauth2Provider::OauthToken.destroy_all }
+
+  let(:user)        { FactoryGirl.create(:user) }
+  let(:client)      { FactoryGirl.create(:client) }
+  let(:client_read) { FactoryGirl.create(:client_read) }
+  let(:access)      { FactoryGirl.create(:oauth_access) }
+  let(:write_scope) { "pizzas" }
+  let(:read_scope)  { "pizzas/read" }
+
+  before { @scope = FactoryGirl.create(:scope_pizzas_read) }
+  before { @scope = FactoryGirl.create(:scope_pizzas_all) }
+  before { Oauth2Provider::AuthorizeController.any_instance.stub(:user_url).with(user).and_return( USER_URI ) }
+
+
+  context "Authorization code flow" do
+    before { login(user) }
+
+    context "when valid" do
+      background do
+        visit authorization_grant_page(client, write_scope)
+        page.should have_content client.name
+      end
+
+      scenario "#grant" do
+        click_button("Grant")
+        current_url.should == authorization_grant_uri(client)
+      end
+
+      scenario "#deny" do
+        click_button("Deny")
+        current_url.should == authorization_denied_uri(client)
+      end
+    end
+
+    context "when client is blocked" do
+      it "should not load authorization page" do
+        client.block!
+        visit authorization_grant_page(client, write_scope)
+        page.should have_content("Client blocked")
+      end
+    end
+
+    context "when access is blocked (resource owner block a client)" do
+      it "should not load authorization page" do
+        access.block!
+        visit authorization_grant_page(client, write_scope)
+        page.should have_content("Client blocked")
+      end
+    end
+
+    context "when send an extra state params" do
+      background do
+        visit(authorization_grant_page(client, write_scope) + "&state=extra")
+      end
+
+      scenario "#grant" do
+        click_button("Grant")
+        current_url.should == authorization_grant_uri(client) + "&state=extra"
+      end
+
+      scenario "#deny" do
+        click_button("Deny")
+        current_url.should == authorization_denied_uri(client) + "&state=extra"
+      end
+    end
+
+    context "when not valid" do
+      scenario "fails with not valid client uri" do
+        client.uri = "http://not.existing/"
+        visit authorization_grant_page(client, write_scope)
+        page.should_not have_content client.name
+        page.should have_content("Client not found")
+      end
+
+      scenario "fails with not valid scope" do
+        visit authorization_grant_page(client_read, write_scope)
+        page.should_not have_content client.name
+        page.should have_content("Client not authorized")
+      end
+    end
+
+    context "when not valid scope hacked in HTML page" do
+      background do
+        visit authorization_grant_page(client_read, read_scope)
+        page.should have_content client_read.name
+      end
+
+      scenario "fails #grant" do
+        page.find("#grant").fill_in("scope", with: "pizzas/create")
+        click_button("Grant")
+        page.should have_content("Client not authorized")
+      end
+
+      scenario "fails #deny" do
+        page.find("#deny").fill_in("scope", with: "pizzas/create")
+        click_button("Deny")
+        page.should have_content("Client not authorized")
+      end
+    end
+  end
+
+
+  context "Implicit token flow" do
+    before { use_javascript }
+    before { login(user) }
+
+    context "when valid" do
+      background do
+        visit implicit_grant_page(client, write_scope)
+        page.should have_content client.name
+      end
+
+      scenario "#grant" do
+        click_button("Grant")
+        current_url.should == implicit_grant_uri(client)
+      end
+
+      scenario "#deny" do
+        click_button("Deny")
+        current_url.should == implicit_denied_uri(client)
+      end
+    end
+
+    context "when client is blocked" do
+      it "should not load authorization page" do
+        client.block!
+        visit implicit_grant_page(client, write_scope)
+        page.should have_content("Client blocked")
+      end
+    end
+
+    context "when access is blocked (resource owner block a client)" do
+      it "should not load authorization page" do
+        access.block!
+        visit implicit_grant_page(client, write_scope)
+        page.should have_content("Client blocked")
+      end
+    end
+
+    context "when send an extra state params" do
+      background do
+        visit(implicit_grant_page(client, write_scope) + "&state=extra")
+      end
+
+      scenario "#grant" do
+        click_button("Grant")
+        current_url.should == implicit_grant_uri(client) + "&state=extra"
+      end
+
+      scenario "#deny" do
+        click_button("Deny")
+        current_url.should == implicit_denied_uri(client) + "&state=extra"
+      end
+    end
+
+    context "when not valid" do
+      scenario "fails with not valid client uri" do
+        client.uri = "http://not.existing/"
+        visit implicit_grant_page(client, write_scope)
+        page.should_not have_content client.name
+        page.should have_content("Client not found")
+      end
+
+      scenario "fails with not valid scope" do
+        visit implicit_grant_page(client_read, write_scope)
+        page.should_not have_content client_read.name
+        page.should have_content("Client not authorized")
+      end
+    end
+
+    after { use_default }
+  end
+
+
+  context "Refresh implicit token flow" do
+    before { use_javascript }
+    before { @token = FactoryGirl.create(:oauth_token) }
+    before { login(user) }
+
+    scenario "should create new token" do
+      visit implicit_grant_page(client, write_scope)
+      current_url.should == implicit_grant_uri(client)
+    end
+
+    context "when send an extra state params" do
+      scenario "it should be in the callback" do
+        visit(implicit_grant_page(client, write_scope) + "&state=extra")
+        current_url.should == implicit_grant_uri(client) + "&state=extra"
+      end
+    end
+
+    context "when client is blocked" do
+      it "should not load authorization page" do
+        client.block!
+        visit implicit_grant_page(client, write_scope)
+        page.should have_content("Client blocked")
+      end
+    end
+
+    # TODO: in reality it should not authomatically redirect
+    # and should show the authorization page (no errors)
+    # TODO: miss the scope test
+    context "when access is blocked (resource owner block a client)" do
+      it "should not load authorization page" do
+        access.block!
+        visit implicit_grant_page(client, write_scope)
+        page.should have_content("Client blocked")
+      end
+    end
+
+    context "when token is blocked (resource owner log out)" do
+      it "should not load authorization page" do
+        @token.block!
+        visit implicit_grant_page(client, write_scope)
+        page.should have_content("Access token blocked from the user")
+      end
+    end
+
+    context "when not valid" do
+      scenario "fails with not valid client uri" do
+        client.uri = "http://not.existing/"
+        visit implicit_grant_page(client, write_scope)
+        page.should_not have_content client.name
+        page.should have_content("Client not found")
+      end
+
+      scenario "fails with not valid scope" do
+        visit implicit_grant_page(client_read, write_scope)
+        page.should_not have_content client_read.name
+        page.should have_content("Client not authorized")
+      end
+    end
+
+    after { use_default }
+  end
+end