oauth2_provider_engine 0.0.1

data/test/dummy/spec/acceptance/oauth_token_controller_spec.rb

@@ -0,0 +1,196 @@
+require File.expand_path(File.dirname(__FILE__) + '/acceptance_helper')
+
+feature "OauthTokenController" do
+  before { Oauth2Provider::Client.destroy_all }
+  before { Oauth2Provider::OauthAccess.destroy_all }
+  before { Oauth2Provider::OauthRefreshToken.destroy_all }
+
+  let(:user)          { FactoryGirl.create(:user) }
+  let(:client)        { FactoryGirl.create(:client) }
+  let(:client_read)   { FactoryGirl.create(:client_read) }
+  let(:authorization) { FactoryGirl.create(:oauth_authorization) }
+  let(:access)        { FactoryGirl.create(:oauth_access) }
+  let(:write_scope)   { "pizzas" }
+  let(:read_scope)    { "pizzas/read" }
+
+  before { @scope = FactoryGirl.create(:scope_pizzas_read) }
+  before { @scope = FactoryGirl.create(:scope_pizzas_all) }
+  before { Oauth2Provider::TokenController.any_instance.stub(:user_url).and_return( USER_URI ) }
+
+  context "Authorization token flow" do
+
+    let(:attributes) { {
+      grant_type: "authorization_code",
+      client_id: client.uri,
+      client_secret: client.secret,
+      code: authorization.code,
+      redirect_uri: client.redirect_uri
+    } }
+
+    scenario "create a token" do
+      create_token_uri(attributes)
+      response_should_have_access_token
+      response_should_have_refresh_token
+    end
+
+    context "when client is blocked" do
+      it "should not load authorization page" do
+        client.block!
+        create_token_uri(attributes)
+        page.should have_content "Client blocked"
+      end
+    end
+
+    context "when access is blocked (resource owner block a client)" do
+      it "should not load authorization page" do
+        access.block!
+        create_token_uri(attributes)
+        page.should have_content "Client blocked from the user"
+      end
+    end
+
+    context "when not valid" do
+      scenario "fails with not valid code" do
+        attributes.merge!(code: "not_existing")
+        create_token_uri(attributes)
+        page.should have_content "Authorization not found"
+      end
+
+      scenario "fails with no valid client uri" do
+        attributes.merge!(client_id: "not_existing")
+        create_token_uri(attributes)
+        page.should have_content "Client not found"
+      end
+
+      scenario "fails when authorization is expired" do
+        authorization.expire_at # hack (otherwise do not set the time)
+        Delorean.time_travel_to("in #{Oauth2Provider.settings["authorization_expires_in"]} seconds")
+        create_token_uri(attributes)
+        page.should have_content "Authorization expired"
+        page.should have_content "less than 5 seconds"
+      end
+
+    end
+  end
+
+
+  context "Password credentials flow" do
+    let(:attributes) { {
+      grant_type: "password",
+      client_id: client.uri,
+      client_secret: client.secret,
+      username: user.email,
+      password: user.password,
+      scope: write_scope
+    } }
+
+    scenario "create a token" do
+      create_token_uri(attributes)
+      response_should_have_access_token
+      response_should_have_refresh_token
+    end
+
+    context "when client is blocked" do
+      it "should not load authorization page" do
+        client.block!
+        create_token_uri(attributes)
+        page.should have_content "Client blocked"
+      end
+    end
+
+    context "when access is blocked (resource owner block a client)" do
+      it "should not load authorization page" do
+        access.block!
+        create_token_uri(attributes)
+        page.should have_content "Client blocked from the user"
+      end
+    end
+
+    context "when not valid" do
+      scenario "fails with not valid user password" do
+        attributes.merge!(password: "not_existing")
+        create_token_uri(attributes)
+        page.should have_content "User not found"
+      end
+
+      scenario "fails with no valid client uri" do
+        attributes.merge!(client_id: "not_existing")
+        create_token_uri(attributes)
+        page.should have_content "Client not found"
+      end
+
+      scenario "fails with no valid scope authorization" do
+        attributes.merge!({client_id: client_read.uri, client_secret: client_read.secret })
+        create_token_uri(attributes)
+        page.should have_content "Client not authorized"
+      end
+    end
+  end
+
+
+  context "Refresh Token" do
+    let(:token)         { FactoryGirl.create(:oauth_token) }
+    let(:refresh_token) { Oauth2Provider::OauthRefreshToken.create(access_token: token.token) }
+
+    let(:attributes) { {
+      grant_type: "refresh_token",
+      refresh_token: refresh_token.refresh_token,
+      client_id: client.uri,
+      client_secret: client.secret
+    } }
+
+    scenario "create an access token" do
+      create_token_uri(attributes)
+      response_should_have_access_token
+      response_should_have_refresh_token
+    end
+
+    context "when client is blocked" do
+      scenario "should not load authorization page" do
+        client.block!
+        create_token_uri(attributes)
+        page.should have_content "Client blocked"
+      end
+    end
+
+    context "when access is blocked (resource owner block a client)" do
+      scenario "should not load authorization page" do
+        access.block!
+        create_token_uri(attributes)
+        page.should have_content "Client blocked from the user"
+      end
+    end
+
+    context "when token is blocked (resource owner log out)" do
+      scenario "should not load authorization page" do
+        token.block!
+        create_token_uri(attributes)
+        page.should have_content "Access token blocked from the user"
+      end
+    end
+
+    context "when not valid" do
+      scenario "fails with no valid client uri" do
+        attributes.merge!(client_id: "not_existing")
+        create_token_uri(attributes)
+        page.should have_content "Client not found"
+      end
+
+      scenario "fails with no valid refresh token" do
+        attributes.merge!(refresh_token: "not_existing")
+        create_token_uri(attributes)
+        page.should have_content "Refresh token not found"
+      end
+    end
+  end
+
+  context "Authorization token flow" do
+    before { @token = FactoryGirl.create(:oauth_token) }
+
+    scenario "block a token" do
+      page.driver.delete("/oauth/token/" + @token.token)
+      #@token.reload.should be_blocked
+      #page.status_code.should == 200
+    end
+  end
+end

data/test/dummy/spec/acceptance/resource_controller_spec.rb

@@ -0,0 +1,143 @@
+require File.expand_path(File.dirname(__FILE__) + '/acceptance_helper')
+
+feature "ResourceController" do
+
+  context "with not existing access token" do
+    before { @token = FactoryGirl.create(:oauth_access) }
+    before { @token = FactoryGirl.create(:oauth_token) }
+    before { @token_value = @token.token }
+    before do
+      uri = Addressable::URI.new
+      uri.query_values = {token: @token_value}
+      @token_query = uri.query
+    end
+    before { @token.destroy }
+
+    scenario ".index" do
+      visit "/pizzas?token=" + @token_value
+      should_not_be_authorized
+    end
+
+    scenario ".show" do
+      visit "/pizzas/0?token=" + @token_value
+      should_not_be_authorized
+    end
+
+    scenario ".create" do
+      page.driver.post("/pizzas", @token_query)
+      should_not_be_authorized
+    end
+
+    scenario ".update" do
+      page.driver.put("/pizzas/0", @token_query)
+      should_not_be_authorized
+    end
+
+    scenario ".destroy" do
+      page.driver.delete("/pizzas/0", @token_query)
+      should_not_be_authorized
+    end
+  end
+
+  context "with single action accesses" do
+    before { @token_value = FactoryGirl.create(:oauth_token, scope: ["pizzas/index"]).token }
+    before do
+      uri = Addressable::URI.new
+      uri.query_values = {token: @token_value}
+      @token_query = uri.query
+    end
+
+    scenario ".index" do
+      visit "/pizzas?token=" + @token_value
+      page.should have_content "index"
+    end
+
+    scenario ".show" do
+      visit "/pizzas/0?token=" + @token_value
+      should_not_be_authorized
+    end
+  end
+
+
+  context "with read accesses on a resource" do
+    before { @token_value = FactoryGirl.create(:oauth_token_read).token }
+    before do
+      uri = Addressable::URI.new
+      uri.query_values = {token: @token_value}
+      @token_query = uri.query
+    end
+
+    scenario ".index" do
+      visit "/pizzas?token=" + @token_value
+      page.should have_content "index"
+    end
+
+    scenario ".show" do
+      visit "/pizzas/0?token=" + @token_value
+      page.should have_content "show"
+    end
+
+    scenario ".create" do
+      page.driver.post("/pizzas", @token_query)
+      should_not_be_authorized
+    end
+
+    scenario ".update" do
+      page.driver.put("/pizzas/0", @token_query)
+      should_not_be_authorized
+    end
+
+    scenario ".destroy" do
+      page.driver.delete("/pizzas/0", @token_query)
+      should_not_be_authorized
+    end
+  end
+
+
+  context "with all accesses" do
+    before { @token_value = FactoryGirl.create(:oauth_token).token }
+    before do
+      uri = Addressable::URI.new
+      uri.query_values = {token: @token_value}
+      @token_query = uri.query
+    end
+
+    scenario ".index" do
+      visit "/pizzas?token=" + @token_value
+      page.should have_content "index"
+    end
+
+    scenario ".show" do
+      visit "/pizzas/0?token=" + @token_value
+      page.should have_content "show"
+    end
+
+    scenario ".create" do
+      page.driver.post("/pizzas", @token_query)
+      page.should have_content "create"
+    end
+
+    scenario ".update" do
+      page.driver.put("/pizzas/0", @token_query)
+      page.should have_content "update"
+    end
+
+    scenario ".destroy" do
+      page.driver.delete("/pizzas/0", @token_query)
+      page.should have_content "destroy"
+    end
+
+    context "with token in the header" do
+      before { @headers = Hash["Authorization", "OAuth2 #{@token_value}"] }
+      before do
+        page.driver.browser.hacked_env.merge!(@headers)
+      end
+
+      scenario ".index" do
+        visit "/pizzas"
+        page.should have_content "index"
+      end
+    end
+  end
+
+end

data/test/dummy/spec/acceptance/scopes_controller_spec.rb

@@ -0,0 +1,227 @@
+require File.expand_path(File.dirname(__FILE__) + '/acceptance_helper')
+
+feature "ScopesController" do
+  before { host! "http://" + host }
+  before { @user  = FactoryGirl.create(:user) }
+  before { @admin = FactoryGirl.create(:admin) }
+  before { @scope = FactoryGirl.create(:scope, values: ALL_SCOPE) }
+
+
+  context ".index" do
+    before { @uri = "/oauth/scopes" }
+    before { @read_scope = FactoryGirl.create(:scope, name: "read", values: READ_SCOPE) }
+
+    context "when not logged in" do
+      scenario "is not authorized" do
+        visit @uri
+        current_url.should == host + "/log_in"
+      end
+    end
+
+    context "when logged it" do
+      context "when admin" do
+        before { login(@admin) }
+
+        scenario "view the resources" do
+          visit @uri
+          should_visualize_scope(@scope)
+          should_visualize_scope(@read_scope)
+        end
+      end
+
+      context "when not admin" do
+        before { login(@user) }
+        scenario "do not list all resources" do
+          visit @uri
+          page.should have_content "Unauthorized access"
+        end
+      end
+    end
+  end
+
+
+  context ".show" do
+    before { @uri = "/oauth/scopes/" + @scope.id.as_json }
+
+    context "when not logged in" do
+      scenario "is not authorized" do
+        visit @uri
+        current_url.should == host + "/log_in"
+      end
+    end
+
+    context "when logged in" do
+      context "when admin" do
+        before { login(@admin) }
+
+        scenario "view a resource" do
+          visit @uri
+          should_visualize_scope(@scope)
+        end
+
+        scenario "resource not found" do
+          @scope.destroy
+          visit @uri
+          page.should have_content "Resource not found"
+        end
+
+        scenario "illegal id" do
+          visit "/oauth/scopes/0"
+          page.should have_content "Resource not found"
+        end
+      end
+
+      context "when not admin" do
+        before { login(@user) }
+        scenario "do not show a resource" do
+          visit @uri
+          page.should have_content "Unauthorized access"
+        end
+      end
+    end
+  end
+
+
+  context ".create" do
+    before { @uri = "/oauth/scopes/new" }
+
+    context "when not logged in" do
+      scenario "is not authorized" do
+        visit @uri
+        current_url.should == host + "/log_in"
+      end
+    end
+
+    context "when logged in" do
+      context "when admin" do
+        before { login(@admin) }
+
+        context "when valid" do
+          before do
+            visit @uri
+            fill_scope("pizza/read", "pizza/index pizza/show")
+            click_button 'Create Scope'
+            @scope = Oauth2Provider::Scope.last
+          end
+
+          scenario "create a resource" do
+            should_visualize_scope(@scope)
+            page.should have_content "was successfully created"
+          end
+
+          scenario "assign an URI to the resource" do
+            @scope.uri.should == host + "/oauth/scopes/" + @scope.id.as_json
+          end
+        end
+
+        context "when not valid" do
+          scenario "fails" do
+            visit @uri
+            fill_scope("", "")
+            click_button 'Create Scope'
+            page.should have_content "Name can't be blank"
+            page.should have_content "Values can't be blank"
+          end
+        end
+      end
+
+      context "when not admin" do
+        before { login(@user) }
+        scenario "do not create a resource" do
+          visit @uri
+          page.should have_content "Unauthorized access"
+        end
+      end
+    end
+  end
+
+  context ".update" do
+    before { @uri = "/oauth/scopes/" + @scope.id.as_json +  "/edit" }
+
+    context "when not logged in" do
+      scenario "is not authorized" do
+        visit @uri
+        current_url.should == host + "/log_in"
+      end
+    end
+
+    context "when logged in" do
+      context "when admin" do
+        before { login(@admin) }
+
+        scenario "update a resource" do
+          visit @uri
+          fill_scope("pizza/read/toppings", "pizza/index pizza/show pizza/toppings")
+          click_button 'Update Scope'
+          page.should have_content("pizza/read/toppings")
+          page.should have_content("pizza/toppings")
+        end
+
+        scenario "resource not found" do
+          @scope.destroy
+          visit @uri
+          page.should have_content "Resource not found"
+        end
+
+        scenario "illegal id" do
+          visit "/oauth/scopes/0"
+          page.should have_content "Resource not found"
+        end
+
+        context "when not valid" do
+          scenario "fails" do
+            visit @uri
+            fill_scope("", "")
+            click_button 'Update Scope'
+            page.should have_content "Name can't be blank"
+            page.should have_content "Values can't be blank"
+          end
+        end
+
+        context "update clients'scopes" do
+
+          before do
+            Oauth2Provider::Scope.destroy_all
+            @scope = FactoryGirl.create(:scope_pizzas_all)
+            @scope_read = FactoryGirl.create(:scope_pizzas_read)
+            @client = FactoryGirl.create(:client)
+            @client_read = FactoryGirl.create(:client_read)
+          end
+
+          before do
+            visit "/oauth/scopes/" + @scope_read.id.as_json +  "/edit"
+            fill_scope("pizzas/read", "pizzas/show")
+            click_button 'Update Scope'
+          end
+
+          context "with indirect client" do
+            subject { @client.reload.scope_values }
+            it { should_not include "pizzas/index" }
+            it { should include "pizzas/show" }
+            it { should include "pizzas/create" }
+            it { should include "pizzas/update" }
+            it { should include "pizzas/destroy" }
+          end
+
+          context "with direct client" do
+            subject { @client_read.reload.scope_values }
+            it { should_not include "pizzas/index" }
+            it { @client_read.reload.scope_values.should include "pizzas/show" }
+          end
+        end
+      end
+
+      context "when not admin" do
+        before { login(@user) }
+        scenario "do not update a resource" do
+          visit @uri
+          page.should have_content "Unauthorized access"
+        end
+      end
+    end
+  end
+
+  context ".destroy" do
+  end
+
+end