openid-token-proxy 0.1.0

data/spec/lib/openid_token_proxy/config_spec.rb

@@ -0,0 +1,201 @@
+require 'spec_helper'
+
+RSpec.describe OpenIDTokenProxy::Config do
+  subject { described_class.new }
+  let(:with_valid_issuer) {
+    subject.issuer = 'https://login.windows.net/common'
+    subject
+  }
+
+  before do
+    stub_request(:get, "https://login.windows.net/common/.well-known/openid-configuration")
+      .to_return(body: fixture('openid-configuration.json'))
+    stub_request(:get, "https://login.windows.net/common/discovery/keys")
+      .to_return(body: fixture('keys.json'))
+    stub_request(:get, "https://example.com/.well-known/openid-configuration")
+      .to_return(status: 404)
+  end
+
+  describe '#initialize' do
+    it 'yields configuration to given block' do
+      config = described_class.new do |config|
+        config.client_id = 'from-block'
+      end
+      expect(config.client_id).to eq 'from-block'
+    end
+  end
+
+  describe '#client_id' do
+    it 'obtains its default from environment' do
+      stub_env('OPENID_CLIENT_ID', 'from env')
+      expect(subject.client_id).to eq 'from env'
+    end
+
+    it 'may be set explicitly' do
+      subject.client_id = 'overridden'
+      expect(subject.client_id).to eq 'overridden'
+    end
+  end
+
+  describe '#client_secret' do
+    it 'obtains its default from environment' do
+      stub_env('OPENID_CLIENT_SECRET', 'from env')
+      expect(subject.client_secret).to eq 'from env'
+    end
+
+    it 'may be set explicitly' do
+      subject.client_secret = 'overridden'
+      expect(subject.client_secret).to eq 'overridden'
+    end
+  end
+
+  describe '#issuer' do
+    it 'obtains its default from environment' do
+      stub_env('OPENID_ISSUER', 'from env')
+      expect(subject.issuer).to eq 'from env'
+    end
+
+    it 'may be overriden' do
+      subject.issuer = 'overridden'
+      expect(subject.issuer).to eq 'overridden'
+    end
+  end
+
+  describe '#redirect_uri' do
+    it 'obtains its default from environment' do
+      stub_env('OPENID_REDIRECT_URI', 'from env')
+      expect(subject.redirect_uri).to eq 'from env'
+    end
+
+    it 'may be set explicitly' do
+      subject.redirect_uri = 'overridden'
+      expect(subject.redirect_uri).to eq 'overridden'
+    end
+  end
+
+  describe '#resource' do
+    it 'obtains its default from environment' do
+      stub_env('OPENID_RESOURCE', 'from env')
+      expect(subject.resource).to eq 'from env'
+    end
+
+    it 'may be set explicitly' do
+      subject.resource = 'overridden'
+      expect(subject.resource).to eq 'overridden'
+    end
+  end
+
+  describe '#authorization_uri' do
+    it 'obtains its default from environment' do
+      stub_env('OPENID_AUTHORIZATION_URI', 'from env')
+      expect(subject.authorization_uri).to eq 'from env'
+    end
+
+    it 'may be set explicitly' do
+      subject.authorization_uri = 'overridden'
+      expect(subject.authorization_uri).to eq 'overridden'
+    end
+  end
+
+  describe '#provider_config' do
+    context 'when valid issuer' do
+      it 'loads provider configuration' do
+        expect do
+          with_valid_issuer.provider_config
+        end.not_to raise_error
+      end
+    end
+
+    context 'when issuer omitted' do
+      it 'raises' do
+        stub_env('OPENID_ISSUER')
+        expect do
+          subject.provider_config
+        end.to raise_error URI::InvalidURIError
+      end
+    end
+
+    context 'when invalid issuer' do
+      it 'raises' do
+        subject.issuer = 'https://example.com'
+        expect do
+          subject.provider_config
+        end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
+      end
+    end
+  end
+
+  describe '#authorization_endpoint' do
+    it 'obtains its default from environment' do
+      stub_env('OPENID_AUTHORIZATION_ENDPOINT', 'from env')
+      expect(subject.authorization_endpoint).to eq 'from env'
+    end
+
+    it 'may be set explicitly' do
+      subject.authorization_endpoint = 'overridden'
+      expect(subject.authorization_endpoint).to eq 'overridden'
+    end
+
+    context 'when not set' do
+      it 'defaults to endpoint from provider config' do
+        stub_env('OPENID_AUTHORIZATION_ENDPOINT')
+        ep = with_valid_issuer.authorization_endpoint
+        expect(ep).to eq 'https://login.windows.net/common/oauth2/authorize'
+      end
+    end
+  end
+
+  describe '#token_endpoint' do
+    it 'obtains its default from environment' do
+      stub_env('OPENID_TOKEN_ENDPOINT', 'from env')
+      expect(subject.token_endpoint).to eq 'from env'
+    end
+
+    it 'may be set explicitly' do
+      subject.token_endpoint = 'overridden'
+      expect(subject.token_endpoint).to eq 'overridden'
+    end
+
+    context 'when not set' do
+      it 'defaults to endpoint from provider config' do
+        stub_env('OPENID_TOKEN_ENDPOINT')
+        ep = with_valid_issuer.token_endpoint
+        expect(ep).to eq 'https://login.windows.net/common/oauth2/token'
+      end
+    end
+  end
+
+  describe '#userinfo_endpoint' do
+    it 'obtains its default from environment' do
+      stub_env('OPENID_USERINFO_ENDPOINT', 'from env')
+      expect(subject.userinfo_endpoint).to eq 'from env'
+    end
+
+    it 'may be set explicitly' do
+      subject.userinfo_endpoint = 'overridden'
+      expect(subject.userinfo_endpoint).to eq 'overridden'
+    end
+
+    context 'when not set' do
+      it 'defaults to endpoint from provider config' do
+        stub_env('OPENID_USERINFO_ENDPOINT')
+        ep = with_valid_issuer.userinfo_endpoint
+        expect(ep).to eq 'https://login.windows.net/common/openid/userinfo'
+      end
+    end
+  end
+
+  describe '#public_keys' do
+    it 'may be set explicitly' do
+      subject.public_keys = []
+      expect(subject.public_keys).to eq []
+    end
+
+    context 'when not set' do
+      it 'retrieves public keys from provider' do
+        keys = with_valid_issuer.public_keys
+        expect(keys.first).to be_an OpenSSL::PKey::PKey
+      end
+    end
+  end
+end

data/spec/lib/openid_token_proxy/error_spec.rb

@@ -0,0 +1,11 @@
+require 'spec_helper'
+
+RSpec.describe OpenIDTokenProxy::Error do
+  subject { described_class.new 'error message' }
+
+  describe '#to_json' do
+    it 'includes error message' do
+      expect(subject.to_json).to eq(error: 'error message')
+    end
+  end
+end

data/spec/lib/openid_token_proxy/token/authentication_spec.rb

@@ -0,0 +1,67 @@
+require 'spec_helper'
+
+RSpec.describe OpenIDTokenProxy::Token::Authentication, type: :controller do
+  let(:authorization_uri) { 'https://id.hyper.no/authorize' }
+  let(:access_token) { 'access token' }
+  let(:token) { OpenIDTokenProxy::Token.new(access_token) }
+
+  before do
+    allow(token).to receive(:validate!).and_return true
+    allow(OpenIDTokenProxy::Token).to receive(:decode!).and_return token
+  end
+
+  controller(ApplicationController) do
+    include OpenIDTokenProxy::Token::Authentication
+
+    require_valid_token
+
+    def index
+      render text: 'Authentication successful', status: :ok
+    end
+  end
+
+  context 'when token proxy errors are encountered' do
+    it 'results in 401 UNAUTHORIZED with authentication URI' do
+      expect(token).to receive(:validate!).and_raise OpenIDTokenProxy::Error
+      OpenIDTokenProxy.configure_temporarily do |config|
+        config.authorization_uri = authorization_uri
+        get :index
+      end
+      expect(response).to have_http_status :unauthorized
+      expect(response.headers['X-Authentication-URL']).to eq authorization_uri
+    end
+  end
+
+  context 'when no token proxy errors are encountered' do
+    it 'executes actions normally' do
+      get :index
+      expect(response).to have_http_status :ok
+      expect(response.body).to eq 'Authentication successful'
+    end
+  end
+
+  describe '#current_token' do
+    it 'returns current valid token' do
+      expect(controller.current_token).to eq token
+    end
+  end
+
+  describe '#raw_token' do
+    it 'may be provided as parameter' do
+      get :index, token: 'raw token'
+      expect(controller.raw_token).to eq 'raw token'
+    end
+
+    it 'may be provided through authorization header' do
+      request.headers['Authorization'] = 'Bearer raw token'
+      get :index
+      expect(controller.raw_token).to eq 'raw token'
+    end
+
+    it 'may be provided through X-Token header' do
+      request.headers['X-Token'] = 'raw token'
+      get :index
+      expect(controller.raw_token).to eq 'raw token'
+    end
+  end
+end

data/spec/lib/openid_token_proxy/token/refresh_spec.rb

@@ -0,0 +1,71 @@
+require 'spec_helper'
+
+RSpec.describe OpenIDTokenProxy::Token::Refresh, type: :controller do
+  let(:authorization_uri) { 'https://id.hyper.no/authorize' }
+  let(:refresh_token) { 'refresh token' }
+  let(:token) {
+    OpenIDTokenProxy::Token.new('expired access token', nil, refresh_token)
+  }
+  let(:refreshed_token) {
+    OpenIDTokenProxy::Token.new('new access token', nil, 'new refresh token')
+  }
+
+  before do
+    expect(token).to receive(:validate!).and_raise OpenIDTokenProxy::Token::Expired
+    expect(OpenIDTokenProxy::Token).to receive(:decode!).and_return token
+    allow(OpenIDTokenProxy.client).to receive(:retrieve_token!).with(
+      refresh_token: refresh_token
+    ).and_return refreshed_token
+  end
+
+  controller(ApplicationController) do
+    include OpenIDTokenProxy::Token::Refresh
+
+    require_valid_token
+
+    def index
+      render text: 'Refresh successful', status: :ok
+    end
+  end
+
+  context 'when token has expired' do
+    context 'when refresh token could not be exchanged' do
+      it 'results in 401 UNAUTHORIZED with authentication URI' do
+        error = OpenIDTokenProxy::Client::RefreshTokenError.new 'msg'
+        expect(OpenIDTokenProxy.client).to receive(:retrieve_token!).with(
+          refresh_token: refresh_token
+        ).and_raise error
+        OpenIDTokenProxy.configure_temporarily do |config|
+          config.authorization_uri = authorization_uri
+          get :index, refresh_token: refresh_token
+        end
+        expect(response).to have_http_status :unauthorized
+        expect(response.headers['X-Authentication-URL']).to eq authorization_uri
+        expect(response.headers).not_to include 'X-Token', 'X-Refresh-Token'
+      end
+    end
+
+    context 'when token was refreshed successfully' do
+      it 'executes actions normally returning new tokens as headers' do
+        get :index, refresh_token: refresh_token
+        expect(response).to have_http_status :ok
+        expect(response.body).to eq 'Refresh successful'
+        expect(response.headers['X-Token']).to eq 'new access token'
+        expect(response.headers['X-Refresh-Token']).to eq 'new refresh token'
+      end
+    end
+  end
+
+  describe '#raw_refresh_token' do
+    it 'may be provided as parameter' do
+      get :index, refresh_token: refresh_token
+      expect(controller.raw_refresh_token).to eq 'refresh token'
+    end
+
+    it 'may be provided through X-Refresh-Token header' do
+      request.headers['X-Refresh-Token'] = refresh_token
+      get :index
+      expect(controller.raw_refresh_token).to eq 'refresh token'
+    end
+  end
+end

data/spec/lib/openid_token_proxy/token_spec.rb

@@ -0,0 +1,138 @@
+require 'spec_helper'
+
+RSpec.describe OpenIDTokenProxy::Token do
+  subject { described_class.new 'access token', id_token }
+
+  let(:audience) { 'audience' }
+  let(:client_id) { 'client ID' }
+  let(:issuer) { 'issuer' }
+  let(:expiry_date) { 2.hours.from_now }
+
+  let(:id_token) {
+    double(
+      exp: expiry_date,
+      aud: audience,
+      iss: issuer,
+      raw_attributes: {
+        'appid' => client_id
+      }
+    )
+  }
+
+  describe '#to_s' do
+    it 'returns access token' do
+      expect(subject.to_s).to eq 'access token'
+    end
+  end
+
+  describe '#[]' do
+    it 'retrieves identity attributes' do
+      expect(subject['appid']).to eq client_id
+    end
+  end
+
+  describe '#validate!' do
+    context 'when token has expired' do
+      let(:expiry_date) { 2.hours.ago }
+
+      it 'raises' do
+        expect do
+          subject.validate!
+        end.to raise_error OpenIDTokenProxy::Token::Expired
+      end
+    end
+
+    context 'when application differs' do
+      it 'raises' do
+        expect do
+          subject.validate! client_id: 'expected client ID'
+        end.to raise_error OpenIDTokenProxy::Token::InvalidApplication
+      end
+    end
+
+    context 'when audience differs' do
+      it 'raises' do
+        expect do
+          subject.validate! audience: 'expected audience'
+        end.to raise_error OpenIDTokenProxy::Token::InvalidAudience
+      end
+    end
+
+    context 'when issuer differs' do
+      it 'raises' do
+        expect do
+          subject.validate! issuer: 'expected issuer'
+        end.to raise_error OpenIDTokenProxy::Token::InvalidIssuer
+      end
+    end
+
+    context 'when all is well' do
+      it 'returns true' do
+        assertions = {
+          audience: audience,
+          client_id: client_id,
+          issuer: issuer
+        }
+        expect(subject.validate! assertions).to be_truthy
+      end
+    end
+  end
+
+  describe '#expired?' do
+    context 'when token has expired' do
+      let(:expiry_date) { 2.hours.ago }
+      it { should be_expired }
+    end
+
+    context 'when token has not yet expired' do
+      it { should_not be_expired }
+    end
+  end
+
+  describe '::decode!' do
+    let(:keys) { [double] }
+
+    context 'when token is omitted' do
+      it 'raises' do
+        expect do
+          described_class.decode! '', keys
+        end.to raise_error OpenIDTokenProxy::Token::Required
+      end
+    end
+
+    context 'when token is malformed' do
+      it 'raises' do
+        expect do
+          described_class.decode! 'malformed token', keys
+        end.to raise_error OpenIDTokenProxy::Token::Malformed
+      end
+    end
+
+    context 'when token is well-formed' do
+      context 'with invalid signature or missing public keys' do
+        it 'raises' do
+          expect do
+            described_class.decode! 'well-formed token', []
+          end.to raise_error OpenIDTokenProxy::Token::UnverifiableSignature
+        end
+      end
+
+      context 'with valid signature' do
+        it 'returns token with an identity token' do
+          object = double(raw_attributes: {
+            iss: double,
+            sub: double,
+            aud: double,
+            exp: double,
+            iat: double
+          })
+          expect(OpenIDConnect::RequestObject).to receive(:decode).and_return object
+          token = described_class.decode! 'valid token', keys
+          expect(token).to be_an OpenIDTokenProxy::Token
+          expect(token.access_token).to eq 'valid token'
+          expect(token.id_token).to be_an OpenIDConnect::ResponseObject::IdToken
+        end
+      end
+    end
+  end
+end

data/spec/lib/openid_token_proxy_spec.rb

@@ -0,0 +1,38 @@
+require 'spec_helper'
+
+RSpec.describe OpenIDTokenProxy do
+  describe '::client' do
+    it 'returns global client' do
+      client = described_class.client
+      expect(client).to eq described_class.client
+      expect(client).to be_a OpenIDTokenProxy::Client
+    end
+  end
+
+  describe '::config' do
+    it 'returns global configuration' do
+      config = described_class.config
+      expect(config).to eq described_class.config
+      expect(config).to be_a OpenIDTokenProxy::Config
+    end
+  end
+
+  describe '::configure' do
+    it 'yields configuration' do
+      expect do |probe|
+        described_class.configure &probe
+      end.to yield_with_args OpenIDTokenProxy.config
+    end
+  end
+
+  describe '::configure_temporarily' do
+    it 'yields temporary configuration' do
+      original = OpenIDTokenProxy.config
+      described_class.configure_temporarily do |config|
+        expect(OpenIDTokenProxy.config).to eq config
+        expect(config).not_to eq original
+      end
+      expect(OpenIDTokenProxy.config).to eq original
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,88 @@
+require 'simplecov'
+require 'coveralls'
+
+SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter[
+  SimpleCov::Formatter::HTMLFormatter,
+  Coveralls::SimpleCov::Formatter
+]
+SimpleCov.start do
+  add_filter '/spec/dummy/config/initializers'
+end
+
+ENV['RAILS_ENV'] = 'test'
+require File.expand_path('../../spec/dummy/config/environment.rb',  __FILE__)
+
+require 'webmock/rspec'
+
+require 'pry'
+require 'rspec/rails'
+
+# Load support files
+Dir["#{File.dirname(__FILE__)}/support/**/*.rb"].each { |f| require f }
+
+require 'openid_token_proxy'
+
+RSpec.configure do |config|
+  config.expect_with :rspec do |expectations|
+    # This option will default to `true` in RSpec 4. It makes the `description`
+    # and `failure_message` of custom matchers include text for helper methods
+    # defined using `chain`, e.g.:
+    #     be_bigger_than(2).and_smaller_than(4).description
+    #     # => "be bigger than 2 and smaller than 4"
+    # ...rather than:
+    #     # => "be bigger than 2"
+    expectations.include_chain_clauses_in_custom_matcher_descriptions = true
+  end
+
+  config.mock_with :rspec do |mocks|
+    # Prevents you from mocking or stubbing a method that does not exist on
+    # a real object. This is generally recommended, and will default to
+    # `true` in RSpec 4.
+    mocks.verify_partial_doubles = true
+  end
+
+  # These two settings work together to allow you to limit a spec run
+  # to individual examples or groups you care about by tagging them with
+  # `:focus` metadata. When nothing is tagged with `:focus`, all examples
+  # get run.
+  config.filter_run :focus
+  config.run_all_when_everything_filtered = true
+
+  # Limits the available syntax to the non-monkey patched syntax that is
+  # recommended. For more details, see:
+  #   - http://myronmars.to/n/dev-blog/2012/06/rspecs-new-expectation-syntax
+  #   - http://teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
+  #   - http://myronmars.to/n/dev-blog/2014/05/notable-changes-in-rspec-3#new__config_option_to_disable_rspeccore_monkey_patching
+  config.disable_monkey_patching!
+
+  # This setting enables warnings. It's recommended, but in some cases may
+  # be too noisy due to issues in dependencies.
+  # config.warnings = true
+
+  # Many RSpec users commonly either run the entire suite or an individual
+  # file, and it's useful to allow more verbose output when running an
+  # individual spec file.
+  # if config.files_to_run.one?
+  #   # Use the documentation formatter for detailed output,
+  #   # unless a formatter has already been configured
+  #   # (e.g. via a command-line flag).
+  #   config.default_formatter = 'doc'
+  # end
+
+  # Print the 10 slowest examples and example groups at the
+  # end of the spec run, to help surface which specs are running
+  # particularly slow.
+  # config.profile_examples = 10
+
+  # Run specs in random order to surface order dependencies. If you find an
+  # order dependency and want to debug it, you can fix the order by providing
+  # the seed, which is printed after each run.
+  #     --seed 1234
+  config.order = :random
+
+  # Seed global randomization in this process using the `--seed` CLI option.
+  # Setting this allows you to use `--seed` to deterministically reproduce
+  # test failures related to randomization by passing the same `--seed` value
+  # as the one that triggered the failure.
+  Kernel.srand config.seed
+end

data/spec/support/env.rb

@@ -0,0 +1,4 @@
+def stub_env(name, value = nil)
+  allow(ENV).to receive(:[]).with(anything)
+  allow(ENV).to receive(:[]).with(name).and_return(value)
+end

data/spec/support/fixture.rb

@@ -0,0 +1,3 @@
+def fixture(file)
+  File.read "spec/fixtures/#{file}"
+end