openid_connect 0.0.31 → 0.0.32

data/spec/mock_response/id_token.json

@@ -1,7 +1,7 @@
 {
-  "iss": "http://server.example.com",
+  "iss": "https://server.example.com",
   "aud": "client_id",
-  "issued_to": "http://client.example.com",
-  "user_id": "user_328723",
+  "issued_to": "https://client.example.com",
+  "user_id": "user_id",
   "exp": 1303852880
 }

data/spec/openid_connect/access_token_spec.rb

@@ -48,45 +48,65 @@ describe OpenIDConnect::AccessToken do
     end
   end
 
-  describe '#user_info!' do
-    it 'should return OpenIDConnect::ResponseObject::UserInfo::OpenID' do
-      mock_json :get, client.user_info_uri, 'user_info/openid', :HTTP_AUTHORIZATION => 'Bearer access_token' do
-        access_token.user_info!.should be_a OpenIDConnect::ResponseObject::UserInfo::OpenID
+  shared_examples_for :access_token_error_handling do
+    context 'when bad_request' do
+      it 'should raise OpenIDConnect::Forbidden' do
+        mock_json :get, endpoint, 'errors/invalid_request', :HTTP_AUTHORIZATION => 'Bearer access_token', :status => 400 do
+          expect { request }.should raise_error OpenIDConnect::BadRequest
+        end
       end
     end
 
-    describe 'error handling' do
-      context 'when bad_request' do
-        it 'should raise OpenIDConnect::Forbidden' do
-          mock_json :get, client.user_info_uri, 'errors/invalid_request', :HTTP_AUTHORIZATION => 'Bearer access_token', :status => 400 do
-            expect { access_token.user_info! }.should raise_error OpenIDConnect::BadRequest
-          end
+    context 'when unauthorized' do
+      it 'should raise OpenIDConnect::Unauthorized' do
+        mock_json :get, endpoint, 'errors/invalid_access_token', :HTTP_AUTHORIZATION => 'Bearer access_token', :status => 401 do
+          expect { request }.should raise_error OpenIDConnect::Unauthorized
         end
       end
+    end
 
-      context 'when unauthorized' do
-        it 'should raise OpenIDConnect::Unauthorized' do
-          mock_json :get, client.user_info_uri, 'errors/invalid_access_token', :HTTP_AUTHORIZATION => 'Bearer access_token', :status => 401 do
-            expect { access_token.user_info! }.should raise_error OpenIDConnect::Unauthorized
-          end
+    context 'when forbidden' do
+      it 'should raise OpenIDConnect::Forbidden' do
+        mock_json :get, endpoint, 'errors/insufficient_scope', :HTTP_AUTHORIZATION => 'Bearer access_token', :status => 403 do
+          expect { request }.should raise_error OpenIDConnect::Forbidden
         end
       end
+    end
 
-      context 'when forbidden' do
-        it 'should raise OpenIDConnect::Forbidden' do
-          mock_json :get, client.user_info_uri, 'errors/insufficient_scope', :HTTP_AUTHORIZATION => 'Bearer access_token', :status => 403 do
-            expect { access_token.user_info! }.should raise_error OpenIDConnect::Forbidden
-          end
+    context 'when unknown' do
+      it 'should raise OpenIDConnect::HttpError' do
+        mock_json :get, endpoint, 'errors/unknown', :HTTP_AUTHORIZATION => 'Bearer access_token', :status => 500 do
+          expect { request }.should raise_error OpenIDConnect::HttpError
         end
       end
+    end
+  end
 
-      context 'when unknown' do
-        it 'should raise OpenIDConnect::HttpError' do
-          mock_json :get, client.user_info_uri, 'errors/unknown', :HTTP_AUTHORIZATION => 'Bearer access_token', :status => 500 do
-            expect { access_token.user_info! }.should raise_error OpenIDConnect::HttpError
-          end
-        end
+  describe '#user_info!' do
+    it 'should return OpenIDConnect::ResponseObject::UserInfo::OpenID' do
+      mock_json :get, client.user_info_uri, 'user_info/openid', :HTTP_AUTHORIZATION => 'Bearer access_token' do
+        access_token.user_info!.should be_a OpenIDConnect::ResponseObject::UserInfo::OpenID
       end
     end
+
+    describe 'error handling' do
+      let(:endpoint) { client.user_info_uri }
+      let(:request) { access_token.user_info! }
+      it_behaves_like :access_token_error_handling
+    end
+  end
+
+  describe '#id_token!' do
+    it 'should return OpenIDConnect::ResponseObject::UserInfo::OpenID' do
+      mock_json :get, client.check_id_uri, 'id_token', :HTTP_AUTHORIZATION => 'Bearer access_token' do
+        access_token.id_token!.should be_a OpenIDConnect::ResponseObject::IdToken
+      end
+    end
+
+    describe 'error handling' do
+      let(:endpoint) { client.check_id_uri }
+      let(:request) { access_token.id_token! }
+      it_behaves_like :access_token_error_handling
+    end
   end
 end

data/spec/openid_connect/client/registrar_spec.rb

@@ -0,0 +1,115 @@
+require 'spec_helper'
+
+describe OpenIDConnect::Client::Registrar do
+  subject { instance }
+  let(:instance) { OpenIDConnect::Client::Registrar.new(endpoint, attributes) }
+  let(:endpoint) { 'https://server.example.com/clients' }
+
+  context 'when endpoint given' do
+    context 'when attributes given' do
+      context 'when type=client_associate' do
+        let(:attributes) do
+          {
+            :type => :client_associate
+          }
+        end
+        it { should be_valid }
+      end
+
+      context 'when type=client_update' do
+        context 'when client_id given' do
+          let(:attributes) do
+            {
+              :type => :client_update,
+              :client_id => 'client.example.com'
+            }
+          end
+          it { should be_valid }
+        end
+
+        context 'otherwise' do
+          let(:attributes) do
+            {
+              :type => :client_update
+            }
+          end
+          it { should_not be_valid }
+        end
+      end
+
+      context 'otherwise' do
+        let(:attributes) do
+          {
+            :type => :invalid_type
+          }
+        end
+        it { should_not be_valid }
+      end
+    end
+
+    context 'otherwise' do
+      let(:instance) { OpenIDConnect::Client::Registrar.new(endpoint) }
+      it do
+        expect do
+          instance
+        end.should_not raise_error
+      end
+      it { should_not be_valid }
+    end
+  end
+
+  context 'otherwise' do
+    let(:instance) { OpenIDConnect::Client::Registrar.new(endpoint) }
+    let(:endpoint) { '' }
+
+    it do
+      expect do
+        instance
+      end.should raise_error AttrRequired::AttrMissing
+    end
+  end
+
+  describe '#sector_identifier' do
+    it :TODO
+  end
+
+  describe '#as_json' do
+    it :TODO
+  end
+
+  describe '#associate!' do
+    it :TODO
+  end
+
+  describe '#update!' do
+    it :TODO
+  end
+
+  describe '#validate!' do
+    context 'when valid' do
+      let(:attributes) do
+        {
+          :type => :client_associate
+        }
+      end
+      it do
+        expect do
+          instance.validate!
+        end.should_not raise_error OpenIDConnect::ValidationFailed
+      end
+    end
+
+    context 'otherwise' do
+      let(:attributes) do
+        {
+          :type => :client_update
+        }
+      end
+      it do
+        expect do
+          instance.validate!
+        end.should raise_error OpenIDConnect::ValidationFailed
+      end
+    end
+  end
+end

data/spec/openid_connect/discovery/provider/config/response_spec.rb

@@ -0,0 +1,46 @@
+require 'spec_helper'
+
+describe OpenIDConnect::Discovery::Provider::Config::Response do
+  let :instance do
+    OpenIDConnect::Discovery::Provider::Config::Response.new attributes
+  end
+  let :attributes do
+    {}
+  end
+
+  describe '#as_json' do
+    subject {
+      instance.as_json
+    }
+
+    context 'when no attributes given' do
+      it do
+        should == {:version => '3.0'}
+      end
+    end
+
+    context 'when user_info_endpoint given' do
+      let :attributes do
+        {:user_info_endpoint => 'https://server.example.com/user_info'}
+      end
+      it do
+        should include :userinfo_endpoint
+      end
+      it do
+        should_not include :user_info_endpoint
+      end
+    end
+
+    context 'when user_info_algs_supported given' do
+      let :attributes do
+        {:user_info_algs_supported => [:HS256, :RS256]}
+      end
+      it do
+        should include :userinfo_algs_supported
+      end
+      it do
+        should_not include :user_info_algs_supported
+      end
+    end
+  end
+end

data/spec/openid_connect/discovery/provider/config_spec.rb

@@ -17,13 +17,13 @@ describe OpenIDConnect::Discovery::Provider::Config do
         config.check_id_endpoint.should == 'https://connect-op.heroku.com/id_token'
         config.refresh_session_endpoint.should be_nil
         config.end_session_endpoint.should be_nil
-        config.jwk_document.should be_nil
+        config.jwk_url.should be_nil
         config.x509_url.should == 'https://connect-op.heroku.com/cert.pem'
         config.registration_endpoint.should == 'https://connect-op.heroku.com/connect/client'
-        config.scopes_supported.should == ["openid", "profile", "email", "address", "PPID"]
-        config.flows_supported.should == ["code", "token", "id_token", "code token", "code id_token", "id_token token"]
-        config.iso29115_supported.should be_nil
-        config.identifiers_supported.should == ["public", "ppid"]
+        config.scopes_supported.should == ["openid", "profile", "email", "address"]
+        config.response_types_supported.should == ["code", "token", "id_token", "code token", "code id_token", "id_token token"]
+        config.acrs_supported.should be_nil
+        config.user_id_types_supported.should == ["public", "pairwise"]
       end
     end
   end

data/spec/openid_connect/response_object/id_token_spec.rb

@@ -54,13 +54,38 @@ describe OpenIDConnect::ResponseObject::IdToken do
     end
   end
 
-  describe '.from_jwt' do
-    subject { klass.from_jwt id_token.to_jwt(private_key), public_key }
-    let(:attributes) { required_attributes }
-    it { should be_a klass }
-    [:iss, :user_id, :aud].each do |key|
-      its(key) { should == attributes[key] }
+  describe '.decode' do
+    context 'when key is given' do
+      subject { klass.decode id_token.to_jwt(private_key), public_key }
+      let(:attributes) { required_attributes }
+      it { should be_a klass }
+      [:iss, :user_id, :aud].each do |key|
+        its(key) { should == attributes[key] }
+      end
+      its(:exp) { should == attributes[:exp].to_i }
+    end
+
+    context 'when client is given' do
+      let :client do
+        OpenIDConnect::Client.new(
+          :identifier => 'client_id',
+          :secret => 'client_secret',
+          :host => 'server.example.com'
+        )
+      end
+      subject do
+        mock_json :get, client.check_id_uri, 'id_token', :HTTP_AUTHORIZATION => 'Bearer access_token' do
+          @subject = klass.decode id_token.to_jwt(private_key), client
+        end
+        @subject
+      end
+      let(:attributes) { required_attributes }
+      let(:ext) { 1303852880 }
+      it { should be_a klass }
+      [:iss, :user_id, :aud].each do |key|
+        its(key) { should == attributes[key] }
+      end
+      its(:exp) { should == attributes[:exp].to_i }
     end
-    its(:exp) { should == attributes[:exp].to_i }
   end
 end

data/spec/openid_connect/response_object/user_info/open_id_spec.rb

@@ -36,6 +36,14 @@ describe OpenIDConnect::ResponseObject::UserInfo::OpenID do
       its(:errors) { should include :base }
     end
 
+    context 'when email is invalid' do
+      let :attributes do
+        {:email => 'nov@localhost'}
+      end
+      its(:valid?) { should be_false }
+      its(:errors) { should include :email }
+    end
+
     [:verified, :gender, :zoneinfo].each do |one_of_list|
       context "when #{one_of_list} is invalid" do
         let :attributes do

data/spec/openid_connect/response_object_spec.rb

@@ -58,8 +58,8 @@ describe OpenIDConnect::ResponseObject do
         {:required => 'Out of List and Too Long'}
       end
 
-      it 'should raise OpenIDConnect::ResponseObject::ValidationFailed with ActiveModel::Errors' do
-        expect { instance.as_json }.should raise_error(OpenIDConnect::ResponseObject::ValidationFailed) { |e|
+      it 'should raise OpenIDConnect::ValidationFailed with ActiveModel::Errors' do
+        expect { instance.as_json }.should raise_error(OpenIDConnect::ValidationFailed) { |e|
           e.message.should include 'Required is not included in the list'
           e.message.should include 'Required is too long (maximum is 10 characters)'
           e.errors.should be_a ActiveModel::Errors
@@ -79,8 +79,8 @@ describe OpenIDConnect::ResponseObject do
         {:required => 'Out of List and Too Long'}
       end
 
-      it 'should raise OpenIDConnect::ResponseObject::ValidationFailed with ActiveModel::Errors' do
-        expect { instance.validate! }.should raise_error(OpenIDConnect::ResponseObject::ValidationFailed) { |e|
+      it 'should raise OpenIDConnect::ValidationFailed with ActiveModel::Errors' do
+        expect { instance.validate! }.should raise_error(OpenIDConnect::ValidationFailed) { |e|
           e.message.should include 'Required is not included in the list'
           e.message.should include 'Required is too long (maximum is 10 characters)'
           e.errors.should be_a ActiveModel::Errors

data/spec/rack/oauth2/server/authorize/extension/code_and_id_token_spec.rb

@@ -3,7 +3,7 @@ require 'spec_helper'
 describe Rack::OAuth2::Server::Authorize::Extension::CodeAndIdToken do
   subject { response }
   let(:request)      { Rack::MockRequest.new app }
-  let(:response)     { request.get("/?response_type=code%20id_token&client_id=client") }
+  let(:response)     { request.get("/?response_type=code%20id_token&client_id=client&state=state") }
   let(:redirect_uri) { 'http://client.example.com/callback' }
   let(:code)         { 'authorization_code' }
   let :id_token do
@@ -28,6 +28,7 @@ describe Rack::OAuth2::Server::Authorize::Extension::CodeAndIdToken do
     its(:location) { should include "#{redirect_uri}#" }
     its(:location) { should include "code=#{code}" }
     its(:location) { should include "id_token=#{id_token}" }
+    its(:location) { should include "state=state" }
 
     context 'when id_token is String' do
       let(:id_token) { 'non_jwt_string' }

data/spec/rack/oauth2/server/authorize/extension/id_token_and_token_spec.rb

@@ -3,7 +3,7 @@ require 'spec_helper'
 describe Rack::OAuth2::Server::Authorize::Extension::IdTokenAndToken do
   subject { response }
   let(:request)      { Rack::MockRequest.new app }
-  let(:response)     { request.get("/?response_type=token%20id_token&client_id=client") }
+  let(:response)     { request.get('/?response_type=token%20id_token&client_id=client&state=state') }
   let(:redirect_uri) { 'http://client.example.com/callback' }
   let(:bearer_token) { Rack::OAuth2::AccessToken::Bearer.new(:access_token => 'access_token') }
   let :id_token do
@@ -15,7 +15,7 @@ describe Rack::OAuth2::Server::Authorize::Extension::IdTokenAndToken do
     ).to_jwt private_key
   end
 
-  context "when id_token is given" do
+  context 'when id_token is given' do
     let :app do
       Rack::OAuth2::Server::Authorize.new do |request, response|
         response.redirect_uri = redirect_uri
@@ -25,15 +25,20 @@ describe Rack::OAuth2::Server::Authorize::Extension::IdTokenAndToken do
       end
     end
     its(:status)   { should == 302 }
-    its(:location) { should == "#{redirect_uri}#access_token=access_token&id_token=#{id_token}&token_type=bearer" }
+    its(:location) { should_not include '?' }
+    its(:location) { should include '#' }
+    its(:location) { should include 'access_token=access_token' }
+    its(:location) { should include "id_token=#{id_token}" }
+    its(:location) { should include 'token_type=bearer' }
+    its(:location) { should include 'state=state' }
 
     context 'when id_token is String' do
       let(:id_token) { 'id_token' }
-      its(:location) { should == "#{redirect_uri}#access_token=access_token&id_token=id_token&token_type=bearer" }
+      its(:location) { should include 'id_token=id_token' }
     end
   end
 
-  context "otherwise" do
+  context 'otherwise' do
     let :app do
       Rack::OAuth2::Server::Authorize.new do |request, response|
         response.redirect_uri = redirect_uri

data/spec/rack/oauth2/server/authorize/extension/id_token_spec.rb

@@ -3,7 +3,7 @@ require 'spec_helper'
 describe Rack::OAuth2::Server::Authorize::Extension::IdToken do
   subject { response }
   let(:request)      { Rack::MockRequest.new app }
-  let(:response)     { request.get("/?response_type=id_token&client_id=client") }
+  let(:response)     { request.get('/?response_type=id_token&client_id=client&state=state') }
   let(:redirect_uri) { 'http://client.example.com/callback' }
   let :id_token do
     OpenIDConnect::ResponseObject::IdToken.new(
@@ -14,7 +14,7 @@ describe Rack::OAuth2::Server::Authorize::Extension::IdToken do
     ).to_jwt private_key
   end
 
-  context "when id_token is given" do
+  context 'when id_token is given' do
     let :app do
       Rack::OAuth2::Server::Authorize.new do |request, response|
         response.redirect_uri = redirect_uri
@@ -23,15 +23,18 @@ describe Rack::OAuth2::Server::Authorize::Extension::IdToken do
       end
     end
     its(:status)   { should == 302 }
-    its(:location) { should == "#{redirect_uri}#id_token=#{id_token}" }
+    its(:location) { should_not include '?' }
+    its(:location) { should include '#' }
+    its(:location) { should include "id_token=#{id_token}" }
+    its(:location) { should include 'state=state' }
 
     context 'when id_token is String' do
       let(:id_token) { 'id_token' }
-      its(:location) { should == "#{redirect_uri}#id_token=id_token" }
+      its(:location) { should include 'id_token=id_token' }
     end
   end
 
-  context "otherwise" do
+  context 'otherwise' do
     let :app do
       Rack::OAuth2::Server::Authorize.new do |request, response|
         response.redirect_uri = redirect_uri

data/spec/spec_helper.rb

@@ -1,3 +1,10 @@
+if RUBY_VERSION >= '1.9'
+  require 'cover_me'
+  at_exit do
+    CoverMe.complete!
+  end
+end
+
 require 'rspec'
 require 'openid_connect'