openid_connect 0.6.1 → 0.7.0

data/spec/openid_connect/client_spec.rb

@@ -19,11 +19,11 @@ describe OpenIDConnect::Client do
       end
       its(:authorization_uri) { should include 'https://server.example.com/oauth2/authorize' }
       its(:authorization_uri) { should include 'scope=openid' }
-      its(:user_info_uri)     { should == 'https://server.example.com/user_info' }
+      its(:userinfo_uri)     { should == 'https://server.example.com/userinfo' }
     end
 
     context 'otherwise' do
-      [:authorization_uri, :user_info_uri].each do |endpoint|
+      [:authorization_uri, :userinfo_uri].each do |endpoint|
         describe endpoint do
           it do
             expect { client.send endpoint }.to raise_error 'No Host Info'

data/spec/openid_connect/discovery/provider/config/response_spec.rb

@@ -4,311 +4,78 @@ describe OpenIDConnect::Discovery::Provider::Config::Response do
   let :instance do
     OpenIDConnect::Discovery::Provider::Config::Response.new attributes
   end
-  let :attributes do
-    {}
+  let :jwks_uri do
+    'https://server.example.com/jwks.json'
   end
-
-  describe '#as_json' do
-    subject {
-      instance.as_json
+  let :minimum_attributes do
+    {
+      issuer: 'https://server.example.com',
+      jwks_uri: jwks_uri,
+      response_types_supported: [
+        :code, :id_token, 'token id_token'
+      ],
+      subject_types_supported: [
+        :public, :pairwise
+      ],
+      id_token_signing_alg_values_supported: [
+        :RS256
+      ]
     }
+  end
+  let :attributes do
+    minimum_attributes
+  end
+  subject { instance }
 
-    context 'when no attributes given' do
-      it do
-        should == {version: '3.0'}
-      end
+  context 'when required attributes missing' do
+    let :attributes do
+      {}
     end
+    it { should_not be_valid }
+  end
 
-    context 'when user_info_endpoint given' do
+  describe '#as_json' do
+    subject { instance.as_json }
+    it { should == minimum_attributes }
+  end
+
+  describe '#validate!' do
+    context 'when required attributes missing' do
       let :attributes do
-        {user_info_endpoint: 'https://server.example.com/user_info'}
+        {}
       end
       it do
-        should include :userinfo_endpoint
-      end
-      it do
-        should_not include :user_info_endpoint
+        expect do
+          instance.validate!
+        end.to raise_error OpenIDConnect::ValidationFailed
       end
     end
 
-    [
-      :user_info_signing_alg_values_supported,
-      :user_info_encryption_alg_values_supported,
-      :user_info_encryption_enc_values_supported
-    ].each do |key|
-      context "when #{key} given" do
-        let :attributes do
-          {key => [:x, :y]}
-        end
-        it do
-          should include key.to_s.sub('user_info', 'userinfo').to_sym
-        end
-        it do
-          should_not include key
-        end
+    context 'otherwise' do
+      it do
+        expect do
+          instance.validate!
+        end.not_to raise_error OpenIDConnect::ValidationFailed
       end
     end
   end
 
-  describe '#signing_key and #encryption_key' do
-    subject { config }
-    let(:config) { instance }
-    let(:attributes) do
-      {
-        x509_url: x509_url,
-        x509_encryption_url: x509_encryption_url,
-        jwk_url: jwk_url,
-        jwk_encryption_url: jwk_encryption_url
-      }.delete_if do |key, value|
-        value.nil?
-      end
-    end
-    let(:x509_url)            { nil }
-    let(:x509_encryption_url) { nil }
-    let(:jwk_url)             { nil }
-    let(:jwk_encryption_url)  { nil }
-
-    context 'when x509_url is given' do
-      let(:x509_url) { 'http://provider.example.com/x509.pem' }
-
-      context 'when x509_encryption_url is given' do
-        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
-
-        it 'should fetch signing_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when jwk_encryption_url is given' do
-        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
-
-        it 'should fetch signing_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from jwk_encryption_url' do
-          mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when both x509_encryption_url and jwk_encryption_url are given' do
-        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
-        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
-
-        it 'should fetch signing_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
-        it 'should fetch signing_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
-      end
-    end
-
-    context 'when jwk_url is given' do
-      let(:jwk_url) { 'http://provider.example.com/jwk.json' }
-
-      context 'when x509_encryption_url is given' do
-        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
-
-        it 'should fetch signing_key from jwk_url' do
-          mock_json :get, jwk_url, 'public_keys/jwk' do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when jwk_encryption_url is given' do
-        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
-
-        it 'should fetch signing_key from jwk_url' do
-          mock_json :get, jwk_url, 'public_keys/jwk' do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from jwk_encryption_url' do
-          mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when both x509_encryption_url and jwk_encryption_url are given' do
-        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
-        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
-
-        it 'should fetch signing_key from jwk_url' do
-          mock_json :get, jwk_url, 'public_keys/jwk' do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
-        it 'should fetch signing_key from jwk_url' do
-          mock_json :get, jwk_url, 'public_keys/jwk' do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, jwk_url, 'public_keys/jwk' do
-            config.encryption_key
-          end
-        end
-      end
-    end
-
-    context 'when both x509_url and jwk_url are given' do
-      let(:x509_url) { 'http://provider.example.com/cert.pem' }
-      let(:jwk_url) { 'http://provider.example.com/jwk.json' }
-
-      context 'when x509_encryption_url is given' do
-        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
-
-        it 'should fetch signing_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when jwk_encryption_url is given' do
-        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
-
-        it 'should fetch signing_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from jwk_encryption_url' do
-          mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when both x509_encryption_url and jwk_encryption_url are given' do
-        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
-        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
-
-        it 'should fetch signing_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
-        it 'should fetch signing_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
+  describe '#jwks' do
+    it do
+      jwks = mock_json :get, jwks_uri, 'public_keys/jwks' do
+        instance.jwks
       end
+      jwks.should be_instance_of JSON::JWK::Set
     end
+  end
 
-    context 'when neither x509_url nor jwk_url are given' do
-      context 'when x509_encryption_url is given' do
-        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
-        its(:signing_key) { should be_nil }
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when jwk_encryption_url is given' do
-        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
-        its(:signing_key) { should be_nil }
-
-        it 'should fetch encryption_key from jwk_encryption_url' do
-          mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when both x509_encryption_url and jwk_encryption_url are given' do
-        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
-        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
-        its(:signing_key) { should be_nil }
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
-        its(:signing_key) { should be_nil }
-        its(:encryption_key) { should be_nil }
+  describe '#public_keys' do
+    it do
+      public_keys = mock_json :get, jwks_uri, 'public_keys/jwks' do
+        instance.public_keys
       end
+      public_keys.should be_instance_of Array
+      public_keys.first.should be_instance_of OpenSSL::PKey::RSA
     end
   end
 end

data/spec/openid_connect/discovery/provider/config_spec.rb

@@ -2,28 +2,27 @@ require 'spec_helper'
 
 describe OpenIDConnect::Discovery::Provider::Config do
   let(:provider) { 'https://connect-op.heroku.com' }
-  let(:endpoint) { "https://connect-op.heroku.com/.well-known/openid-configuration" }
+  let(:endpoint) { 'https://connect-op.heroku.com/.well-known/openid-configuration' }
 
   describe 'discover!' do
     it 'should setup given attributes' do
       mock_json :get, endpoint, 'discovery/config' do
         config = OpenIDConnect::Discovery::Provider::Config.discover! provider
         config.should be_instance_of OpenIDConnect::Discovery::Provider::Config::Response
-        config.version.should == '3.0'
         config.issuer.should == 'https://connect-op.heroku.com'
         config.authorization_endpoint.should == 'https://connect-op.heroku.com/authorizations/new'
         config.token_endpoint.should == 'https://connect-op.heroku.com/access_tokens'
-        config.user_info_endpoint.should == 'https://connect-op.heroku.com/user_info'
-        config.refresh_session_endpoint.should be_nil
+        config.userinfo_endpoint.should == 'https://connect-op.heroku.com/userinfo'
+        config.check_session_endpoint.should be_nil
         config.end_session_endpoint.should be_nil
-        config.jwk_url.should be_nil
-        config.x509_url.should == 'https://connect-op.heroku.com/cert.pem'
+        config.jwks_uri.should == 'https://connect-op.heroku.com/jwks.json'
         config.registration_endpoint.should == 'https://connect-op.heroku.com/connect/client'
-        config.scopes_supported.should == ["openid", "profile", "email", "address"]
-        config.response_types_supported.should == ["code", "token", "id_token", "code token", "code id_token", "id_token token"]
+        config.scopes_supported.should == ['openid', 'profile', 'email', 'address']
+        config.response_types_supported.should == ['code', 'token', 'id_token', 'code token', 'code id_token', 'id_token token']
         config.acr_values_supported.should be_nil
-        config.subject_types_supported.should == ["public", "pairwise"]
-        config.claims_supported.should == ["sub", "iss", "name", "email"]
+        config.subject_types_supported.should == ['public', 'pairwise']
+        config.claims_supported.should == ['sub', 'iss', 'name', 'email']
+        config.id_token_signing_alg_values_supported.should == ['RS256']
       end
     end
 
@@ -40,7 +39,7 @@ describe OpenIDConnect::Discovery::Provider::Config do
 
   context 'when OP identifier includes custom port' do
     let(:provider) { 'https://connect-op.heroku.com:8080' }
-    let(:endpoint) { "https://connect-op.heroku.com:8080/.well-known/openid-configuration" }
+    let(:endpoint) { 'https://connect-op.heroku.com:8080/.well-known/openid-configuration' }
 
     it 'should construct well-known URI with given port' do
       mock_json :get, endpoint, 'discovery/config' do
@@ -51,7 +50,7 @@ describe OpenIDConnect::Discovery::Provider::Config do
 
   context 'when OP identifier includes path' do
     let(:provider) { 'https://connect.openid4.us/abop' }
-    let(:endpoint) { "https://connect.openid4.us/abop/.well-known/openid-configuration" }
+    let(:endpoint) { 'https://connect.openid4.us/abop/.well-known/openid-configuration' }
 
     it 'should construct well-known URI with given port' do
       mock_json :get, endpoint, 'discovery/config' do

data/spec/openid_connect/discovery/provider_spec.rb

@@ -6,7 +6,7 @@ describe OpenIDConnect::Discovery::Provider do
   let(:endpoint) { "https://#{host}/.well-known/webfinger" }
   let(:query) do
     {
-      rel: OpenIDConnect::Discovery::REL_VALUE,
+      rel: OpenIDConnect::Discovery::Provider::Issuer::REL_VALUE,
       resource: resource
     }
   end

data/spec/openid_connect/request_object_spec.rb

@@ -93,15 +93,15 @@ describe OpenIDConnect::RequestObject do
 
     describe '#required?' do
       it do
-        request_object.user_info.required?(:name).should be_true
-        request_object.user_info.optional?(:name).should be_false
+        request_object.userinfo.required?(:name).should be_true
+        request_object.userinfo.optional?(:name).should be_false
       end
     end
 
     describe '#optional' do
       it do
-        request_object.user_info.required?(:email).should be_false
-        request_object.user_info.optional?(:email).should be_true
+        request_object.userinfo.required?(:email).should be_false
+        request_object.userinfo.optional?(:email).should be_true
       end
     end
   end