openid_connect 0.6.1 → 2.3.0

data/spec/openid_connect/discovery/provider/config/response_spec.rb

@@ -4,311 +4,103 @@ describe OpenIDConnect::Discovery::Provider::Config::Response do
   let :instance do
     OpenIDConnect::Discovery::Provider::Config::Response.new attributes
   end
-  let :attributes do
-    {}
+  let :jwks_uri do
+    'https://server.example.com/jwks.json'
   end
-
-  describe '#as_json' do
-    subject {
-      instance.as_json
+  let :minimum_attributes do
+    {
+      issuer: 'https://server.example.com',
+      authorization_endpoint: 'https://server.example.com/authorize',
+      jwks_uri: jwks_uri,
+      response_types_supported: [
+        :code, :id_token, 'token id_token'
+      ],
+      subject_types_supported: [
+        :public, :pairwise
+      ],
+      id_token_signing_alg_values_supported: [
+        :RS256
+      ]
     }
+  end
+  let :attributes do
+    minimum_attributes
+  end
+  subject { instance }
 
-    context 'when no attributes given' do
-      it do
-        should == {version: '3.0'}
-      end
-    end
-
-    context 'when user_info_endpoint given' do
-      let :attributes do
-        {user_info_endpoint: 'https://server.example.com/user_info'}
-      end
-      it do
-        should include :userinfo_endpoint
-      end
-      it do
-        should_not include :user_info_endpoint
-      end
+  context 'when required attributes missing' do
+    let :attributes do
+      {}
     end
+    it { should_not be_valid }
+  end
 
-    [
-      :user_info_signing_alg_values_supported,
-      :user_info_encryption_alg_values_supported,
-      :user_info_encryption_enc_values_supported
-    ].each do |key|
-      context "when #{key} given" do
-        let :attributes do
-          {key => [:x, :y]}
-        end
-        it do
-          should include key.to_s.sub('user_info', 'userinfo').to_sym
-        end
-        it do
-          should_not include key
-        end
-      end
+  context 'when end_session_endpoint given' do
+    let(:end_session_endpoint) { 'https://server.example.com/end_session' }
+    let :attributes do
+      minimum_attributes.merge(
+        end_session_endpoint: end_session_endpoint
+      )
     end
+    it { should be_valid }
+    its(:end_session_endpoint) { should == end_session_endpoint }
   end
 
-  describe '#signing_key and #encryption_key' do
-    subject { config }
-    let(:config) { instance }
-    let(:attributes) do
-      {
-        x509_url: x509_url,
-        x509_encryption_url: x509_encryption_url,
-        jwk_url: jwk_url,
-        jwk_encryption_url: jwk_encryption_url
-      }.delete_if do |key, value|
-        value.nil?
-      end
+  context 'when check_session_iframe given' do
+    let(:check_session_iframe) { 'https://server.example.com/check_session_iframe.html' }
+    let :attributes do
+      minimum_attributes.merge(
+        check_session_iframe: check_session_iframe
+      )
     end
-    let(:x509_url)            { nil }
-    let(:x509_encryption_url) { nil }
-    let(:jwk_url)             { nil }
-    let(:jwk_encryption_url)  { nil }
-
-    context 'when x509_url is given' do
-      let(:x509_url) { 'http://provider.example.com/x509.pem' }
-
-      context 'when x509_encryption_url is given' do
-        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
-
-        it 'should fetch signing_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when jwk_encryption_url is given' do
-        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
-
-        it 'should fetch signing_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from jwk_encryption_url' do
-          mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when both x509_encryption_url and jwk_encryption_url are given' do
-        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
-        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
+    it { should be_valid }
+    its(:check_session_iframe) { should == check_session_iframe }
+  end
 
-        it 'should fetch signing_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.signing_key
-          end
-        end
+  describe '#as_json' do
+    subject { instance.as_json }
+    it { should == minimum_attributes }
+  end
 
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
+  describe '#validate!' do
+    context 'when required attributes missing' do
+      let :attributes do
+        {}
       end
-
-      context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
-        it 'should fetch signing_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
+      it do
+        expect do
+          instance.validate!
+        end.to raise_error OpenIDConnect::ValidationFailed
       end
     end
 
-    context 'when jwk_url is given' do
-      let(:jwk_url) { 'http://provider.example.com/jwk.json' }
-
-      context 'when x509_encryption_url is given' do
-        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
-
-        it 'should fetch signing_key from jwk_url' do
-          mock_json :get, jwk_url, 'public_keys/jwk' do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when jwk_encryption_url is given' do
-        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
-
-        it 'should fetch signing_key from jwk_url' do
-          mock_json :get, jwk_url, 'public_keys/jwk' do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from jwk_encryption_url' do
-          mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when both x509_encryption_url and jwk_encryption_url are given' do
-        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
-        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
-
-        it 'should fetch signing_key from jwk_url' do
-          mock_json :get, jwk_url, 'public_keys/jwk' do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
-        it 'should fetch signing_key from jwk_url' do
-          mock_json :get, jwk_url, 'public_keys/jwk' do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, jwk_url, 'public_keys/jwk' do
-            config.encryption_key
-          end
-        end
+    context 'otherwise' do
+      it do
+        expect do
+          instance.validate!
+        end.not_to raise_error{ |e|
+          e.should be_a OpenIDConnect::ValidationFailed
+        }
       end
     end
+  end
 
-    context 'when both x509_url and jwk_url are given' do
-      let(:x509_url) { 'http://provider.example.com/cert.pem' }
-      let(:jwk_url) { 'http://provider.example.com/jwk.json' }
-
-      context 'when x509_encryption_url is given' do
-        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
-
-        it 'should fetch signing_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when jwk_encryption_url is given' do
-        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
-
-        it 'should fetch signing_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from jwk_encryption_url' do
-          mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when both x509_encryption_url and jwk_encryption_url are given' do
-        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
-        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
-
-        it 'should fetch signing_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
-        it 'should fetch signing_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.signing_key
-          end
-        end
-
-        it 'should fetch encryption_key from x509_url' do
-          mock_json :get, x509_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
+  describe '#jwks' do
+    it do
+      jwks = mock_json :get, jwks_uri, 'public_keys/jwks' do
+        instance.jwks
       end
+      jwks.should be_instance_of JSON::JWK::Set
     end
+  end
 
-    context 'when neither x509_url nor jwk_url are given' do
-      context 'when x509_encryption_url is given' do
-        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
-        its(:signing_key) { should be_nil }
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when jwk_encryption_url is given' do
-        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
-        its(:signing_key) { should be_nil }
-
-        it 'should fetch encryption_key from jwk_encryption_url' do
-          mock_json :get, jwk_encryption_url, 'public_keys/jwk' do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when both x509_encryption_url and jwk_encryption_url are given' do
-        let(:x509_encryption_url) { 'http://provider.example.com/x509_encryption.pem' }
-        let(:jwk_encryption_url) { 'http://provider.example.com/jwk_encryption.json' }
-        its(:signing_key) { should be_nil }
-
-        it 'should fetch encryption_key from x509_encryption_url' do
-          mock_json :get, x509_encryption_url, 'public_keys/x509', format: :pem do
-            config.encryption_key
-          end
-        end
-      end
-
-      context 'when neither x509_encryption_url nor jwk_encryption_url are given' do
-        its(:signing_key) { should be_nil }
-        its(:encryption_key) { should be_nil }
+  describe '#public_keys' do
+    it do
+      public_keys = mock_json :get, jwks_uri, 'public_keys/jwks' do
+        instance.public_keys
       end
+      public_keys.should be_instance_of Array
+      public_keys.first.should be_instance_of OpenSSL::PKey::RSA
     end
   end
-end
+end

data/spec/openid_connect/discovery/provider/config_spec.rb

@@ -2,28 +2,47 @@ require 'spec_helper'
 
 describe OpenIDConnect::Discovery::Provider::Config do
   let(:provider) { 'https://connect-op.heroku.com' }
-  let(:endpoint) { "https://connect-op.heroku.com/.well-known/openid-configuration" }
+  let(:endpoint) { 'https://connect-op.heroku.com/.well-known/openid-configuration' }
 
   describe 'discover!' do
     it 'should setup given attributes' do
       mock_json :get, endpoint, 'discovery/config' do
         config = OpenIDConnect::Discovery::Provider::Config.discover! provider
         config.should be_instance_of OpenIDConnect::Discovery::Provider::Config::Response
-        config.version.should == '3.0'
         config.issuer.should == 'https://connect-op.heroku.com'
         config.authorization_endpoint.should == 'https://connect-op.heroku.com/authorizations/new'
         config.token_endpoint.should == 'https://connect-op.heroku.com/access_tokens'
-        config.user_info_endpoint.should == 'https://connect-op.heroku.com/user_info'
-        config.refresh_session_endpoint.should be_nil
-        config.end_session_endpoint.should be_nil
-        config.jwk_url.should be_nil
-        config.x509_url.should == 'https://connect-op.heroku.com/cert.pem'
+        config.userinfo_endpoint.should == 'https://connect-op.heroku.com/userinfo'
+        config.jwks_uri.should == 'https://connect-op.heroku.com/jwks.json'
         config.registration_endpoint.should == 'https://connect-op.heroku.com/connect/client'
-        config.scopes_supported.should == ["openid", "profile", "email", "address"]
-        config.response_types_supported.should == ["code", "token", "id_token", "code token", "code id_token", "id_token token"]
+        config.scopes_supported.should == ['openid', 'profile', 'email', 'address']
+        config.response_types_supported.should == ['code', 'token', 'id_token', 'code token', 'code id_token', 'id_token token']
         config.acr_values_supported.should be_nil
-        config.subject_types_supported.should == ["public", "pairwise"]
-        config.claims_supported.should == ["sub", "iss", "name", "email"]
+        config.subject_types_supported.should == ['public', 'pairwise']
+        config.claims_supported.should == ['sub', 'iss', 'name', 'email']
+        config.id_token_signing_alg_values_supported.should == ['RS256']
+      end
+    end
+
+    context 'when OP identifier includes custom port' do
+      let(:provider) { 'https://connect-op.heroku.com:8080' }
+      let(:endpoint) { 'https://connect-op.heroku.com:8080/.well-known/openid-configuration' }
+
+      it 'should construct well-known URI with given port' do
+        mock_json :get, endpoint, 'discovery/config_with_custom_port' do
+          OpenIDConnect::Discovery::Provider::Config.discover! provider
+        end
+      end
+    end
+
+    context 'when OP identifier includes path' do
+      let(:provider) { 'https://connect.openid4.us/abop' }
+      let(:endpoint) { 'https://connect.openid4.us/abop/.well-known/openid-configuration' }
+
+      it 'should construct well-known URI with given port' do
+        mock_json :get, endpoint, 'discovery/config_with_path' do
+          OpenIDConnect::Discovery::Provider::Config.discover! provider
+        end
       end
     end
 
@@ -36,27 +55,45 @@ describe OpenIDConnect::Discovery::Provider::Config do
         end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
       end
     end
-  end
 
-  context 'when OP identifier includes custom port' do
-    let(:provider) { 'https://connect-op.heroku.com:8080' }
-    let(:endpoint) { "https://connect-op.heroku.com:8080/.well-known/openid-configuration" }
+    describe 'when response include invalid issuer' do
+      context 'with normal configuration' do
+        it do
+          expect do
+            mock_json :get, endpoint, 'discovery/config_with_invalid_issuer' do
+              OpenIDConnect::Discovery::Provider::Config.discover! provider
+            end
+          end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
+        end
+      end
 
-    it 'should construct well-known URI with given port' do
-      mock_json :get, endpoint, 'discovery/config' do
-        OpenIDConnect::Discovery::Provider::Config.discover! provider
+      context 'when issuer validation is disabled.' do
+        before :each do
+          OpenIDConnect.validate_discovery_issuer = false
+        end
+
+        after :each do
+          OpenIDConnect.validate_discovery_issuer = true
+        end
+
+        it do
+          expect do
+            mock_json :get, endpoint, 'discovery/config_with_invalid_issuer' do
+              OpenIDConnect::Discovery::Provider::Config.discover! provider
+            end
+          end.not_to raise_error
+        end
       end
     end
-  end
 
-  context 'when OP identifier includes path' do
-    let(:provider) { 'https://connect.openid4.us/abop' }
-    let(:endpoint) { "https://connect.openid4.us/abop/.well-known/openid-configuration" }
-
-    it 'should construct well-known URI with given port' do
-      mock_json :get, endpoint, 'discovery/config' do
-        OpenIDConnect::Discovery::Provider::Config.discover! provider
+    context 'when response include no issuer' do
+      it do
+        expect do
+          mock_json :get, endpoint, 'discovery/config_without_issuer' do
+            OpenIDConnect::Discovery::Provider::Config.discover! provider
+          end
+        end.to raise_error OpenIDConnect::Discovery::DiscoveryFailed
       end
     end
   end
-end
+end

data/spec/openid_connect/discovery/provider_spec.rb

@@ -6,7 +6,7 @@ describe OpenIDConnect::Discovery::Provider do
   let(:endpoint) { "https://#{host}/.well-known/webfinger" }
   let(:query) do
     {
-      rel: OpenIDConnect::Discovery::REL_VALUE,
+      rel: OpenIDConnect::Discovery::Provider::Issuer::REL_VALUE,
       resource: resource
     }
   end
@@ -51,7 +51,7 @@ describe OpenIDConnect::Discovery::Provider do
 
     context 'when Email is given' do
       let(:identifier) { "nov@#{host}" }
-      let(:resource)   { identifier }
+      let(:resource)   { "acct:#{identifier}" }
       it_behaves_like :discover_provider
     end
 

data/spec/openid_connect/request_object_spec.rb

@@ -93,15 +93,15 @@ describe OpenIDConnect::RequestObject do
 
     describe '#required?' do
       it do
-        request_object.user_info.required?(:name).should be_true
-        request_object.user_info.optional?(:name).should be_false
+        request_object.userinfo.required?(:name).should == true
+        request_object.userinfo.optional?(:name).should == false
       end
     end
 
     describe '#optional' do
       it do
-        request_object.user_info.required?(:email).should be_false
-        request_object.user_info.optional?(:email).should be_true
+        request_object.userinfo.required?(:email).should == false
+        request_object.userinfo.optional?(:email).should == true
       end
     end
   end