openid_connect 0.0.4 → 0.0.5

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format=documentation

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    openid_connect (0.0.3)
+    openid_connect (0.0.4)
       activemodel (>= 3)
       attr_required (>= 0.0.3)
       json (>= 1.4.3)
@@ -14,16 +14,18 @@ PATH
 GEM
   remote: http://rubygems.org/
   specs:
-    activemodel (3.0.5)
-      activesupport (= 3.0.5)
+    activemodel (3.0.9)
+      activesupport (= 3.0.9)
       builder (~> 2.1.2)
-      i18n (~> 0.4)
-    activesupport (3.0.5)
+      i18n (~> 0.5.0)
+    activesupport (3.0.9)
+    addressable (2.2.6)
     attr_required (0.0.3)
     builder (2.1.2)
+    crack (0.1.8)
     diff-lcs (1.1.2)
     httpclient (2.2.1)
-    i18n (0.6.0)
+    i18n (0.5.0)
     json (1.5.3)
     jwt (0.1.3)
       json (>= 1.2.4)
@@ -60,6 +62,9 @@ GEM
       mail (>= 2.2.5)
     validate_url (0.2.0)
       activemodel (>= 3.0.0)
+    webmock (1.6.4)
+      addressable (> 2.2.5, ~> 2.2)
+      crack (>= 0.1.7)
 
 PLATFORMS
   ruby
@@ -69,3 +74,4 @@ DEPENDENCIES
   rake (>= 0.8)
   rcov (>= 0.9)
   rspec (>= 2)
+  webmock (>= 1.6.2)

data/VERSION

@@ -1 +1 @@
-0.0.4
+0.0.5

data/lib/openid_connect/access_token.rb

@@ -2,17 +2,16 @@ module OpenIDConnect
   class AccessToken < Rack::OAuth2::AccessToken::Bearer
     attr_required :client
 
+    def initialize(attributes = {})
+      super
+      @token_type = :bearer
+    end
+
     def user_info!(scheme = :openid)
-      klass = case scheme
-      when :openid
-        ResponseObject::UserInfo::OpenID
-      else
-        raise "Unknown Scheme: #{scheme}"
-      end
       hash = resource_request do
         get client.user_info_uri
       end
-      klass.new hash
+      ResponseObject::UserInfo::OpenID.new hash
     end
 
     def id_token!
@@ -29,10 +28,14 @@ module OpenIDConnect
       case res.status
       when 200
         JSON.parse(res.body).with_indifferent_access
+      when 400
+        raise BadRequest.new('API Access Faild')
       when 401
-        raise OpenIDConnect::Unauthorized.new('Access Token Invalid or Expired')
+        raise Unauthorized.new('Access Token Invalid or Expired')
+      when 403
+        raise Forbidden.new('Insufficient Scope')
       else
-        raise OpenIDConnect::BadRequest.new('API Access Faild')
+        raise HttpError.new(res.status, 'Unknown HttpError')
       end
     end
   end

data/lib/openid_connect/client.rb

@@ -19,6 +19,7 @@ module OpenIDConnect
 
     def access_token!
       token = super
+      raise Exception.new("Unexpected Token Type: #{token.token_type}") unless token.token_type == :bearer
       AccessToken.new token.token_response.merge(:client => self)
     end
 

data/lib/openid_connect/exception.rb

@@ -4,26 +4,26 @@ module OpenIDConnect
   class HttpError < Exception
     attr_accessor :status, :response
     def initialize(status, message, response = nil)
+      super message
       @status = status
-      @message = message
       @response = response
     end
   end
 
   class BadRequest < HttpError
-    def initialize(message, response = nil)
+    def initialize(message = nil, response = nil)
       super 400, message, response
     end
   end
 
   class Unauthorized < HttpError
-    def initialize(message, response = nil)
+    def initialize(message = nil, response = nil)
       super 401, message, response
     end
   end
 
   class Forbidden < HttpError
-    def initialize(message, response = nil)
+    def initialize(message = nil, response = nil)
       super 403, message, response
     end
   end

data/lib/openid_connect/response_object.rb

@@ -20,10 +20,6 @@ module OpenIDConnect
       required_attributes + optional_attributes
     end
 
-    def hidden_attributes
-      nil
-    end
-
     def require_at_least_one_attributes
       all_blank = all_attriutes.all? do |key|
         self.send(key).blank?
@@ -38,6 +34,12 @@ module OpenIDConnect
         value.nil?
       end
     end
+
+    private
+
+    def hidden_attributes
+      nil
+    end
   end
 end
 

data/lib/openid_connect/response_object/id_token.rb

@@ -6,17 +6,20 @@ module OpenIDConnect
       attr_required :iss, :user_id, :aud, :exp
       attr_optional :iso29115, :nonce, :issued_to, :secret
 
-      def hidden_attributes
-        :secret
-      end
-
       def to_jwt
+        raise Exception.new('Secret Required') unless secret
         JWT.encode as_json, secret
       end
 
       def self.from_jwt(jwt, secret)
         new JWT.decode(jwt, secret).with_indifferent_access.merge(:secret => secret)
       end
+
+      private
+
+      def hidden_attributes
+        :secret
+      end
     end
   end
 end

data/openid_connect.gemspec

@@ -21,4 +21,5 @@ Gem::Specification.new do |s|
   s.add_development_dependency "rake", ">= 0.8"
   s.add_development_dependency "rcov", ">= 0.9"
   s.add_development_dependency "rspec", ">= 2"
+  s.add_development_dependency "webmock", ">= 1.6.2"
 end

data/spec/helpers/webmock_helper.rb

@@ -0,0 +1,42 @@
+require 'webmock/rspec'
+
+module WebMockHelper
+  def mock_json(method, endpoint, response_file, options = {})
+    stub_request(method, endpoint).with(
+      request_for(method, options)
+    ).to_return(
+      response_for(response_file, options)
+    )
+    yield
+    a_request(method, endpoint).with(
+      request_for(method, options)
+    ).should have_been_made.once
+  end
+
+  private
+
+  def request_for(method, options = {})
+    request = {}
+    if options[:params]
+      case method
+      when :post, :put
+        request[:body] = options[:params]
+      else
+        request[:query] = options[:params]
+      end
+    end
+    request
+  end
+
+  def response_for(response_file, options = {})
+    response = {}
+    response[:body] = File.new(File.join(File.dirname(__FILE__), '../mock_response', "#{response_file}.#{options[:format] || :json}"))
+    if options[:status]
+      response[:status] = options[:status]
+    end
+    response
+  end
+end
+
+include WebMockHelper
+WebMock.disable_net_connect!

data/spec/mock_response/access_token/bearer.json

@@ -0,0 +1,6 @@
+{
+  "access_token":"access_token",
+  "refresh_token":"refresh_token",
+  "token_type":"bearer",
+  "expires_in":3600
+}

data/spec/mock_response/access_token/mac.json

@@ -0,0 +1,8 @@
+{
+  "token_type": "mac",
+  "mac_algorithm": "hmac-sha-256",
+  "expires_in": 3600,
+  "mac_key": "secret",
+  "refresh_token": "refresh_token",
+  "access_token": "access_token"
+}

data/spec/mock_response/errors/insufficient_scope.json

@@ -0,0 +1,3 @@
+{
+  "error": "insufficient_scope"
+}

data/spec/mock_response/errors/invalid_access_token.json

@@ -0,0 +1,3 @@
+{
+  "error": "invalid_access_token"
+}

data/spec/mock_response/errors/invalid_request.json

@@ -0,0 +1,3 @@
+{
+  "error": "invalid_request"
+}

data/spec/mock_response/errors/unknown.json

@@ -0,0 +1 @@
+Fuckin Unknown Error

data/spec/mock_response/id_token.json

@@ -0,0 +1,7 @@
+{
+  "iss": "http://server.example.com",
+  "client_id": "http://client.example.com",
+  "aud": "http://client.example.com",
+  "user_id": "user_328723",
+  "exp": 1303852880
+}

data/spec/mock_response/user_info/openid.json

@@ -0,0 +1,23 @@
+{
+  "id": "90125",
+  "name": "Jonathan Q. Doe",
+  "given_name": "Jonathan",
+  "middle_name": "Q.",
+  "family_name": "Doe",
+  "nickname": "John",
+  "email": "johndoe@example.com",
+  "verified": true,
+  "profile": "http://example.com/johndoe/",
+  "picture": "http://example.com/johndoe/me.jpg",
+  "website": "http://john.doe.blogs.example.net/",
+  "gender": "male",
+  "birthday": "05/02/0000",
+  "zoneinfo": "America/Los_Angeles",
+  "locale": "en_US",
+  "phone_number": "+1 (425) 555-1212",
+  "address": {
+    "region": "WA",
+    "country": "United States"
+  },
+  "last_updated": "2011-06-29T21:10:22+0000"
+}

data/spec/openid_connect/access_token_spec.rb

@@ -0,0 +1,68 @@
+require 'spec_helper'
+
+describe OpenIDConnect::AccessToken do
+  subject { token }
+  let :client do
+    OpenIDConnect::Client.new(
+      :identifier => 'client_id',
+      :host => 'server.example.com'
+    )
+  end
+  let :token do
+    OpenIDConnect::AccessToken.new(
+      :access_token => 'access_token',
+      :client => client
+    )
+  end
+  its(:token_type) { should == :bearer }
+
+  describe '#user_info!' do
+    it 'should return OpenIDConnect::ResponseObject::UserInfo::OpenID' do
+      mock_json :get, client.user_info_uri, 'user_info/openid', :HTTP_AUTHORIZATION => 'Bearer access_token' do
+        token.user_info!.should be_a OpenIDConnect::ResponseObject::UserInfo::OpenID
+      end
+    end
+
+    describe 'error handling' do
+      context 'when bad_request' do
+        it 'should raise OpenIDConnect::Forbidden' do
+          mock_json :get, client.user_info_uri, 'errors/invalid_request', :HTTP_AUTHORIZATION => 'Bearer access_token', :status => 400 do
+            expect { token.user_info! }.should raise_error OpenIDConnect::BadRequest
+          end
+        end
+      end
+
+      context 'when unauthorized' do
+        it 'should raise OpenIDConnect::Unauthorized' do
+          mock_json :get, client.user_info_uri, 'errors/invalid_access_token', :HTTP_AUTHORIZATION => 'Bearer access_token', :status => 401 do
+            expect { token.user_info! }.should raise_error OpenIDConnect::Unauthorized
+          end
+        end
+      end
+
+      context 'when forbidden' do
+        it 'should raise OpenIDConnect::Forbidden' do
+          mock_json :get, client.user_info_uri, 'errors/insufficient_scope', :HTTP_AUTHORIZATION => 'Bearer access_token', :status => 403 do
+            expect { token.user_info! }.should raise_error OpenIDConnect::Forbidden
+          end
+        end
+      end
+
+      context 'when unknown' do
+        it 'should raise OpenIDConnect::HttpError' do
+          mock_json :get, client.user_info_uri, 'errors/unknown', :HTTP_AUTHORIZATION => 'Bearer access_token', :status => 500 do
+            expect { token.user_info! }.should raise_error OpenIDConnect::HttpError
+          end
+        end
+      end
+    end
+  end
+
+  describe '#id_token!' do
+    it 'should return OpenIDConnect::ResponseObject::IdToken' do
+      mock_json :get, client.introspection_uri, 'id_token', :HTTP_AUTHORIZATION => 'Bearer access_token' do
+        token.id_token!.should be_a OpenIDConnect::ResponseObject::IdToken
+      end
+    end
+  end
+end

data/spec/openid_connect/client_spec.rb

@@ -0,0 +1,102 @@
+require 'spec_helper'
+
+describe OpenIDConnect::Client do
+  subject { client }
+  let(:client) { OpenIDConnect::Client.new attributes }
+  let(:attributes) { required_attributes }
+  let :required_attributes do
+    {
+      :identifier => 'client_id'
+    }
+  end
+
+  describe 'endpoints' do
+    context 'when host info is given' do
+      let :attributes do
+        required_attributes.merge(
+          :host => 'server.example.com'
+        )
+      end
+      its(:authorization_uri) { should include 'https://server.example.com/oauth2/authorize' }
+      its(:authorization_uri) { should include 'scope=openid' }
+      its(:introspection_uri) { should == 'https://server.example.com/id_tokens' }
+      its(:user_info_uri)     { should == 'https://server.example.com/user_info' }
+    end
+
+    context 'otherwise' do
+      [:authorization_uri, :introspection_uri, :user_info_uri].each do |endpoint|
+        describe endpoint do
+          it do
+            expect { client.send endpoint }.should raise_error 'No Host Info'
+          end
+        end
+      end
+    end
+  end
+
+  describe '#authorization_uri' do
+    describe 'scope' do
+      subject do
+        query = URI.parse(client.authorization_uri :scope => scope).query
+        Rack::Utils.parse_query(query).with_indifferent_access[:scope]
+      end
+      let(:scope) { nil }
+      let :attributes do
+        required_attributes.merge(
+          :host => 'server.example.com'
+        )
+      end
+
+      context 'when scope is given' do
+        context 'when openid scope is included' do
+          let(:scope) { [:openid, :email] }
+          it { should == 'openid email' }
+        end
+
+        context 'otherwise' do
+          let(:scope) { :email }
+          it { should == 'email openid' }
+        end
+      end
+
+      context 'otherwise' do
+        it { should == 'openid' }
+      end
+    end
+  end
+
+  describe '#access_token!' do
+    let :attributes do
+      required_attributes.merge(
+        :secret => 'client_secret',
+        :token_endpoint => 'http://server.example.com/access_tokens'
+      )
+    end
+    let :protocol_params do
+      {
+        :client_id => 'client_id',
+        :client_secret => 'client_secret',
+        :grant_type => 'authorization_code',
+        :code => 'code'
+      }
+    end
+
+    context 'when bearer token is returned' do
+      it 'should return OpenIDConnect::AccessToken' do
+        mock_json :post, client.token_endpoint, 'access_token/bearer', :params => protocol_params do
+          client.authorization_code = 'code'
+          client.access_token!.should be_a OpenIDConnect::AccessToken
+        end
+      end
+    end
+
+    context 'otherwise' do
+      it 'should raise Unexpected Token Type exception' do
+        mock_json :post, client.token_endpoint, 'access_token/mac', :params => protocol_params do
+          client.authorization_code = 'code'
+          expect { client.access_token! }.should raise_error OpenIDConnect::Exception, 'Unexpected Token Type: mac'
+        end
+      end
+    end
+  end
+end

data/spec/openid_connect/exception_spec.rb

@@ -0,0 +1,25 @@
+require 'spec_helper'
+
+describe OpenIDConnect::HttpError do
+  subject do
+    OpenIDConnect::HttpError.new 400, 'Bad Request'
+  end
+  its(:status)   { should == 400 }
+  its(:message)  { should == 'Bad Request' }
+  its(:response) { should be_nil }
+end
+
+describe OpenIDConnect::BadRequest do
+  its(:status)  { should == 400 }
+  its(:message) { should == 'OpenIDConnect::BadRequest' }
+end
+
+describe OpenIDConnect::Unauthorized do
+  its(:status)  { should == 401 }
+  its(:message) { should == 'OpenIDConnect::Unauthorized' }
+end
+
+describe OpenIDConnect::Forbidden do
+  its(:status)  { should == 403 }
+  its(:message) { should == 'OpenIDConnect::Forbidden' }
+end

data/spec/openid_connect/response_object/id_token_spec.rb

@@ -2,10 +2,50 @@ require 'spec_helper'
 
 describe OpenIDConnect::ResponseObject::IdToken do
   let(:klass) { OpenIDConnect::ResponseObject::IdToken }
+  let(:id_token) { klass.new attributes }
+  let :required_attributes do
+    {
+      :iss => 'https://server.example.com',
+      :user_id => 'user_id',
+      :aud => 'client_id',
+      :exp => 1313424327
+    }
+  end
 
   describe 'attributes' do
     subject { klass }
     its(:required_attributes) { should == [:iss, :user_id, :aud, :exp] }
     its(:optional_attributes) { should == [:iso29115, :nonce, :issued_to, :secret] }
   end
+
+  describe '#to_jwt' do
+    subject { id_token.to_jwt }
+
+    context 'when secret is given' do
+      let(:attributes) { required_attributes.merge(:secret => 'secret') }
+      it { should be_a String }
+    end
+
+    context 'otherwise' do
+      let(:attributes) { required_attributes }
+      it do
+        expect { id_token.to_jwt }.should raise_error OpenIDConnect::Exception, 'Secret Required'
+      end
+    end
+  end
+
+  describe '#as_json' do
+    subject { id_token.as_json }
+    let(:attributes) { required_attributes.merge(:secret => 'secret') }
+    it { should_not include :secret }
+  end
+
+  describe '.from_jwt' do
+    subject { klass.from_jwt id_token.to_jwt, 'secret' }
+    let(:attributes) { required_attributes.merge(:secret => 'secret') }
+    it { should be_a klass }
+    [:iss, :user_id, :aud, :exp, :secret].each do |key|
+      its(key) { should == attributes[key] }
+    end
+  end
 end

data/spec/spec_helper.rb

@@ -1,2 +1,4 @@
 require 'rspec'
 require 'openid_connect'
+
+require 'helpers/webmock_helper'

metadata

@@ -2,7 +2,7 @@
 name: openid_connect
 version: !ruby/object:Gem::Version 
   prerelease: 
-  version: 0.0.4
+  version: 0.0.5
 platform: ruby
 authors: 
 - nov matake
@@ -10,7 +10,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-08-15 00:00:00 Z
+date: 2011-08-16 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: activemodel
@@ -133,6 +133,17 @@ dependencies:
         version: "2"
   type: :development
   version_requirements: *id011
+- !ruby/object:Gem::Dependency 
+  name: webmock
+  prerelease: false
+  requirement: &id012 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 1.6.2
+  type: :development
+  version_requirements: *id012
 description: OpenID Connect Server & Client Library
 email: 
 - nov@matake.jp
@@ -144,6 +155,7 @@ extra_rdoc_files: []
 
 files: 
 - .gitignore
+- .rspec
 - Gemfile
 - Gemfile.lock
 - LICENSE
@@ -162,6 +174,18 @@ files:
 - lib/rack/oauth2/server/authorize/extension/id_token.rb
 - lib/rack/oauth2/server/authorize/extension/id_token_and_token.rb
 - openid_connect.gemspec
+- spec/helpers/webmock_helper.rb
+- spec/mock_response/access_token/bearer.json
+- spec/mock_response/access_token/mac.json
+- spec/mock_response/errors/insufficient_scope.json
+- spec/mock_response/errors/invalid_access_token.json
+- spec/mock_response/errors/invalid_request.json
+- spec/mock_response/errors/unknown.json
+- spec/mock_response/id_token.json
+- spec/mock_response/user_info/openid.json
+- spec/openid_connect/access_token_spec.rb
+- spec/openid_connect/client_spec.rb
+- spec/openid_connect/exception_spec.rb
 - spec/openid_connect/response_object/id_token_spec.rb
 - spec/openid_connect/response_object/user_info/open_id/address_spec.rb
 - spec/openid_connect/response_object/user_info/open_id_spec.rb
@@ -197,6 +221,18 @@ signing_key:
 specification_version: 3
 summary: OpenID Connect Server & Client Library
 test_files: 
+- spec/helpers/webmock_helper.rb
+- spec/mock_response/access_token/bearer.json
+- spec/mock_response/access_token/mac.json
+- spec/mock_response/errors/insufficient_scope.json
+- spec/mock_response/errors/invalid_access_token.json
+- spec/mock_response/errors/invalid_request.json
+- spec/mock_response/errors/unknown.json
+- spec/mock_response/id_token.json
+- spec/mock_response/user_info/openid.json
+- spec/openid_connect/access_token_spec.rb
+- spec/openid_connect/client_spec.rb
+- spec/openid_connect/exception_spec.rb
 - spec/openid_connect/response_object/id_token_spec.rb
 - spec/openid_connect/response_object/user_info/open_id/address_spec.rb
 - spec/openid_connect/response_object/user_info/open_id_spec.rb