prx_auth-rails 4.1.0 → 4.2.1
- checksums.yaml +4 -4
- data/.git-blame-ignore-revs +2 -0
- data/.github/workflows/check-project-std.yml +23 -0
- data/Gemfile +1 -1
- data/Guardfile +5 -5
- data/Rakefile +3 -3
- data/app/controllers/prx_auth/rails/sessions_controller.rb +15 -14
- data/app/views/prx_auth/rails/sessions/auth_error.html.erb +0 -7
- data/config/initializers/assets.rb +1 -1
- data/config/routes.rb +3 -3
- data/lib/prx_auth/rails/configuration.rb +15 -15
- data/lib/prx_auth/rails/engine.rb +1 -1
- data/lib/prx_auth/rails/ext/controller.rb +20 -20
- data/lib/prx_auth/rails/railtie.rb +3 -3
- data/lib/prx_auth/rails/token.rb +17 -4
- data/lib/prx_auth/rails/version.rb +1 -1
- data/lib/prx_auth/rails.rb +3 -3
- data/prx_auth-rails.gemspec +25 -26
- data/test/dummy/app/controllers/application_controller.rb +3 -3
- data/test/dummy/app/mailers/application_mailer.rb +2 -2
- data/test/dummy/bin/rails +1 -1
- data/test/dummy/bin/setup +7 -7
- data/test/dummy/config/boot.rb +2 -2
- data/test/dummy/config/environments/development.rb +2 -2
- data/test/dummy/config/environments/production.rb +5 -5
- data/test/dummy/config/environments/test.rb +2 -2
- data/test/dummy/config/initializers/assets.rb +1 -1
- data/test/dummy/config/initializers/prx_auth.rb +7 -7
- data/test/dummy/config/routes.rb +2 -2
- data/test/prx_auth/rails/configuration_test.rb +14 -15
- data/test/prx_auth/rails/ext/controller_test.rb +80 -81
- data/test/prx_auth/rails/sessions_controller_test.rb +39 -41
- data/test/prx_auth/rails/token_test.rb +44 -16
- data/test/prx_auth/rails_test.rb +11 -12
- data/test/test_helper.rb +15 -17
- metadata +21 -68
@@ -1,7 +1,7 @@
|
|
1
1
|
# Be sure to restart your server when you modify this file.
|
2
2
|
|
3
3
|
# Version of your assets, change this if you want to expire all your assets.
|
4
|
-
Rails.application.config.assets.version =
|
4
|
+
Rails.application.config.assets.version = "1.0"
|
5
5
|
|
6
6
|
# Add additional assets to the asset load path.
|
7
7
|
# Rails.application.config.assets.paths << Emoji.images_path
|
@@ -1,8 +1,8 @@
|
|
1
|
-
|
1
|
+
require "prx_auth/rails"
|
2
2
|
|
3
|
-
|
4
|
-
|
5
|
-
|
6
|
-
|
7
|
-
|
8
|
-
|
3
|
+
PrxAuth::Rails.configure do |config|
|
4
|
+
config.install_middleware = true
|
5
|
+
config.namespace = :test_app
|
6
|
+
config.prx_client_id = "1234"
|
7
|
+
config.id_host = "id.prx.test"
|
8
|
+
end
|
data/test/dummy/config/routes.rb
CHANGED
@@ -1,38 +1,37 @@
|
|
1
|
-
require
|
1
|
+
require "test_helper"
|
2
2
|
|
3
3
|
describe PrxAuth::Rails::Configuration do
|
4
|
-
|
5
4
|
subject { PrxAuth::Rails::Configuration.new }
|
6
5
|
|
7
|
-
it
|
6
|
+
it "initializes with defaults" do
|
8
7
|
assert subject.install_middleware
|
9
8
|
assert_nil subject.prx_client_id
|
10
9
|
assert_nil subject.prx_scope
|
11
|
-
assert_equal
|
12
|
-
assert_equal
|
10
|
+
assert_equal "id.prx.org", subject.id_host
|
11
|
+
assert_equal "api/v1/certs", subject.cert_path
|
13
12
|
end
|
14
13
|
|
15
|
-
it
|
14
|
+
it "infers the default namespace from the rails app name" do
|
16
15
|
assert_equal :dummy, subject.namespace
|
17
16
|
end
|
18
17
|
|
19
|
-
it
|
18
|
+
it "is updated by the prxauth configure block" do
|
20
19
|
PrxAuth::Rails.stub(:configuration, subject) do
|
21
20
|
PrxAuth::Rails.configure do |config|
|
22
21
|
config.install_middleware = false
|
23
|
-
config.prx_client_id =
|
24
|
-
config.prx_scope =
|
25
|
-
config.id_host =
|
26
|
-
config.cert_path =
|
22
|
+
config.prx_client_id = "some-id"
|
23
|
+
config.prx_scope = "appname:*"
|
24
|
+
config.id_host = "id.prx.blah"
|
25
|
+
config.cert_path = "cert/path"
|
27
26
|
config.namespace = :new_test
|
28
27
|
end
|
29
28
|
end
|
30
29
|
|
31
30
|
refute subject.install_middleware
|
32
|
-
assert_equal
|
33
|
-
assert_equal
|
34
|
-
assert_equal
|
35
|
-
assert_equal
|
31
|
+
assert_equal "some-id", subject.prx_client_id
|
32
|
+
assert_equal "appname:*", subject.prx_scope
|
33
|
+
assert_equal "id.prx.blah", subject.id_host
|
34
|
+
assert_equal "cert/path", subject.cert_path
|
36
35
|
assert_equal :new_test, subject.namespace
|
37
36
|
end
|
38
37
|
end
|
@@ -1,145 +1,144 @@
|
|
1
|
-
require
|
1
|
+
require "test_helper"
|
2
2
|
|
3
3
|
module PrxAuth::Rails::Ext
|
4
4
|
class ControllerTest < ActionController::TestCase
|
5
|
-
|
6
5
|
setup do
|
7
6
|
@controller = ApplicationController.new
|
8
7
|
@jwt_session_key = ApplicationController::PRX_JWT_SESSION_KEY
|
9
8
|
@user_info_key = ApplicationController::PRX_USER_INFO_SESSION_KEY
|
10
9
|
@account_mapping_key = ApplicationController::PRX_ACCOUNT_MAPPING_SESSION_KEY
|
11
|
-
@stub_claims = {
|
10
|
+
@stub_claims = {"iat" => Time.now.to_i, "exp" => Time.now.to_i + 3600}
|
12
11
|
end
|
13
12
|
|
14
13
|
# stub auth and init controller+session by getting a page
|
15
14
|
def with_stubbed_auth(jwt)
|
16
|
-
session[@jwt_session_key] =
|
15
|
+
session[@jwt_session_key] = "some-jwt"
|
17
16
|
@controller.stub(:prx_auth_needs_refresh?, false) do
|
18
17
|
get :index
|
19
|
-
assert_equal response.code,
|
18
|
+
assert_equal response.code, "200"
|
20
19
|
yield
|
21
20
|
end
|
22
21
|
end
|
23
22
|
|
24
|
-
test
|
23
|
+
test "redirects unless you are authenticated" do
|
25
24
|
get :index
|
26
|
-
assert_equal response.code,
|
27
|
-
assert response.headers[
|
25
|
+
assert_equal response.code, "302"
|
26
|
+
assert response.headers["Location"].ends_with?("/sessions/new")
|
28
27
|
end
|
29
28
|
|
30
|
-
test
|
31
|
-
session[@jwt_session_key] =
|
29
|
+
test "uses a valid session token" do
|
30
|
+
session[@jwt_session_key] = "some-jwt"
|
32
31
|
JSON::JWT.stub(:decode, @stub_claims) do
|
33
32
|
get :index
|
34
|
-
assert_equal response.code,
|
35
|
-
assert response.body.include?(
|
33
|
+
assert_equal response.code, "200"
|
34
|
+
assert response.body.include?("the controller index!")
|
36
35
|
assert @controller.current_user.is_a?(PrxAuth::Rails::Token)
|
37
36
|
end
|
38
37
|
end
|
39
38
|
|
40
|
-
test
|
41
|
-
session[@jwt_session_key] =
|
42
|
-
@stub_claims[
|
39
|
+
test "redirects if your token is nearing expiration" do
|
40
|
+
session[@jwt_session_key] = "some-jwt"
|
41
|
+
@stub_claims["exp"] = Time.now.to_i + 10
|
43
42
|
JSON::JWT.stub(:decode, @stub_claims) do
|
44
43
|
get :index
|
45
|
-
assert_equal response.code,
|
46
|
-
assert response.headers[
|
44
|
+
assert_equal response.code, "302"
|
45
|
+
assert response.headers["Location"].ends_with?("/sessions/new")
|
47
46
|
end
|
48
47
|
end
|
49
48
|
|
50
|
-
test
|
51
|
-
session[@jwt_session_key] =
|
52
|
-
@stub_claims[
|
49
|
+
test "does not redirect if your token has expired on a non-GET request" do
|
50
|
+
session[@jwt_session_key] = "some-jwt"
|
51
|
+
@stub_claims["exp"] = Time.now.to_i + 10
|
53
52
|
JSON::JWT.stub(:decode, @stub_claims) do
|
54
53
|
put :index
|
55
|
-
assert_equal response.code,
|
56
|
-
assert response.body.include?(
|
54
|
+
assert_equal response.code, "200"
|
55
|
+
assert response.body.include?("the controller index!")
|
57
56
|
end
|
58
57
|
end
|
59
58
|
|
60
|
-
test
|
61
|
-
with_stubbed_auth(
|
59
|
+
test "fetches current user info" do
|
60
|
+
with_stubbed_auth("some-jwt") do
|
62
61
|
body = {
|
63
|
-
|
64
|
-
|
65
|
-
|
62
|
+
"name" => "Some Username",
|
63
|
+
"apps" => {"publish.prx.test" => "https://publish.prx.test"},
|
64
|
+
"other" => "stuff"
|
66
65
|
}
|
67
66
|
|
68
67
|
id_host = PrxAuth::Rails.configuration.id_host
|
69
|
-
stub_request(:get, "https://#{id_host}/userinfo?scope=apps%20email%20profile")
|
70
|
-
with(headers: {
|
71
|
-
to_return(status: 200, body: JSON.generate(body))
|
72
|
-
|
73
|
-
assert session[@user_info_key]
|
74
|
-
assert_equal @controller.current_user_info, body.slice(
|
75
|
-
refute session[@user_info_key]
|
76
|
-
assert_equal @controller.current_user_name,
|
77
|
-
assert_equal @controller.current_user_apps, {
|
68
|
+
stub_request(:get, "https://#{id_host}/userinfo?scope=apps%20email%20profile")
|
69
|
+
.with(headers: {"Authorization" => "Bearer some-jwt"})
|
70
|
+
.to_return(status: 200, body: JSON.generate(body))
|
71
|
+
|
72
|
+
assert session[@user_info_key].nil?
|
73
|
+
assert_equal @controller.current_user_info, body.slice("name", "apps")
|
74
|
+
refute session[@user_info_key].nil?
|
75
|
+
assert_equal @controller.current_user_name, "Some Username"
|
76
|
+
assert_equal @controller.current_user_apps, {"PRX Publish" => "https://publish.prx.test"}
|
78
77
|
end
|
79
78
|
end
|
80
79
|
|
81
|
-
test
|
82
|
-
with_stubbed_auth(
|
83
|
-
session[@user_info_key] = {
|
84
|
-
assert_equal @controller.current_user_name,
|
80
|
+
test "has user name fallbacks" do
|
81
|
+
with_stubbed_auth("some-jwt") do
|
82
|
+
session[@user_info_key] = {"name" => "one", "preferred_username" => "two", "email" => "three"}
|
83
|
+
assert_equal @controller.current_user_name, "one"
|
85
84
|
|
86
|
-
session[@user_info_key] = {
|
87
|
-
assert_equal @controller.current_user_name,
|
85
|
+
session[@user_info_key] = {"preferred_username" => "two", "email" => "three"}
|
86
|
+
assert_equal @controller.current_user_name, "two"
|
88
87
|
|
89
|
-
session[@user_info_key] = {
|
90
|
-
assert_equal @controller.current_user_name,
|
88
|
+
session[@user_info_key] = {"email" => "three"}
|
89
|
+
assert_equal @controller.current_user_name, "three"
|
91
90
|
end
|
92
91
|
end
|
93
92
|
|
94
|
-
test
|
95
|
-
with_stubbed_auth(
|
93
|
+
test "filters apps displayed in production" do
|
94
|
+
with_stubbed_auth("some-jwt") do
|
96
95
|
Rails.env.stub(:production?, true) do
|
97
96
|
session[@user_info_key] = {
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
97
|
+
"apps" => {
|
98
|
+
"localhost stuff" => "http://localhost:4000/path1",
|
99
|
+
"publish.prx.test" => "https://publish.prx.test/path2",
|
100
|
+
"metrics.prx.tech" => "https://metrics.prx.tech/path3",
|
101
|
+
"augury.prx.org" => "https://augury.prx.org/path4"
|
103
102
|
}
|
104
103
|
}
|
105
104
|
|
106
105
|
assert_equal @controller.current_user_apps, {
|
107
|
-
|
108
|
-
|
106
|
+
"PRX Metrics" => "https://metrics.prx.tech/path3",
|
107
|
+
"PRX Augury" => "https://augury.prx.org/path4"
|
109
108
|
}
|
110
109
|
end
|
111
110
|
end
|
112
111
|
end
|
113
112
|
|
114
|
-
test
|
115
|
-
with_stubbed_auth(
|
116
|
-
one = {
|
117
|
-
three = {
|
118
|
-
body = {
|
113
|
+
test "fetches accounts" do
|
114
|
+
with_stubbed_auth("some-jwt") do
|
115
|
+
one = {"id" => 1, "type" => "IndividualAccount", "name" => "One"}
|
116
|
+
three = {"id" => 3, "type" => "GroupAccount", "name" => "Three"}
|
117
|
+
body = {"_embedded" => {"prx:items" => [one, three]}}
|
119
118
|
|
120
|
-
min_one = one.slice(
|
121
|
-
min_three = three.slice(
|
119
|
+
min_one = one.slice("name", "type")
|
120
|
+
min_three = three.slice("name", "type")
|
122
121
|
|
123
122
|
id_host = PrxAuth::Rails.configuration.id_host
|
124
|
-
stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=1,2,3")
|
125
|
-
to_return(status: 200, body: JSON.generate(body))
|
123
|
+
stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=1,2,3")
|
124
|
+
.to_return(status: 200, body: JSON.generate(body))
|
126
125
|
|
127
126
|
assert_nil session[@account_mapping_key]
|
128
127
|
assert_equal @controller.accounts_for([1, 2, 3]), [min_one, nil, min_three]
|
129
128
|
refute_nil session[@account_mapping_key]
|
130
129
|
assert_equal @controller.account_for(1), min_one
|
131
130
|
assert_equal @controller.account_for(3), min_three
|
132
|
-
assert_equal @controller.account_name_for(1),
|
133
|
-
assert_equal @controller.account_name_for(3),
|
131
|
+
assert_equal @controller.account_name_for(1), "One"
|
132
|
+
assert_equal @controller.account_name_for(3), "Three"
|
134
133
|
end
|
135
134
|
end
|
136
135
|
|
137
|
-
test
|
138
|
-
with_stubbed_auth(
|
136
|
+
test "handles unknown account ids" do
|
137
|
+
with_stubbed_auth("some-jwt") do
|
139
138
|
id_host = PrxAuth::Rails.configuration.id_host
|
140
|
-
stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=2")
|
141
|
-
to_return(status: 200, body: JSON.generate({
|
142
|
-
times(3)
|
139
|
+
stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=2")
|
140
|
+
.to_return(status: 200, body: JSON.generate({"_embedded" => {"prx:items" => []}}))
|
141
|
+
.times(3)
|
143
142
|
|
144
143
|
assert_equal @controller.accounts_for([2]), [nil]
|
145
144
|
assert_nil @controller.account_for(2)
|
@@ -147,25 +146,25 @@ module PrxAuth::Rails::Ext
|
|
147
146
|
end
|
148
147
|
end
|
149
148
|
|
150
|
-
test
|
151
|
-
with_stubbed_auth(
|
152
|
-
one = {
|
153
|
-
two = {
|
154
|
-
three = {
|
149
|
+
test "only fetches only missing accounts" do
|
150
|
+
with_stubbed_auth("some-jwt") do
|
151
|
+
one = {"name" => "One"}
|
152
|
+
two = {"id" => 2, "type" => "StationAccount", "name" => "Two"}
|
153
|
+
three = {"name" => "Three"}
|
155
154
|
session[@account_mapping_key] = {1 => one, 3 => three}
|
156
|
-
body = {
|
155
|
+
body = {"_embedded" => {"prx:items" => [two]}}
|
157
156
|
|
158
|
-
min_one = one.slice(
|
159
|
-
min_two = two.slice(
|
160
|
-
min_three = three.slice(
|
157
|
+
min_one = one.slice("name", "type")
|
158
|
+
min_two = two.slice("name", "type")
|
159
|
+
min_three = three.slice("name", "type")
|
161
160
|
|
162
161
|
id_host = PrxAuth::Rails.configuration.id_host
|
163
|
-
stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=2")
|
164
|
-
to_return(status: 200, body: JSON.generate(body))
|
162
|
+
stub_request(:get, "https://#{id_host}/api/v1/accounts?account_ids=2")
|
163
|
+
.to_return(status: 200, body: JSON.generate(body))
|
165
164
|
|
166
165
|
assert_equal @controller.accounts_for([1, 2, 3]), [min_one, min_two, min_three]
|
167
166
|
assert_equal @controller.account_for(2), min_two
|
168
|
-
assert_equal @controller.account_name_for(2),
|
167
|
+
assert_equal @controller.account_name_for(2), "Two"
|
169
168
|
end
|
170
169
|
end
|
171
170
|
end
|
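Review bot: The new assertions in the "fetches current user info" test, `assert session[@user_info_key].nil?` and `refute session[@user_info_key].nil?`, should be `assert_nil session[@user_info_key]` and `refute_nil session[@user_info_key]`, matching the `assert_nil`/`refute_nil` already used for `@account_mapping_key` later in the same hunk and reporting the actual value on failure instead of "Expected false to be truthy". The same `.nil?` form is introduced in sessions_controller_test.rb (`assert nonce.nil?`, `assert session[@nonce_session_key].nil?` twice, and `assert session[SessionsController::PRX_JWT_SESSION_KEY].nil?`). The rewritten `assert_equal response.code, "200"` and `"302"` lines keep the expected value in the second position, so a failure labels the literal as the actual value; `assert_equal "200", response.code` reads correctly in the message. The test name `"only fetches only missing accounts"` in the second hunk has a duplicated word.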
@@ -2,19 +2,18 @@ require "test_helper"
|
|
2
2
|
|
3
3
|
module PrxAuth::Rails
|
4
4
|
class SessionsControllerTest < ActionController::TestCase
|
5
|
-
|
6
5
|
setup do
|
7
6
|
@routes = PrxAuth::Rails::Engine.routes
|
8
7
|
@nonce_session_key = SessionsController::ID_NONCE_SESSION_KEY
|
9
8
|
@refresh_back_key = SessionsController::PRX_REFRESH_BACK_KEY
|
10
|
-
@token_params = {id_token:
|
11
|
-
@stub_claims = {
|
12
|
-
@stub_token = PrxAuth::Rails::Token.new(Rack::PrxAuth::TokenData.new
|
9
|
+
@token_params = {id_token: "idtok", access_token: "accesstok"}
|
10
|
+
@stub_claims = {"nonce" => "123", "sub" => "1"}
|
11
|
+
@stub_token = PrxAuth::Rails::Token.new(Rack::PrxAuth::TokenData.new)
|
13
12
|
end
|
14
13
|
|
15
14
|
test "new creates nonce" do
|
16
15
|
nonce = session[@nonce_session_key]
|
17
|
-
assert nonce
|
16
|
+
assert nonce.nil?
|
18
17
|
|
19
18
|
get :new
|
20
19
|
|
@@ -23,7 +22,7 @@ module PrxAuth::Rails
|
|
23
22
|
assert nonce.length == 32
|
24
23
|
end
|
25
24
|
|
26
|
-
test
|
25
|
+
test "new should should not overwrite the saved nonce" do
|
27
26
|
get :new
|
28
27
|
nonce1 = session[@nonce_session_key]
|
29
28
|
|
@@ -32,94 +31,93 @@ module PrxAuth::Rails
|
|
32
31
|
assert nonce1 == nonce2
|
33
32
|
end
|
34
33
|
|
35
|
-
test
|
34
|
+
test "create should validate a token and set the session variable" do
|
36
35
|
session[SessionsController::PRX_JWT_SESSION_KEY] = nil
|
37
36
|
@controller.stub(:validate_token, @stub_claims) do
|
38
37
|
@controller.stub(:session_token, @stub_token) do
|
39
|
-
session[@nonce_session_key] =
|
38
|
+
session[@nonce_session_key] = "123"
|
40
39
|
post :create, params: @token_params, format: :json
|
41
|
-
assert session[SessionsController::PRX_JWT_SESSION_KEY] ==
|
40
|
+
assert session[SessionsController::PRX_JWT_SESSION_KEY] == "accesstok"
|
42
41
|
end
|
43
42
|
end
|
44
43
|
end
|
45
44
|
|
46
|
-
test
|
47
|
-
@controller.stub(:validate_token, {
|
48
|
-
session[@nonce_session_key] =
|
45
|
+
test "create should call test_nonce! if upon verification" do
|
46
|
+
@controller.stub(:validate_token, {"nonce" => "not matching", "aud" => "1"}) do
|
47
|
+
session[@nonce_session_key] = "nonce"
|
49
48
|
post :create, params: @token_params, format: :json
|
50
|
-
assert session[@nonce_session_key]
|
49
|
+
assert session[@nonce_session_key].nil?
|
51
50
|
end
|
52
51
|
end
|
53
52
|
|
54
|
-
test
|
53
|
+
test "create should reset the nonce after consumed" do
|
55
54
|
@controller.stub(:validate_token, @stub_claims) do
|
56
55
|
@controller.stub(:session_token, @stub_token) do
|
57
|
-
session[@nonce_session_key] =
|
56
|
+
session[@nonce_session_key] = "123"
|
58
57
|
post :create, params: @token_params, format: :json
|
59
58
|
|
60
|
-
assert session[@nonce_session_key]
|
61
|
-
assert response.code ==
|
59
|
+
assert session[@nonce_session_key].nil?
|
60
|
+
assert response.code == "302"
|
62
61
|
assert response.body.match?(/after-sign-in-path/)
|
63
62
|
end
|
64
63
|
end
|
65
64
|
end
|
66
65
|
|
67
|
-
test
|
66
|
+
test "redirects to a back-path after refresh" do
|
68
67
|
@controller.stub(:validate_token, @stub_claims) do
|
69
68
|
@controller.stub(:session_token, @stub_token) do
|
70
|
-
session[@nonce_session_key] =
|
71
|
-
session[@refresh_back_key] =
|
69
|
+
session[@nonce_session_key] = "123"
|
70
|
+
session[@refresh_back_key] = "/lets/go/here?okay"
|
72
71
|
post :create, params: @token_params, format: :json
|
73
72
|
|
74
73
|
# A trailing log of the 'last' page
|
75
|
-
assert session[@refresh_back_key] ==
|
74
|
+
assert session[@refresh_back_key] == "/lets/go/here?okay"
|
76
75
|
|
77
|
-
assert response.code ==
|
78
|
-
assert response.headers[
|
76
|
+
assert response.code == "302"
|
77
|
+
assert response.headers["Location"].ends_with?("/lets/go/here?okay")
|
79
78
|
end
|
80
79
|
end
|
81
80
|
end
|
82
81
|
|
83
|
-
test
|
82
|
+
test "should respond with redirect to the auth error page / code if the nonce does not match" do
|
84
83
|
@controller.stub(:validate_token, @stub_claims) do
|
85
|
-
@token_params[:error] =
|
86
|
-
session[@nonce_session_key] =
|
84
|
+
@token_params[:error] = "verification_failed"
|
85
|
+
session[@nonce_session_key] = "nonce-does-not-match"
|
87
86
|
post :create, params: @token_params, format: :json
|
88
|
-
assert response.code ==
|
87
|
+
assert response.code == "302"
|
89
88
|
assert response.body.match(/auth_error\?error=verification_failed/)
|
90
89
|
end
|
91
90
|
end
|
92
91
|
|
93
|
-
test
|
94
|
-
get :auth_error, params: {error:
|
95
|
-
assert response.code ==
|
96
|
-
assert response.body.match?(/
|
92
|
+
test "auth_error should return a formatted error message to the user" do
|
93
|
+
get :auth_error, params: {error: "error_message"}
|
94
|
+
assert response.code == "200"
|
95
|
+
assert response.body.match?(/Not authorized/)
|
97
96
|
end
|
98
97
|
|
99
|
-
test
|
98
|
+
test "auth_error should expect the error param" do
|
100
99
|
assert_raises ActionController::ParameterMissing do
|
101
100
|
get :auth_error, params: {}
|
102
101
|
end
|
103
102
|
end
|
104
103
|
|
105
|
-
test
|
104
|
+
test "validates that the user id matches in both tokens" do
|
106
105
|
@controller.stub(:id_claims, @stub_claims) do
|
107
|
-
@controller.stub(:access_claims, @stub_claims.merge(
|
108
|
-
|
109
|
-
@
|
110
|
-
session[@nonce_session_key] = '123'
|
106
|
+
@controller.stub(:access_claims, @stub_claims.merge("sub" => "444")) do
|
107
|
+
@token_params[:error] = "verification_failed"
|
108
|
+
session[@nonce_session_key] = "123"
|
111
109
|
post :create, params: @token_params, format: :json
|
112
110
|
|
113
|
-
assert response.code ==
|
111
|
+
assert response.code == "302"
|
114
112
|
assert response.body.match?(/error=verification_failed/)
|
115
113
|
end
|
116
114
|
end
|
117
115
|
end
|
118
116
|
|
119
|
-
test
|
120
|
-
session[SessionsController::PRX_JWT_SESSION_KEY] =
|
117
|
+
test "should clear the user token on sign out" do
|
118
|
+
session[SessionsController::PRX_JWT_SESSION_KEY] = "some-token"
|
121
119
|
post :destroy
|
122
|
-
assert session[SessionsController::PRX_JWT_SESSION_KEY]
|
120
|
+
assert session[SessionsController::PRX_JWT_SESSION_KEY].nil?
|
123
121
|
end
|
124
122
|
end
|
125
123
|
end
|
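Review bot: The two verification-failure tests in the third hunk, "should respond with redirect to the auth error page / code if the nonce does not match" and "validates that the user id matches in both tokens", set `@token_params[:error] = "verification_failed"` on the request before `post :create` and then assert that the response body contains `error=verification_failed`, so if the controller passes a request `error` param through to the redirect the assertions would hold even when the nonce or `sub` mismatch went undetected; the controller is not in this hunk, but dropping that pre-seeded param would make the tests prove the check rather than echo it. Those two tests and "create should call test_nonce! if upon verification" also stop short of the state that matters on the mismatch path: adding `assert_nil session[SessionsController::PRX_JWT_SESSION_KEY]` after the post would confirm that no session token is issued when verification fails. The nonce test's name reads as a typo ("if upon verification").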
@@ -1,35 +1,35 @@
|
|
1
|
-
require
|
1
|
+
require "test_helper"
|
2
2
|
|
3
3
|
describe PrxAuth::Rails::Token do
|
4
|
-
let
|
5
|
-
let
|
6
|
-
let
|
7
|
-
let
|
8
|
-
let
|
9
|
-
let
|
10
|
-
|
11
|
-
it
|
4
|
+
let(:aur) { {"123" => "test_app:read other_namespace:write", "*" => "test_app:add"} }
|
5
|
+
let(:sub) { "123" }
|
6
|
+
let(:scope) { "one two three" }
|
7
|
+
let(:token_data) { Rack::PrxAuth::TokenData.new("aur" => aur, "scope" => scope, "sub" => sub) }
|
8
|
+
let(:mock_token_data) { Minitest::Mock.new(token_data) }
|
9
|
+
let(:token) { PrxAuth::Rails::Token.new(mock_token_data) }
|
10
|
+
|
11
|
+
it "automatically namespaces requests" do
|
12
12
|
mock_token_data.expect(:authorized?, true, ["123", :test_app, :read])
|
13
13
|
assert token.authorized?("123", :read)
|
14
14
|
|
15
15
|
mock_token_data.expect(:resources, ["123"], [:test_app, :read])
|
16
|
-
assert token.resources(:read) === [
|
16
|
+
assert token.resources(:read) === ["123"]
|
17
17
|
|
18
18
|
mock_token_data.expect(:globally_authorized?, true, [:test_app, :add])
|
19
|
-
assert token.globally_authorized?(:add)
|
19
|
+
assert token.globally_authorized?(:add)
|
20
20
|
|
21
21
|
mock_token_data.verify
|
22
22
|
end
|
23
23
|
|
24
|
-
it
|
24
|
+
it "allows unscoped calls to authorized?" do
|
25
25
|
assert token.authorized?("123")
|
26
26
|
end
|
27
27
|
|
28
|
-
it
|
29
|
-
assert token.resources == [
|
28
|
+
it "allows unscoped calls to resources" do
|
29
|
+
assert token.resources == ["123"]
|
30
30
|
end
|
31
31
|
|
32
|
-
it
|
32
|
+
it "allows manual setting of namespace" do
|
33
33
|
assert token.authorized?("123", :other_namespace, :write)
|
34
34
|
assert !token.authorized?("123", :other_namespace, :read)
|
35
35
|
|
@@ -41,5 +41,33 @@ describe PrxAuth::Rails::Token do
|
|
41
41
|
assert !token.globally_authorized?(:other_namespace, :add)
|
42
42
|
end
|
43
43
|
|
44
|
-
|
44
|
+
it "returns a token except resources" do
|
45
|
+
token2 = token.except("123")
|
46
|
+
|
47
|
+
assert token.authorized?("123", :read)
|
48
|
+
refute token2.authorized?("123", :read)
|
49
|
+
|
50
|
+
# BUT cannot remove wildcard resources
|
51
|
+
assert token.authorized?("123", :add)
|
52
|
+
assert token2.authorized?("123", :add)
|
53
|
+
|
54
|
+
# the ! version modifies
|
55
|
+
token.except!("123")
|
56
|
+
refute token.authorized?("123", :read)
|
57
|
+
end
|
58
|
+
|
59
|
+
it "checks for empty resources" do
|
60
|
+
# wilcard tokens are never empty
|
61
|
+
refute token.empty_resources?
|
62
|
+
refute token.except("123").empty_resources?
|
63
|
+
|
64
|
+
# non-wildcard token
|
65
|
+
aur2 = {"123" => "anything"}
|
66
|
+
token_data2 = Rack::PrxAuth::TokenData.new("aur" => aur2, "scope" => scope, "sub" => sub)
|
67
|
+
mock_token_data2 = Minitest::Mock.new(token_data2)
|
68
|
+
token2 = PrxAuth::Rails::Token.new(mock_token_data2)
|
69
|
+
|
70
|
+
refute token2.empty_resources?
|
71
|
+
assert token2.except("123").empty_resources?
|
72
|
+
end
|
45
73
|
end
|
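Review bot: The added comment `# wilcard tokens are never empty` in the "checks for empty resources" test misspells wildcard; `# wildcard tokens are never empty`. The `except`/`except!` test depends on the `"*"` entry in `aur` to show that wildcard grants survive `except("123")`, which the comment could say explicitly, e.g. `# BUT cannot remove wildcard ("*") resources`. The rewritten `assert token.resources(:read) === ["123"]` and `assert token.resources == ["123"]` in the first hunk give no actual value on failure; `assert_equal ["123"], token.resources(:read)` would.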