rack-oauth2-revibe 1.0.7

data/spec/rack/oauth2/access_token/mac/verifier_spec.rb

@@ -0,0 +1,25 @@
+require 'spec_helper'
+
+describe Rack::OAuth2::AccessToken::MAC::Verifier do
+  let(:verifier) { Rack::OAuth2::AccessToken::MAC::Verifier.new(:algorithm => algorithm) }
+  subject { verifier }
+
+  context 'when "hmac-sha-1" is specified' do
+    let(:algorithm) { 'hmac-sha-1' }
+    its(:hash_generator) { should be_instance_of OpenSSL::Digest::SHA1 }
+  end
+
+  context 'when "hmac-sha-256" is specified' do
+    let(:algorithm) { 'hmac-sha-256' }
+    its(:hash_generator) { should be_instance_of OpenSSL::Digest::SHA256 }
+  end
+
+  context 'otherwise' do
+    let(:algorithm) { 'invalid' }
+    it do
+      expect { verifier.send(:hash_generator) }.to raise_error(StandardError, 'Unsupported Algorithm')
+    end
+  end
+
+  
+end

data/spec/rack/oauth2/access_token/mac_spec.rb

@@ -0,0 +1,141 @@
+require 'spec_helper'
+
+describe Rack::OAuth2::AccessToken::MAC do
+  let(:ts) { 1305820234 }
+  let :token do
+    Rack::OAuth2::AccessToken::MAC.new(
+      :access_token => 'access_token',
+      :mac_key => 'secret',
+      :mac_algorithm => 'hmac-sha-256',
+      :ts => ts
+    )
+  end
+  let :token_with_ext_verifier do
+    Rack::OAuth2::AccessToken::MAC.new(
+      :access_token => 'access_token',
+      :mac_key => 'secret',
+      :mac_algorithm => 'hmac-sha-256',
+      :ts => ts,
+      :ext_verifier => Rack::OAuth2::AccessToken::MAC::Sha256HexVerifier
+    )
+  end
+  let(:nonce) { '1000:51e74de734c05613f37520872e68db5f' }
+  let(:resource_endpoint) { 'https://server.example.com/resources/fake' }
+  subject { token }
+
+  its(:mac_key)    { should == 'secret' }
+  its(:mac_algorithm) { should == 'hmac-sha-256' }
+  its(:token_response) do
+    should == {
+      :access_token => 'access_token',
+      :refresh_token => nil,
+      :token_type => :mac,
+      :expires_in => nil,
+      :scope => '',
+      :mac_key => 'secret',
+      :mac_algorithm => 'hmac-sha-256'
+    }
+  end
+  its(:generate_nonce) { should be_a String }
+
+  describe 'verify!' do
+    let(:request) { Rack::OAuth2::Server::Resource::MAC::Request.new(env) }
+
+    context 'when no ext_verifier is given' do
+      let(:env) do
+        Rack::MockRequest.env_for(
+          '/protected_resources',
+          'HTTP_AUTHORIZATION' => %{MAC id="access_token", nonce="#{nonce}", ts="#{ts}" mac="#{signature}"}
+        )
+      end
+
+      context 'when signature is valid' do
+        let(:signature) { 'BgooS/voPOZWLwoVfx4+zbC3xAVKW3jtjhKYOfIGZOA=' }
+        it do
+
+          token.verify!(request.setup!).should == :verified
+        end
+      end
+
+      context 'otherwise' do
+        let(:signature) { 'invalid' }
+        it do
+          expect { token.verify!(request.setup!) }.to raise_error(
+            Rack::OAuth2::Server::Resource::MAC::Unauthorized,
+            'invalid_token :: Signature Invalid'
+          )
+        end
+      end
+    end
+
+    context 'when ext_verifier is given' do
+      let(:env) do
+        Rack::MockRequest.env_for(
+          '/protected_resources',
+          :method => :POST,
+          :params => {
+            :key1 => 'value1'
+          },
+          'HTTP_AUTHORIZATION' => %{MAC id="access_token", nonce="#{nonce}", ts="#{ts}", mac="#{signature}", ext="#{ext}"}
+        )
+      end
+      let(:signature) { 'invalid' }
+
+      context 'when ext is invalid' do
+        let(:ext) { 'invalid' }
+        it do
+          expect { token_with_ext_verifier.verify!(request.setup!) }.to raise_error(
+            Rack::OAuth2::Server::Resource::MAC::Unauthorized,
+            'invalid_token :: Sha256HexVerifier Invalid'
+          )
+        end
+      end
+
+      context 'when ext is valid' do
+        let(:ext) { '4cfcd46c59f54b5ea6a5f9b05c28b52fef2864747194b5fdfc3d59c0057bf35a' }
+
+        context 'when signature is valid' do
+          let(:signature) { 'dZYR54n+Lym5qCRRmDqmRZ71rG+bkjSWmqrOv8OjYHk=' }
+          it do
+            Time.fix(Time.at(1302361200)) do
+              token_with_ext_verifier.verify!(request.setup!).should == :verified
+            end
+          end
+        end
+
+        context 'otherwise' do
+          it do
+            expect { token.verify!(request.setup!) }.to raise_error(
+              Rack::OAuth2::Server::Resource::MAC::Unauthorized,
+              'invalid_token :: Signature Invalid'
+            )
+          end
+        end
+      end
+    end
+  end
+
+  describe '.authenticate' do
+    let(:request) { HTTPClient.new.send(:create_request, :post, URI.parse(resource_endpoint), {}, {:hello => "world"}, {}) }
+    context 'when no ext_verifier is given' do
+      let(:signature) { 'pOBaL6HRawe4tUPmcU4vJEj1f2GJqrbQOlCcdAYgI/s=' }
+
+      it 'should set Authorization header' do
+        token.should_receive(:generate_nonce).and_return(nonce)
+        request.header.should_receive(:[]=).with('Authorization', "MAC id=\"access_token\", nonce=\"#{nonce}\", ts=\"#{ts.to_i}\", mac=\"#{signature}\"")
+        token.authenticate(request)
+      end
+    end
+
+    context 'when ext_verifier is given' do
+      let(:signature) { 'vgU0fj6rSpwUCAoCOrXlu8pZBR8a5Q5xIVlB4MCvJeM=' }
+      let(:ext) { '3d011e09502a84552a0f8ae112d024cc2c115597e3a577d5f49007902c221dc5' }
+      it 'should set Authorization header with ext_verifier' do
+        token_with_ext_verifier.should_receive(:generate_nonce).and_return(nonce)
+        request.header.should_receive(:[]=).with('Authorization', "MAC id=\"access_token\", nonce=\"#{nonce}\", ts=\"#{ts.to_i}\", mac=\"#{signature}\", ext=\"#{ext}\"")
+        token_with_ext_verifier.authenticate(request)
+      end
+    end
+
+  end
+end

data/spec/rack/oauth2/access_token_spec.rb

@@ -0,0 +1,69 @@
+require 'spec_helper'
+
+describe Rack::OAuth2::AccessToken do
+  let :token do
+    Rack::OAuth2::AccessToken::Bearer.new(
+      :access_token => 'access_token',
+      :refresh_token => 'refresh_token',
+      :expires_in => 3600,
+      :scope => [:scope1, :scope2]
+    )
+  end
+  subject { token }
+
+  its(:access_token)  { should == 'access_token' }
+  its(:refresh_token) { should == 'refresh_token' }
+  its(:expires_in)    { should == 3600 }
+  its(:scope)         { should == [:scope1, :scope2] }
+  its(:token_response) do
+    should == {
+      :token_type => :bearer,
+      :access_token => 'access_token',
+      :refresh_token => 'refresh_token',
+      :expires_in => 3600,
+      :scope => 'scope1 scope2'
+    }
+  end
+
+  context 'when access_token is missing' do
+    it do
+      expect do
+        Rack::OAuth2::AccessToken::Bearer.new(
+          :refresh_token => 'refresh_token',
+          :expires_in => 3600,
+          :scope => [:scope1, :scope2]
+        )
+      end.to raise_error AttrRequired::AttrMissing
+    end
+  end
+
+  context 'otherwise' do
+    it do
+      expect do
+        Rack::OAuth2::AccessToken::Bearer.new(
+          :access_token => 'access_token'
+        )
+      end.not_to raise_error
+    end
+  end
+
+  let(:resource_endpoint) { 'https://server.example.com/resources/fake' }
+  [:get, :delete, :post, :put].each do |method|
+    describe method do
+      it 'should delegate to HTTPClient with Authenticator filter' do
+        token.httpclient.should_receive(method).with(resource_endpoint)
+        token.httpclient.request_filter.last.should be_a Rack::OAuth2::AccessToken::Authenticator
+        token.send method, resource_endpoint
+      end
+    end
+
+    context 'in debug mode' do
+      it do
+        Rack::OAuth2.debug do
+          token.httpclient.request_filter[-2].should be_a Rack::OAuth2::AccessToken::Authenticator
+          token.httpclient.request_filter.last.should be_a Rack::OAuth2::Debugger::RequestFilter
+        end
+      end
+    end
+  end
+end

data/spec/rack/oauth2/client/error_spec.rb

@@ -0,0 +1,18 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Client::Error do
+  let :error do
+    {
+      :error => :invalid_request,
+      :error_description => 'Include invalid parameters',
+      :error_uri => 'http://server.example.com/error/invalid_request'
+    }
+  end
+  subject do
+    Rack::OAuth2::Client::Error.new 400, error
+  end
+
+  its(:status)   { should == 400 }
+  its(:message)  { should == error[:error_description] }
+  its(:response) { should == error }
+end

data/spec/rack/oauth2/client/grant/authorization_code_spec.rb

@@ -0,0 +1,37 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Client::Grant::AuthorizationCode do
+  let(:redirect_uri) { 'https://client.example.com/callback' }
+  let(:grant) { Rack::OAuth2::Client::Grant::AuthorizationCode }
+
+  context 'when code is given' do
+    let :attributes do
+      {:code => 'code'}
+    end
+
+    context 'when redirect_uri is given' do
+      let :attributes do
+        {:code => 'code', :redirect_uri => redirect_uri}
+      end
+      subject { grant.new attributes }
+      its(:redirect_uri) { should == redirect_uri }
+      its(:as_json) do
+        should == {:grant_type => :authorization_code, :code => 'code', :redirect_uri => redirect_uri}
+      end
+    end
+
+    context 'otherwise' do
+      subject { grant.new attributes }
+      its(:redirect_uri) { should be_nil }
+      its(:as_json) do
+        should == {:grant_type => :authorization_code, :code => 'code', :redirect_uri => nil}
+      end
+    end
+  end
+
+  context 'otherwise' do
+    it do
+      expect { grant.new }.to raise_error AttrRequired::AttrMissing
+    end
+  end
+end

data/spec/rack/oauth2/client/grant/client_credentials_spec.rb

@@ -0,0 +1,7 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Client::Grant::ClientCredentials do
+  its(:as_json) do
+    should == {:grant_type => :client_credentials}
+  end
+end

data/spec/rack/oauth2/client/grant/password_spec.rb

@@ -0,0 +1,33 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Client::Grant::Password do
+  let(:grant) { Rack::OAuth2::Client::Grant::Password }
+
+  context 'when username is given' do
+    let :attributes do
+      {:username => 'username'}
+    end
+
+    context 'when password is given' do
+      let :attributes do
+        {:username => 'username', :password => 'password'}
+      end
+      subject { grant.new attributes }
+      its(:as_json) do
+        should == {:grant_type => :password, :username => 'username', :password => 'password'}
+      end
+    end
+
+    context 'otherwise' do
+      it do
+        expect { grant.new attributes }.to raise_error AttrRequired::AttrMissing
+      end
+    end
+  end
+
+  context 'otherwise' do
+    it do
+      expect { grant.new }.to raise_error AttrRequired::AttrMissing
+    end
+  end
+end

data/spec/rack/oauth2/client/grant/refresh_token_spec.rb

@@ -0,0 +1,21 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Client::Grant::RefreshToken do
+  let(:grant) { Rack::OAuth2::Client::Grant::RefreshToken }
+
+  context 'when refresh_token is given' do
+    let :attributes do
+      {:refresh_token => 'refresh_token'}
+    end
+    subject { grant.new attributes }
+    its(:as_json) do
+      should == {:grant_type => :refresh_token, :refresh_token => 'refresh_token'}
+    end
+  end
+
+  context 'otherwise' do
+    it do
+      expect { grant.new }.to raise_error AttrRequired::AttrMissing
+    end
+  end
+end

data/spec/rack/oauth2/client_spec.rb

@@ -0,0 +1,287 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Client do
+  let :client do
+    Rack::OAuth2::Client.new(
+      :identifier => 'client_id',
+      :secret => 'client_secret',
+      :host => 'server.example.com',
+      :redirect_uri => 'https://client.example.com/callback'
+    )
+  end
+  subject { client }
+
+  its(:identifier) { should == 'client_id' }
+  its(:secret)     { should == 'client_secret' }
+  its(:authorization_endpoint) { should == '/oauth2/authorize' }
+  its(:token_endpoint)         { should == '/oauth2/token' }
+
+  context 'when identifier is missing' do
+    it do
+      expect { Rack::OAuth2::Client.new }.to raise_error AttrRequired::AttrMissing
+    end
+  end
+
+  describe '#authorization_uri' do
+    subject { client.authorization_uri }
+    it { should include 'https://server.example.com/oauth2/authorize' }
+    it { should include 'client_id=client_id' }
+    it { should include 'redirect_uri=https%3A%2F%2Fclient.example.com%2Fcallback' }
+    it { should include 'response_type=code' }
+
+    context 'when endpoints are absolute URIs' do
+      before do
+        client.authorization_endpoint = 'https://server2.example.com/oauth/authorize'
+        client.token_endpoint = 'https://server2.example.com/oauth/token'
+      end
+      it { should include 'https://server2.example.com/oauth/authorize' }
+    end
+
+    context 'when scheme is specified' do
+      before { client.scheme = 'http' }
+      it { should include 'http://server.example.com/oauth2/authorize' }
+    end
+
+    context 'when response_type is token' do
+      subject { client.authorization_uri(:response_type => :token) }
+      it { should include 'response_type=token' }
+    end
+
+    context 'when response_type is an Array' do
+      subject { client.authorization_uri(:response_type => [:token, :code]) }
+      it { should include 'response_type=token+code' }
+    end
+
+    context 'when scope is given' do
+      subject { client.authorization_uri(:scope => [:scope1, :scope2]) }
+      it { should include 'scope=scope1+scope2' }
+    end
+  end
+
+  describe '#authorization_code=' do
+    before  { client.authorization_code = 'code' }
+    subject { client.instance_variable_get('@grant') }
+    it { should be_instance_of Rack::OAuth2::Client::Grant::AuthorizationCode }
+  end
+
+  describe '#resource_owner_credentials=' do
+    before  { client.resource_owner_credentials = 'username', 'password' }
+    subject { client.instance_variable_get('@grant') }
+    it { should be_instance_of Rack::OAuth2::Client::Grant::Password }
+  end
+
+  describe '#refresh_token=' do
+    before  { client.refresh_token = 'refresh_token' }
+    subject { client.instance_variable_get('@grant') }
+    it { should be_instance_of Rack::OAuth2::Client::Grant::RefreshToken }
+  end
+
+  describe '#access_token!' do
+    subject { client.access_token! }
+
+    describe 'client authentication method' do
+      before do
+        client.authorization_code = 'code'
+      end
+
+      it 'should be Basic auth as default' do
+        mock_response(
+          :post,
+          'https://server.example.com/oauth2/token',
+          'tokens/bearer.json',
+          :request_header => {
+            'Authorization' => 'Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ='
+          }
+        )
+        client.access_token!
+      end
+
+      context 'when other auth method specified' do
+        it do
+          mock_response(
+            :post,
+            'https://server.example.com/oauth2/token',
+            'tokens/bearer.json',
+            :params => {
+              :client_id => 'client_id',
+              :client_secret => 'client_secret',
+              :code => 'code',
+              :grant_type => 'authorization_code',
+              :redirect_uri => 'https://client.example.com/callback'
+            }
+          )
+          client.access_token! :client_auth_body
+        end
+      end
+    end
+
+    describe 'scopes' do
+      context 'when scope option given' do
+        it 'should specify given scope' do
+          mock_response(
+            :post,
+            'https://server.example.com/oauth2/token',
+            'tokens/bearer.json',
+            :params => {
+              :grant_type => 'client_credentials',
+              :scope => 'a b'
+            }
+          )
+          client.access_token! :scope => [:a, :b]
+        end
+      end
+    end
+
+    context 'when bearer token is given' do
+      before  do
+        client.authorization_code = 'code'
+        mock_response(
+          :post,
+          'https://server.example.com/oauth2/token',
+          'tokens/bearer.json'
+        )
+      end
+      it { should be_instance_of Rack::OAuth2::AccessToken::Bearer }
+      its(:token_type) { should == :bearer }
+      its(:access_token) { should == 'access_token' }
+      its(:refresh_token) { should == 'refresh_token' }
+      its(:expires_in) { should == 3600 }
+
+      context 'when token type is "Bearer", not "bearer"' do
+        before  do
+          client.authorization_code = 'code'
+          mock_response(
+            :post,
+            'https://server.example.com/oauth2/token',
+            'tokens/_Bearer.json'
+          )
+        end
+        it { should be_instance_of Rack::OAuth2::AccessToken::Bearer }
+        its(:token_type) { should == :bearer }
+      end
+    end
+
+    context 'when mac token is given' do
+      before  do
+        client.authorization_code = 'code'
+        mock_response(
+          :post,
+          'https://server.example.com/oauth2/token',
+          'tokens/mac.json'
+        )
+      end
+      it { should be_instance_of Rack::OAuth2::AccessToken::MAC }
+      its(:token_type) { should == :mac }
+      its(:access_token) { should == 'access_token' }
+      its(:refresh_token) { should == 'refresh_token' }
+      its(:expires_in) { should == 3600 }
+    end
+
+    context 'when no-type token is given (JSON)' do
+      before  do
+        client.authorization_code = 'code'
+        mock_response(
+          :post,
+          'https://server.example.com/oauth2/token',
+          'tokens/legacy.json'
+        )
+      end
+      it { should be_instance_of Rack::OAuth2::AccessToken::Legacy }
+      its(:token_type) { should == :legacy }
+      its(:access_token) { should == 'access_token' }
+      its(:refresh_token) { should == 'refresh_token' }
+      its(:expires_in) { should == 3600 }
+    end
+
+    context 'when no-type token is given (key-value)' do
+      before do
+        mock_response(
+          :post,
+          'https://server.example.com/oauth2/token',
+          'tokens/legacy.txt'
+        )
+      end
+      it { should be_instance_of Rack::OAuth2::AccessToken::Legacy }
+      its(:token_type) { should == :legacy }
+      its(:access_token) { should == 'access_token' }
+      its(:expires_in) { should == 3600 }
+
+      context 'when expires_in is not given' do
+        before do
+          mock_response(
+            :post,
+            'https://server.example.com/oauth2/token',
+            'tokens/legacy_without_expires_in.txt'
+          )
+        end
+        its(:expires_in) { should be_nil }
+      end
+    end
+
+    context 'when unknown-type token is given' do
+      before  do
+        client.authorization_code = 'code'
+        mock_response(
+          :post,
+          'https://server.example.com/oauth2/token',
+          'tokens/unknown.json'
+        )
+      end
+      it do
+        expect { client.access_token! }.to raise_error(StandardError, 'Unknown Token Type')
+      end
+    end
+
+    context 'when error response is given' do
+      before do
+        mock_response(
+          :post,
+          'https://server.example.com/oauth2/token',
+          'errors/invalid_request.json',
+          :status => 400
+        )
+      end
+      it do
+        expect { client.access_token! }.to raise_error Rack::OAuth2::Client::Error
+      end
+    end
+
+    context 'when no body given' do
+      context 'when error given' do
+        before do
+          mock_response(
+            :post,
+            'https://server.example.com/oauth2/token',
+            'blank',
+            :status => 400
+          )
+        end
+        it do
+          expect { client.access_token! }.to raise_error Rack::OAuth2::Client::Error
+        end
+      end
+    end
+  end
+
+  context 'when no host info' do
+    let :client do
+      Rack::OAuth2::Client.new(
+        :identifier => 'client_id',
+        :secret => 'client_secret',
+        :redirect_uri => 'https://client.example.com/callback'
+      )
+    end
+
+    describe '#authorization_uri' do
+      it do
+        expect { client.authorization_uri }.to raise_error 'No Host Info'
+      end
+    end
+
+    describe '#access_token!' do
+      it do
+        expect { client.access_token! }.to raise_error 'No Host Info'
+      end
+    end
+  end
+end