rack-oauth2-revibe 1.0.7

data/spec/rack/oauth2/server/authorize_spec.rb

@@ -0,0 +1,214 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Server::Authorize do
+  let(:app)          { Rack::OAuth2::Server::Authorize.new }
+  let(:request)      { Rack::MockRequest.new app }
+  let(:redirect_uri) { 'http://client.example.com/callback' }
+  let(:bad_request)  { Rack::OAuth2::Server::Authorize::BadRequest }
+
+  context 'when response_type is missing' do
+    it do
+      expect { request.get "/?client_id=client&redirect_uri=#{redirect_uri}" }.to raise_error bad_request
+    end
+  end
+
+  context 'when redirect_uri is missing' do
+    it do
+      expect { request.get "/?response_type=code&client_id=client" }.not_to raise_error
+    end
+  end
+
+  context 'when client_id is missing' do
+    it do
+      expect { request.get "/?response_type=code&redirect_uri=#{redirect_uri}" }.to raise_error bad_request
+    end
+  end
+
+  context 'when unknown response_type is given' do
+    it do
+      expect { request.get "/?response_type=unknown&client_id=client&redirect_uri=#{redirect_uri}" }.to raise_error bad_request
+    end
+  end
+
+  context 'when all required parameters are valid' do
+    [:code, :token].each do |request_type|
+      context "when response_type = :#{request_type}" do
+        subject { request.get "/?response_type=#{request_type}&client_id=client&redirect_uri=#{redirect_uri}" }
+        its(:status) { should == 200 }
+      end
+    end
+  end
+
+  describe Rack::OAuth2::Server::Authorize::Request do
+    let(:env)     { Rack::MockRequest.env_for("/authorize?client_id=client&redirect_uri=#{redirect_uri}") }
+    let(:request) { Rack::OAuth2::Server::Authorize::Request.new env }
+
+    describe '#varified_redirect_uri' do
+      context 'when an Array of pre-registered URIs are given' do
+        context 'when given redirect_uri is valid against one of them' do
+          let :pre_registered do
+            [
+              redirect_uri,
+              'http://ja.client.example.com/callback',
+              'http://en.client.example.com/callback'
+            ]
+          end
+          it 'should be valid' do
+            request.verify_redirect_uri!(pre_registered).should == redirect_uri
+          end
+        end
+
+        context 'otherwise' do
+          let :pre_registered do
+            [
+              'http://ja.client.example.com/callback',
+              'http://en.client.example.com/callback'
+            ]
+          end
+          it do
+            expect do
+              request.verify_redirect_uri!(pre_registered)
+            end.to raise_error bad_request
+          end
+        end
+      end
+
+      context 'when exact mathed redirect_uri is given' do
+        let(:pre_registered) { redirect_uri }
+        it 'should be valid' do
+          request.verify_redirect_uri!(pre_registered).should == redirect_uri
+        end
+      end
+
+      context 'when partially mathed redirect_uri is given' do
+        let(:pre_registered) { 'http://client.example.com' }
+
+        context 'when partial matching allowed' do
+          it 'should be valid' do
+            request.verify_redirect_uri!(pre_registered, :allow_partial_match).should == redirect_uri
+          end
+        end
+
+        context 'otherwise' do
+          it do
+            expect do
+              request.verify_redirect_uri!(pre_registered)
+            end.to raise_error bad_request
+          end
+        end
+      end
+
+      context 'when invalid redirect_uri is given' do
+        let(:pre_registered) { 'http://client2.example.com' }
+        it do
+          expect do
+            request.verify_redirect_uri!(pre_registered)
+          end.to raise_error bad_request
+        end
+      end
+
+      context 'when redirect_uri is missing' do
+        let(:env) { Rack::MockRequest.env_for("/authorize?client_id=client") }
+
+        context 'when pre-registered redirect_uri is a String' do
+          let(:pre_registered) { redirect_uri }
+          it 'should use pre-registered redirect_uri' do
+            request.verify_redirect_uri!(pre_registered).should == pre_registered
+          end
+        end
+
+        context 'when pre-registered redirect_uri is an Array' do
+          context 'when only 1' do
+            let(:pre_registered) { [redirect_uri] }
+
+            context 'when partial match allowed' do
+              it do
+                expect do
+                  request.verify_redirect_uri!(pre_registered, :allow_partial_match)
+                end.to raise_error bad_request
+              end
+            end
+
+            context 'otherwise' do
+              it 'should use pre-registered redirect_uri' do
+                request.verify_redirect_uri!(pre_registered).should == pre_registered.first
+              end
+            end
+          end
+
+          context 'when more than 2' do
+            let(:pre_registered) { [redirect_uri, 'http://client.example.com/callback2'] }
+            it do
+              expect do
+                request.verify_redirect_uri!(pre_registered)
+              end.to raise_error bad_request
+            end
+          end
+        end
+      end
+    end
+  end
+
+  describe 'extensibility' do
+    before do
+      require 'rack/oauth2/server/authorize/extension/code_and_token'
+    end
+
+    let(:env) do
+      Rack::MockRequest.env_for("/authorize?response_type=#{response_type}&client_id=client")
+    end
+    let(:request) { Rack::OAuth2::Server::Authorize::Request.new env }
+    its(:extensions) { should == [Rack::OAuth2::Server::Authorize::Extension::CodeAndToken] }
+
+    describe 'code token' do
+      let(:response_type) { 'code%20token' }
+      it do
+        app.send(
+          :response_type_for, request
+        ).should == Rack::OAuth2::Server::Authorize::Extension::CodeAndToken
+      end
+    end
+
+    describe 'token code' do
+      let(:response_type) { 'token%20code' }
+      it do
+        app.send(
+          :response_type_for, request
+        ).should == Rack::OAuth2::Server::Authorize::Extension::CodeAndToken
+      end
+    end
+
+    describe 'token code id_token' do
+      let(:response_type) { 'token%20code%20id_token' }
+      it do
+        expect do
+          app.send(:response_type_for, request)
+        end.to raise_error bad_request
+      end
+    end
+
+    describe 'id_token' do
+      before do
+        class Rack::OAuth2::Server::Authorize::Extension::IdToken < Rack::OAuth2::Server::Abstract::Handler
+          def self.response_type_for?(response_type)
+            response_type == 'id_token'
+          end
+        end
+      end
+
+      its(:extensions) do
+        should == [
+          Rack::OAuth2::Server::Authorize::Extension::CodeAndToken,
+          Rack::OAuth2::Server::Authorize::Extension::IdToken
+        ]
+      end
+
+      let(:response_type) { 'id_token' }
+      it do
+        app.send(
+          :response_type_for, request
+        ).should == Rack::OAuth2::Server::Authorize::Extension::IdToken
+      end
+    end
+  end
+end

data/spec/rack/oauth2/server/resource/bearer/error_spec.rb

@@ -0,0 +1,52 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Server::Resource::Bearer::Unauthorized do
+  let(:error) { Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(:invalid_token) }
+
+  it { should be_a Rack::OAuth2::Server::Resource::Unauthorized }
+
+  describe '#scheme' do
+    subject { error }
+    its(:scheme) { should == :Bearer }
+  end
+
+  describe '#finish' do
+    it 'should use Bearer scheme' do
+      status, header, response = error.finish
+      header['WWW-Authenticate'].should include 'Bearer'
+    end
+  end
+end
+
+describe Rack::OAuth2::Server::Resource::Bearer::ErrorMethods do
+  let(:unauthorized)        { Rack::OAuth2::Server::Resource::Bearer::Unauthorized }
+  let(:redirect_uri)        { 'http://client.example.com/callback' }
+  let(:default_description) { Rack::OAuth2::Server::Resource::ErrorMethods::DEFAULT_DESCRIPTION }
+  let(:env)                 { Rack::MockRequest.env_for("/authorize?client_id=client_id") }
+  let(:request)             { Rack::OAuth2::Server::Resource::Bearer::Request.new env }
+
+  describe 'unauthorized!' do
+    it do
+      expect { request.unauthorized! :invalid_client }.to raise_error unauthorized
+    end
+  end
+
+  Rack::OAuth2::Server::Resource::Bearer::ErrorMethods::DEFAULT_DESCRIPTION.keys.each do |error_code|
+    method = "#{error_code}!"
+    case error_code
+    when :invalid_request
+      # ignore
+    when :insufficient_scope
+      # ignore
+    else
+      describe method do
+        it "should raise Rack::OAuth2::Server::Resource::Bearer::Unauthorized with error = :#{error_code}" do
+          expect { request.send method }.to raise_error(unauthorized) { |error|
+            error.error.should       == error_code
+            error.description.should == default_description[error_code]
+          }
+        end
+      end
+    end
+  end
+end

data/spec/rack/oauth2/server/resource/bearer_spec.rb

@@ -0,0 +1,123 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Server::Resource::Bearer do
+  let(:app) do
+    Rack::OAuth2::Server::Resource::Bearer.new(simple_app) do |request|
+      case request.access_token
+      when 'valid_token'
+        bearer_token
+      when 'insufficient_scope_token'
+        request.insufficient_scope!
+      else
+        request.invalid_token!
+      end
+    end
+  end
+  let(:bearer_token) do
+    Rack::OAuth2::AccessToken::Bearer.new(:access_token => 'valid_token')
+  end
+  let(:access_token) { env[Rack::OAuth2::Server::Resource::ACCESS_TOKEN] }
+  let(:request) { app.call(env) }
+  subject { app.call(env) }
+
+  shared_examples_for :authenticated_bearer_request do
+    it 'should be authenticated' do
+      status, header, response = request
+      status.should == 200
+      access_token.should == bearer_token
+    end
+  end
+  shared_examples_for :unauthorized_bearer_request do
+    it 'should be unauthorized' do
+      status, header, response = request
+      status.should == 401
+      header['WWW-Authenticate'].should include 'Bearer'
+      access_token.should be_nil
+    end
+  end
+  shared_examples_for :bad_bearer_request do
+    it 'should be bad_request' do
+      status, header, response = request
+      status.should == 400
+      access_token.should be_nil
+    end
+  end
+  shared_examples_for :skipped_authentication_request do
+    it 'should skip OAuth 2.0 authentication' do
+      status, header, response = request
+      status.should == 200
+      access_token.should be_nil
+    end
+  end
+
+  context 'when no access token is given' do
+    let(:env) { Rack::MockRequest.env_for('/protected_resource') }
+    it_behaves_like :skipped_authentication_request
+  end
+
+  context 'when valid_token is given' do
+    context 'when token is in Authorization header' do
+      let(:env) { Rack::MockRequest.env_for('/protected_resource', 'HTTP_AUTHORIZATION' => 'Bearer valid_token') }
+      it_behaves_like :authenticated_bearer_request
+    end
+
+    context 'when token is in params' do
+      let(:env) { Rack::MockRequest.env_for('/protected_resource', :params => {:access_token => 'valid_token'}) }
+      it_behaves_like :authenticated_bearer_request
+    end
+  end
+
+  context 'when invalid authorization header is given' do
+    let(:env) { Rack::MockRequest.env_for('/protected_resource', 'HTTP_AUTHORIZATION' => '') }
+    it_behaves_like :skipped_authentication_request
+  end
+
+  context 'when invalid_token is given' do
+    let(:env) { Rack::MockRequest.env_for('/protected_resource', 'HTTP_AUTHORIZATION' => 'Bearer invalid_token') }
+
+    context 'when token is in Authorization header' do
+      it_behaves_like :unauthorized_bearer_request
+    end
+
+    context 'when token is in params' do
+      let(:env) { Rack::MockRequest.env_for('/protected_resource', :params => {:access_token => 'invalid_token'}) }
+      it_behaves_like :unauthorized_bearer_request
+    end
+
+    describe 'realm' do
+
+      context 'when specified' do
+        let(:realm) { 'server.example.com' }
+        let(:app) do
+          Rack::OAuth2::Server::Resource::Bearer.new(simple_app, realm) do |request|
+            request.unauthorized!
+          end
+        end
+        it 'should use specified realm' do
+          status, header, response = request
+          header['WWW-Authenticate'].should include "Bearer realm=\"#{realm}\""
+        end
+      end
+
+      context 'otherwize' do
+        it 'should use default realm' do
+          status, header, response = request
+          header['WWW-Authenticate'].should include "Bearer realm=\"#{Rack::OAuth2::Server::Resource::Bearer::DEFAULT_REALM}\""
+        end
+      end
+    end
+  end
+
+  context 'when multiple access_token is given' do
+    context 'when token is in Authorization header and params' do
+      let(:env) do
+        Rack::MockRequest.env_for(
+          '/protected_resource',
+          'HTTP_AUTHORIZATION' => 'Bearer valid_token',
+          :params => {:access_token => 'valid_token'}
+        )
+      end
+      it_behaves_like :bad_bearer_request
+    end
+  end
+end

data/spec/rack/oauth2/server/resource/error_spec.rb

@@ -0,0 +1,147 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Server::Resource::BadRequest do
+  let(:error) { Rack::OAuth2::Server::Resource::BadRequest.new(:invalid_request) }
+
+  it { should be_a Rack::OAuth2::Server::Abstract::BadRequest }
+
+  describe '#finish' do
+    it 'should respond in JSON' do
+      status, header, response = error.finish
+      status.should == 400
+      header['Content-Type'].should == 'application/json'
+      response.body.should == ['{"error":"invalid_request"}']
+    end
+  end
+end
+
+describe Rack::OAuth2::Server::Resource::Unauthorized do
+  let(:error) { Rack::OAuth2::Server::Resource::Unauthorized.new(:invalid_token) }
+  let(:realm) { Rack::OAuth2::Server::Resource::DEFAULT_REALM }
+
+  it { should be_a Rack::OAuth2::Server::Abstract::Unauthorized }
+
+  describe '#scheme' do
+    it do
+      expect { error.scheme }.to raise_error(RuntimeError, 'Define me!')
+    end
+  end
+
+  context 'when scheme is defined' do
+    let :error_with_scheme do
+      e = error
+      e.instance_eval do
+        def scheme
+          :Scheme
+        end
+      end
+      e
+    end
+
+    describe '#finish' do
+      it 'should respond in JSON' do
+        status, header, response = error_with_scheme.finish
+        status.should == 401
+        header['Content-Type'].should == 'application/json'
+        header['WWW-Authenticate'].should == "Scheme realm=\"#{realm}\", error=\"invalid_token\""
+        response.body.should == ['{"error":"invalid_token"}']
+      end
+
+      context 'when error_code is not invalid_token' do
+        let(:error) { Rack::OAuth2::Server::Resource::Unauthorized.new(:something) }
+
+        it 'should have error_code in body but not in WWW-Authenticate header' do
+          status, header, response = error_with_scheme.finish
+          header['WWW-Authenticate'].should == "Scheme realm=\"#{realm}\""
+          response.body.first.should include '"error":"something"'
+        end
+      end
+
+      context 'when realm is specified' do
+        let(:realm) { 'server.example.com' }
+        let(:error) { Rack::OAuth2::Server::Resource::Bearer::Unauthorized.new(:something, nil, :realm => realm) }
+
+        it 'should use given realm' do
+          status, header, response = error_with_scheme.finish
+          header['WWW-Authenticate'].should == "Scheme realm=\"#{realm}\""
+          response.body.first.should include '"error":"something"'
+        end
+      end
+    end
+  end
+end
+
+describe Rack::OAuth2::Server::Resource::Forbidden do
+  let(:error) { Rack::OAuth2::Server::Resource::Forbidden.new(:insufficient_scope) }
+
+  it { should be_a Rack::OAuth2::Server::Abstract::Forbidden }
+
+  describe '#finish' do
+    it 'should respond in JSON' do
+      status, header, response = error.finish
+      status.should == 403
+      header['Content-Type'].should == 'application/json'
+      response.body.should == ['{"error":"insufficient_scope"}']
+    end
+  end
+
+  context 'when scope option is given' do
+    let(:error) { Rack::OAuth2::Server::Resource::Bearer::Forbidden.new(:insufficient_scope, 'Desc', :scope => [:scope1, :scope2]) }
+
+    it 'should have blank WWW-Authenticate header' do
+      status, header, response = error.finish
+      response.body.first.should include '"scope":"scope1 scope2"'
+    end
+  end
+end
+
+describe Rack::OAuth2::Server::Resource::Bearer::ErrorMethods do
+  let(:bad_request)         { Rack::OAuth2::Server::Resource::BadRequest }
+  let(:forbidden)           { Rack::OAuth2::Server::Resource::Forbidden }
+  let(:redirect_uri)        { 'http://client.example.com/callback' }
+  let(:default_description) { Rack::OAuth2::Server::Resource::ErrorMethods::DEFAULT_DESCRIPTION }
+  let(:env)                 { Rack::MockRequest.env_for("/authorize?client_id=client_id") }
+  let(:request)             { Rack::OAuth2::Server::Resource::Request.new env }
+
+  describe 'bad_request!' do
+    it do
+      expect { request.bad_request! :invalid_request }.to raise_error bad_request
+    end
+  end
+
+  describe 'unauthorized!' do
+    it do
+      expect { request.unauthorized! :invalid_client }.to raise_error(RuntimeError, 'Define me!')
+    end
+  end
+
+  Rack::OAuth2::Server::Resource::ErrorMethods::DEFAULT_DESCRIPTION.keys.each do |error_code|
+    method = "#{error_code}!"
+    case error_code
+    when :invalid_request
+      describe method do
+        it "should raise Rack::OAuth2::Server::Resource::BadRequest with error = :#{error_code}" do
+          expect { request.send method }.to raise_error(bad_request) { |error|
+            error.error.should       == error_code
+            error.description.should == default_description[error_code]
+          }
+        end
+      end
+    when :insufficient_scope
+      describe method do
+        it "should raise Rack::OAuth2::Server::Resource::Forbidden with error = :#{error_code}" do
+          expect { request.send method }.to raise_error(forbidden) { |error|
+            error.error.should       == error_code
+            error.description.should == default_description[error_code]
+          }
+        end
+      end
+    else
+      describe method do
+        it do
+          expect { request.send method }.to raise_error(RuntimeError, 'Define me!')
+        end
+      end
+    end
+  end
+end