rack-oauth2-revibe 1.0.7

data/spec/rack/oauth2/server/resource/mac/error_spec.rb

@@ -0,0 +1,52 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Server::Resource::MAC::Unauthorized do
+  let(:error) { Rack::OAuth2::Server::Resource::MAC::Unauthorized.new(:invalid_token) }
+
+  it { should be_a Rack::OAuth2::Server::Resource::Unauthorized }
+
+  describe '#scheme' do
+    subject { error }
+    its(:scheme) { should == :MAC }
+  end
+
+  describe '#finish' do
+    it 'should use MAC scheme' do
+      status, header, response = error.finish
+      header['WWW-Authenticate'].should =~ /^MAC /
+    end
+  end
+end
+
+describe Rack::OAuth2::Server::Resource::MAC::ErrorMethods do
+  let(:unauthorized)        { Rack::OAuth2::Server::Resource::MAC::Unauthorized }
+  let(:redirect_uri)        { 'http://client.example.com/callback' }
+  let(:default_description) { Rack::OAuth2::Server::Resource::ErrorMethods::DEFAULT_DESCRIPTION }
+  let(:env)                 { Rack::MockRequest.env_for("/authorize?client_id=client_id") }
+  let(:request)             { Rack::OAuth2::Server::Resource::MAC::Request.new env }
+
+  describe 'unauthorized!' do
+    it do
+      expect { request.unauthorized! :invalid_client }.to raise_error unauthorized
+    end
+  end
+
+  Rack::OAuth2::Server::Resource::Bearer::ErrorMethods::DEFAULT_DESCRIPTION.keys.each do |error_code|
+    method = "#{error_code}!"
+    case error_code
+    when :invalid_request
+      # ignore
+    when :insufficient_scope
+      # ignore
+    else
+      describe method do
+        it "should raise Rack::OAuth2::Server::Resource::Bearer::Unauthorized with error = :#{error_code}" do
+          expect { request.send method }.to raise_error(unauthorized) { |error|
+            error.error.should       == error_code
+            error.description.should == default_description[error_code]
+          }
+        end
+      end
+    end
+  end
+end

data/spec/rack/oauth2/server/resource/mac_spec.rb

@@ -0,0 +1,119 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Server::Resource::MAC do
+  let(:app) do
+    Rack::OAuth2::Server::Resource::MAC.new(simple_app) do |request|
+      case request.access_token
+      when 'valid_token'
+        token = mac_token
+        token.verify!(request)
+        token
+      when 'insufficient_scope_token'
+        request.insufficient_scope!
+      else
+        request.invalid_token!
+      end
+    end
+  end
+  let(:mac_token) do
+    Rack::OAuth2::AccessToken::MAC.new(
+      :access_token => 'valid_token',
+      :mac_key => 'secret',
+      :mac_algorithm => 'hmac-sha-256',
+      :ts => 1305820230 # fix verification time
+    )
+  end
+  let(:access_token) { env[Rack::OAuth2::Server::Resource::ACCESS_TOKEN] }
+  let(:request) { app.call(env) }
+  subject { app.call(env) }
+
+  shared_examples_for :non_mac_request do
+    it 'should skip OAuth 2.0 authentication' do
+      status, header, response = request
+      status.should == 200
+      access_token.should be_nil
+    end
+  end
+  shared_examples_for :authenticated_mac_request do
+    it 'should be authenticated' do
+      status, header, response = request
+      status.should == 200
+      access_token.should == mac_token
+    end
+  end
+  shared_examples_for :unauthorized_mac_request do
+    it 'should be unauthorized' do
+      status, header, response = request
+      status.should == 401
+      header['WWW-Authenticate'].should include 'MAC'
+      access_token.should be_nil
+    end
+  end
+  shared_examples_for :bad_mac_request do
+    it 'should be unauthorized' do
+      status, header, response = request
+      status.should == 400
+      access_token.should be_nil
+    end
+  end
+
+  context 'when no access token is given' do
+    let(:env) { Rack::MockRequest.env_for('/protected_resource') }
+    it 'should skip OAuth 2.0 authentication' do
+      status, header, response = request
+      status.should == 200
+      access_token.should be_nil
+    end
+  end
+
+  context 'when valid_token is given' do
+    context 'when other required params are missing' do
+      let(:env) { Rack::MockRequest.env_for('/protected_resource', 'HTTP_AUTHORIZATION' => 'MAC id="valid_token"') }
+      it_behaves_like :unauthorized_mac_request
+    end
+
+    context 'when other required params are invalid' do
+      let(:env) { Rack::MockRequest.env_for('/protected_resource', 'HTTP_AUTHORIZATION' => 'MAC id="valid_token", nonce="51e74de734c05613f37520872e68db5f", ts="1305820234", mac="invalid""') }
+      it_behaves_like :unauthorized_mac_request
+    end
+
+    context 'when all required params are valid' do
+      let(:env) { Rack::MockRequest.env_for('/protected_resource', 'HTTP_AUTHORIZATION' => 'MAC id="valid_token", nonce="51e74de734c05613f37520872e68db5f", ts="1305820234", mac="26JP6MMZyAHLHeMU8+m+NbVJgZbikp5SlT86/a62pwg="') }
+      it_behaves_like :authenticated_mac_request
+    end
+
+    context 'when all required params are valid and ts is expired' do
+      let(:env) { Rack::MockRequest.env_for('/protected_resource', 'HTTP_AUTHORIZATION' => 'MAC id="valid_token", nonce="51e74de734c05613f37520872e68db5f", ts="1305819234", mac="nuo4765MZrVL/qMsAtuTczhqZAE5y02ChaLCyOiVU68="') }
+      it_behaves_like :unauthorized_mac_request
+    end
+  end
+
+  context 'when invalid_token is given' do
+    let(:env) { Rack::MockRequest.env_for('/protected_resource', 'HTTP_AUTHORIZATION' => 'MAC id="invalid_token"') }
+    it_behaves_like :unauthorized_mac_request
+
+    describe 'realm' do
+      let(:env) { Rack::MockRequest.env_for('/protected_resource', 'HTTP_AUTHORIZATION' => 'MAC id="invalid_token"') }
+
+      context 'when specified' do
+        let(:realm) { 'server.example.com' }
+        let(:app) do
+          Rack::OAuth2::Server::Resource::MAC.new(simple_app, realm) do |request|
+            request.unauthorized!
+          end
+        end
+        it 'should use specified realm' do
+          status, header, response = request
+          header['WWW-Authenticate'].should include "MAC realm=\"#{realm}\""
+        end
+      end
+
+      context 'otherwize' do
+        it 'should use default realm' do
+          status, header, response = request
+          header['WWW-Authenticate'].should include "MAC realm=\"#{Rack::OAuth2::Server::Resource::DEFAULT_REALM}\""
+        end
+      end
+    end
+  end
+end

data/spec/rack/oauth2/server/resource_spec.rb

@@ -0,0 +1,23 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Server::Resource do
+  subject { Rack::OAuth2::Server::Resource.new(simple_app, 'realm') }
+  its(:realm) { should == 'realm' }
+end
+
+describe Rack::OAuth2::Server::Resource::Request do
+  let(:env) { Rack::MockRequest.env_for('/protected_resource') }
+  let(:request) { Rack::OAuth2::Server::Resource::Request.new(env) }
+
+  describe '#setup!' do
+    it do
+      expect { request.setup! }.to raise_error(RuntimeError, 'Define me!')
+    end
+  end
+
+  describe '#oauth2?' do
+    it do
+      expect { request.oauth2? }.to raise_error(RuntimeError, 'Define me!')
+    end
+  end
+end

data/spec/rack/oauth2/server/token/authorization_code_spec.rb

@@ -0,0 +1,43 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Server::Token::AuthorizationCode do
+  let(:request) { Rack::MockRequest.new app }
+  let(:app) do
+    Rack::OAuth2::Server::Token.new do |request, response|
+      response.access_token = Rack::OAuth2::AccessToken::Bearer.new(:access_token => 'access_token')
+    end
+  end
+  let(:params) do
+    {
+      :grant_type => 'authorization_code',
+      :client_id => 'client_id',
+      :code => 'authorization_code',
+      :redirect_uri => 'http://client.example.com/callback'
+    }
+  end
+  let(:response) { request.post('/', :params => params) }
+  subject { response }
+
+  its(:status)       { should == 200 }
+  its(:content_type) { should == 'application/json' }
+  its(:body)         { should include '"access_token":"access_token"' }
+  its(:body)         { should include '"token_type":"bearer"' }
+
+  it 'should prevent to be cached' do
+    response.header['Cache-Control'].should == 'no-store'
+    response.header['Pragma'].should == 'no-cache'
+  end
+
+  [:code].each do |required|
+    context "when #{required} is missing" do
+      before do
+        params.delete_if do |key, value|
+          key == required
+        end
+      end
+      its(:status)       { should == 400 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"error":"invalid_request"' }
+    end
+  end
+end

data/spec/rack/oauth2/server/token/client_credentials_spec.rb

@@ -0,0 +1,23 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Server::Token::ClientCredentials do
+  let(:request) { Rack::MockRequest.new app }
+  let(:app) do
+    Rack::OAuth2::Server::Token.new do |request, response|
+      response.access_token = Rack::OAuth2::AccessToken::Bearer.new(:access_token => 'access_token')
+    end
+  end
+  let(:params) do
+    {
+      :grant_type => 'client_credentials',
+      :client_id => 'client_id',
+      :client_secret => 'client_secret'
+    }
+  end
+  subject { request.post('/', :params => params) }
+
+  its(:status)       { should == 200 }
+  its(:content_type) { should == 'application/json' }
+  its(:body)         { should include '"access_token":"access_token"' }
+  its(:body)         { should include '"token_type":"bearer"' }
+end

data/spec/rack/oauth2/server/token/error_spec.rb

@@ -0,0 +1,77 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Server::Token::BadRequest do
+  let(:error) { Rack::OAuth2::Server::Token::BadRequest.new(:invalid_request) }
+
+  it { should be_a Rack::OAuth2::Server::Abstract::BadRequest }
+
+  describe '#finish' do
+    it 'should respond in JSON' do
+      status, header, response = error.finish
+      status.should == 400
+      header['Content-Type'].should == 'application/json'
+      response.body.should == ['{"error":"invalid_request"}']
+    end
+  end
+end
+
+describe Rack::OAuth2::Server::Token::Unauthorized do
+  let(:error) { Rack::OAuth2::Server::Token::Unauthorized.new(:invalid_request) }
+
+  it { should be_a Rack::OAuth2::Server::Abstract::Unauthorized }
+
+  describe '#finish' do
+    it 'should respond in JSON' do
+      status, header, response = error.finish
+      status.should == 401
+      header['Content-Type'].should == 'application/json'
+      header['WWW-Authenticate'].should == 'Basic realm="OAuth2 Token Endpoint"'
+      response.body.should == ['{"error":"invalid_request"}']
+    end
+  end
+end
+
+describe Rack::OAuth2::Server::Token::ErrorMethods do
+  let(:bad_request)         { Rack::OAuth2::Server::Token::BadRequest }
+  let(:unauthorized)        { Rack::OAuth2::Server::Token::Unauthorized }
+  let(:redirect_uri)        { 'http://client.example.com/callback' }
+  let(:default_description) { Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION }
+  let(:env)                 { Rack::MockRequest.env_for("/authorize?client_id=client_id") }
+  let(:request)             { Rack::OAuth2::Server::Token::Request.new env }
+
+  describe 'bad_request!' do
+    it do
+      expect { request.bad_request! :invalid_request }.to raise_error bad_request
+    end
+  end
+
+  describe 'unauthorized!' do
+    it do
+      expect { request.unauthorized! :invalid_client }.to raise_error unauthorized
+    end
+  end
+
+  Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION.keys.each do |error_code|
+    method = "#{error_code}!"
+    case error_code
+    when :invalid_client
+      describe method do
+        it "should raise Rack::OAuth2::Server::Token::Unauthorized with error = :#{error_code}" do
+          expect { request.send method }.to raise_error(unauthorized) { |error|
+            error.error.should       == error_code
+            error.description.should == default_description[error_code]
+          }
+        end
+      end
+    else
+      describe method do
+        it "should raise Rack::OAuth2::Server::Token::BadRequest with error = :#{error_code}" do
+          expect { request.send method }.to raise_error(bad_request) { |error|
+            error.error.should       == error_code
+            error.description.should == default_description[error_code]
+          }
+        end
+      end
+    end
+  end
+end

data/spec/rack/oauth2/server/token/password_spec.rb

@@ -0,0 +1,37 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Server::Token::Password do
+  let(:request) { Rack::MockRequest.new app }
+  let(:app) do
+    Rack::OAuth2::Server::Token.new do |request, response|
+      response.access_token = Rack::OAuth2::AccessToken::Bearer.new(:access_token => 'access_token')
+    end
+  end
+  let(:params) do
+    {
+      :grant_type => 'password',
+      :client_id => 'client_id',
+      :username => 'nov',
+      :password => 'secret'
+    }
+  end
+  subject { request.post('/', :params => params) }
+
+  its(:status)       { should == 200 }
+  its(:content_type) { should == 'application/json' }
+  its(:body)         { should include '"access_token":"access_token"' }
+  its(:body)         { should include '"token_type":"bearer"' }
+
+  [:username, :password].each do |required|
+    context "when #{required} is missing" do
+      before do
+        params.delete_if do |key, value|
+          key == required
+        end
+      end
+      its(:status)       { should == 400 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"error":"invalid_request"' }
+    end
+  end
+end

data/spec/rack/oauth2/server/token/refresh_token_spec.rb

@@ -0,0 +1,34 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Server::Token::RefreshToken do
+  let(:request) { Rack::MockRequest.new app }
+  let(:app) do
+    Rack::OAuth2::Server::Token.new do |request, response|
+      response.access_token = Rack::OAuth2::AccessToken::Bearer.new(:access_token => 'access_token')
+    end
+  end
+  let(:params) do
+    {
+      :grant_type => "refresh_token",
+      :client_id => "client_id",
+      :refresh_token => "refresh_token"
+    }
+  end
+  subject { request.post('/', :params => params) }
+
+  its(:status)       { should == 200 }
+  its(:content_type) { should == 'application/json' }
+  its(:body)         { should include '"access_token":"access_token"' }
+  its(:body)         { should include '"token_type":"bearer"' }
+
+  context 'when refresh_token is missing' do
+    before do
+      params.delete_if do |key, value|
+        key == :refresh_token
+      end
+    end
+    its(:status)       { should == 400 }
+    its(:content_type) { should == 'application/json' }
+    its(:body)         { should include '"error":"invalid_request"' }
+  end
+end

data/spec/rack/oauth2/server/token_spec.rb

@@ -0,0 +1,134 @@
+require 'spec_helper.rb'
+require 'base64'
+
+describe Rack::OAuth2::Server::Token do
+  let(:request) { Rack::MockRequest.new app }
+  let(:app) do
+    Rack::OAuth2::Server::Token.new do |request, response|
+      response.access_token = Rack::OAuth2::AccessToken::Bearer.new(:access_token => 'access_token')
+    end
+  end
+  let(:params) do
+    {
+      :grant_type => 'authorization_code',
+      :client_id => 'client_id',
+      :code => 'authorization_code',
+      :redirect_uri => 'http://client.example.com/callback'
+    }
+  end
+  subject { request.post('/token', :params => params) }
+
+  context 'when multiple client credentials are given' do
+    context 'when different credentials are given' do
+      let(:env) do
+        Rack::MockRequest.env_for(
+          '/token',
+          'HTTP_AUTHORIZATION' => "Basic #{Base64.encode64('client_id2:client_secret')}",
+          :params => params
+        )
+      end
+      it 'should fail with unsupported_grant_type' do
+        status, header, response = app.call(env)
+        status.should == 400
+        response.body.first.should include '"error":"invalid_request"'
+      end
+    end
+
+    context 'when same credentials are given' do
+      let(:env) do
+        Rack::MockRequest.env_for(
+          '/token',
+          'HTTP_AUTHORIZATION' => "Basic #{Base64.encode64('client_id:client_secret')}",
+          :params => params
+        )
+      end
+      it 'should ignore duplicates' do
+        status, header, response = app.call(env)
+        status.should == 200
+      end
+    end
+  end
+
+  context 'when unsupported grant_type is given' do
+    before do
+      params.merge!(:grant_type => 'unknown')
+    end
+    its(:status)       { should == 400 }
+    its(:content_type) { should == 'application/json' }
+    its(:body)         { should include '"error":"unsupported_grant_type"' }
+  end
+
+  [:client_id, :grant_type].each do |required|
+    context "when #{required} is missing" do
+      before do
+        params.delete_if do |key, value|
+          key == required
+        end
+      end
+      its(:status)       { should == 400 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"error":"invalid_request"' }
+    end
+  end
+
+  Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION.each do |error, default_message|
+    status = if error == :invalid_client
+      401
+    else
+      400
+    end
+    context "when #{error}" do
+      let(:app) do
+        Rack::OAuth2::Server::Token.new do |request, response|
+          request.send "#{error}!"
+        end
+      end
+      its(:status)       { should == status }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include "\"error\":\"#{error}\"" }
+      its(:body)         { should include "\"error_description\":\"#{default_message}\"" }
+    end
+  end
+
+  context 'when responding' do
+    context 'when access_token is missing' do
+      let(:app) do
+        Rack::OAuth2::Server::Token.new
+      end
+      it do
+        expect { request.post('/', :params => params) }.to raise_error AttrRequired::AttrMissing
+      end
+    end
+  end
+
+  describe 'extensibility' do
+    before do
+      require 'rack/oauth2/server/token/extension/jwt'
+    end
+
+    subject { app }
+    let(:env) do
+      Rack::MockRequest.env_for(
+        '/token',
+        :params => params
+      )
+    end
+    let(:request) { Rack::OAuth2::Server::Token::Request.new env }
+    its(:extensions) { should == [Rack::OAuth2::Server::Token::Extension::JWT] }
+
+    describe 'JWT assertion' do
+      let(:params) do
+        {
+          :grant_type => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+          :assertion => 'header.payload.signature'
+        }
+      end
+
+      it do
+        app.send(
+          :grant_type_for, request
+        ).should == Rack::OAuth2::Server::Token::Extension::JWT
+      end
+    end
+  end
+end