rack-oauth2 0.2.3 → 0.3.0.alpha

data/spec/rack/oauth2/server/token_spec.rb

@@ -1,142 +1,103 @@
 require 'spec_helper.rb'
+require 'base64'
 
 describe Rack::OAuth2::Server::Token do
-  it "should support realm" do
-    app = Rack::OAuth2::Server::Token.new("server.example.com")
-    app.realm.should == "server.example.com"
-  end
-end
-
-describe Rack::OAuth2::Server::Token::Request do
-
-  before do
-    @app = Rack::OAuth2::Server::Token.new do |request, response|
-      response.access_token = "access_token"
+  let(:request) { Rack::MockRequest.new app }
+  let(:app) do
+    Rack::OAuth2::Server::Token.new do |request, response|
+      response.access_token = 'access_token'
     end
-    @request = Rack::MockRequest.new @app
   end
-
-  context "when any required parameters are missing" do
-    it "should return invalid_request error" do
-      assert_error_response(:json, :invalid_request) do
-        @request.post('/')
-      end
-      assert_error_response(:json, :invalid_request) do
-        @request.post('/', :params => {
-          :grant_type => "authorization_code"
-        })
-      end
-      assert_error_response(:json, :invalid_request) do
-        @request.post('/', :params => {
-          :grant_type => "authorization_code",
-          :client_id => "client"
-        })
-      end
-      assert_error_response(:json, :invalid_request) do
-        @request.post('/', :params => {
-          :grant_type => "authorization_code",
-          :redirect_uri => "http://client.example.com/callback"
-        })
-      end
-      assert_error_response(:json, :invalid_request) do
-        @request.post('/', :params => {
-          :client_id => "client",
-          :redirect_uri => "http://client.example.com/callback"
-        })
-      end
-      assert_error_response(:json, :invalid_request) do
-        @request.post('/', :params => {
-          :grant_type => "authorization_code",
-          :redirect_uri => "http://client.example.com/callback"
-        })
-      end
-      assert_error_response(:json, :invalid_request) do
-        @request.post('/', :params => {
-          :grant_type => "authorization_code",
-          :client_id => "client",
-          :redirect_uri => "http://client.example.com/callback"
-        })
+  let(:params) do
+    {
+      :grant_type => 'authorization_code',
+      :client_id => 'client_id',
+      :code => 'authorization_code',
+      :redirect_uri => 'http://client.example.com/callback'
+    }
+  end
+  subject { request.post('/token', :params => params) }
+
+  context 'when multiple client credentials are given' do
+    context 'when different credentials are given' do
+      let(:env) do
+        Rack::MockRequest.env_for(
+          '/token',
+          'HTTP_AUTHORIZATION' => "Basic #{Base64.encode64('client_id2:client_secret')}",
+          :params => params
+        )
       end
-      assert_error_response(:json, :invalid_request) do
-        @request.post('/', :params => {
-          :grant_type => "authorization_code",
-          :code => "authorization_code",
-          :redirect_uri => "http://client.example.com/callback"
-        })
+      it 'should fail with unsupported_grant_type' do
+        status, header, response = app.call(env)
+        status.should == 400
+        response.body.first.should include '"error":"invalid_request"'
       end
     end
-  end
 
-  context "when unsupported grant_type is given" do
-    it "should return unsupported_response_type error" do
-      assert_error_response(:json, :unsupported_grant_type) do
-        @request.post('/', :params => {
-          :grant_type => "hello",
-          :client_id => "client",
-          :code => "authorization_code",
-          :redirect_uri => "http://client.example.com/callback"
-        })
+    context 'when same credentials are given' do
+      let(:env) do
+        Rack::MockRequest.env_for(
+          '/token',
+          'HTTP_AUTHORIZATION' => "Basic #{Base64.encode64('client_id:client_secret')}",
+          :params => params
+        )
+      end
+      it 'should ignore duplicates' do
+        status, header, response = app.call(env)
+        status.should == 200
       end
     end
   end
 
-  context "when all required parameters are valid" do
-    it "should succeed" do
-      response = @request.post('/', :params => {
-        :grant_type => "authorization_code",
-        :client_id => "client",
-        :code => "authorization_code",
-        :redirect_uri => "http://client.example.com/callback"
-      })
-      response.status.should == 200
+  context 'when unsupported grant_type is given' do
+    before do
+      params.merge!(:grant_type => 'unknown')
     end
+    its(:status)       { should == 400 }
+    its(:content_type) { should == 'application/json' }
+    its(:body)         { should include '"error":"unsupported_grant_type"' }
   end
 
-end
-
-describe Rack::OAuth2::Server::Token::Response do
-
-  context "when required response params are missing" do
-
-    before do
-      @app = Rack::OAuth2::Server::Token.new do |request, response|
-        # access_token is missing
+  [:client_id, :grant_type].each do |required|
+    context "when #{required} is missing" do
+      before do
+        params.delete_if do |key, value|
+          key == required
+        end
       end
-      @request = Rack::MockRequest.new @app
+      its(:status)       { should == 400 }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include '"error":"invalid_request"' }
     end
-
-    it "should raise an error" do
-      lambda do
-        @request.post('/', :params => {
-          :grant_type => "authorization_code",
-          :client_id => "client",
-          :code => "authorization_code",
-          :redirect_uri => "http://client.example.com/callback"
-        })
-      end.should raise_error(StandardError)
-    end
-
   end
 
-  context "when required response params are given" do
-
-    before do
-      @app = Rack::OAuth2::Server::Token.new do |request, response|
-        response.access_token = "access_token"
+  Rack::OAuth2::Server::Token::ErrorMethods::DEFAULT_DESCRIPTION.each do |error, default_message|
+    status = if error == :invalid_client
+      401
+    else
+      400
+    end
+    context "when #{error}" do
+      let(:app) do
+        Rack::OAuth2::Server::Token.new do |request, response|
+          request.send "#{error}!"
+        end
       end
-      @request = Rack::MockRequest.new @app
+      its(:status)       { should == status }
+      its(:content_type) { should == 'application/json' }
+      its(:body)         { should include "\"error\":\"#{error}\"" }
+      its(:body)         { should include "\"error_description\":\"#{default_message}\"" }
     end
+  end
 
-    it "should succeed" do
-      response = @request.post('/', :params => {
-        :grant_type => "authorization_code",
-        :client_id => "client",
-        :code => "authorization_code",
-        :redirect_uri => "http://client.example.com/callback"
-      })
-      response.status.should == 200
+  context 'when responding' do
+    context 'when access_token is missing' do
+      let(:app) do
+        Rack::OAuth2::Server::Token.new
+      end
+      it do
+        expect { request.post('/', :params => params) }.should raise_error AttrRequired::AttrMissing
+      end
     end
-
   end
-
 end

data/spec/rack/oauth2/server/util_spec.rb

@@ -1,28 +1,87 @@
 require 'spec_helper.rb'
 
-describe Rack::OAuth2::Server::Util, ".parse_uri" do
+describe Rack::OAuth2::Server::Util do
+  let :util do
+    Rack::OAuth2::Server::Util
+  end
 
-  context "when String is given" do
-    it "should parse it as URI" do
-      uri = Rack::OAuth2::Server::Util.parse_uri "http://client.example.com"
-      uri.should be_a_kind_of(URI::Generic)
-    end
+  let :uri do
+    'http://client.example.com/callback'
+  end
+
+  describe '.compact_hash' do
+    subject { util.compact_hash :k1 => 'v1', :k2 => '', :k3 => nil }
+    it { should == {:k1 => 'v1'} }
   end
 
-  context "when URI is given" do
-    it "should return itself" do
-      _uri_ = URI.parse "http://client.example.com"
-      uri = Rack::OAuth2::Server::Util.parse_uri _uri_
-      uri.should == _uri_
+  describe '.parse_uri' do
+    context 'when String is given' do
+      it { util.parse_uri(uri).should be_a URI::Generic }
+    end
+
+    context 'when URI is given' do
+      it 'should be itself' do
+        _uri_ = URI.parse uri
+        util.parse_uri(_uri_).should be _uri_
+      end
+    end
+
+    context 'when invalid URI is given' do
+      it do
+        expect do
+          util.parse_uri '::'
+        end.should raise_error URI::InvalidURIError
+      end
+    end
+
+    context 'otherwise' do
+      it do
+        expect { util.parse_uri nil }.should raise_error StandardError
+        expect { util.parse_uri 123 }.should raise_error StandardError
+      end
     end
   end
 
-  context "when Integer is given" do
-    it "should raise error" do
-      lambda do
-        Rack::OAuth2::Server::Util.parse_uri 123
-      end.should raise_error(StandardError)
+  describe '.redirect_uri' do
+    let(:base_uri) { 'http://client.example.com' }
+    let(:params) do
+      {:k1 => :v1, :k2 => ''}
+    end
+    subject { util.redirect_uri base_uri, location, params }
+
+    context 'when location = :fragment' do
+      let(:location) { :fragment }
+      it { should == "#{base_uri}##{util.compact_hash(params).to_query}" }
+    end
+
+    context 'when location = :query' do
+      let(:location) { :query }
+      it { should == "#{base_uri}?#{util.compact_hash(params).to_query}" }
     end
   end
 
+  describe '.verify_redirect_uri' do
+    context 'when invalid URI is given' do
+      it do
+        util.verify_redirect_uri('::', '::').should be_false
+        util.verify_redirect_uri(123, 'http://client.example.com/other').should be_false
+        util.verify_redirect_uri('http://client.example.com/other', nil).should be_false
+      end
+    end
+
+    context 'when exactry same' do
+      it { util.verify_redirect_uri(uri, uri).should be_true }
+    end
+
+    context 'when path prefix matches' do
+      it { util.verify_redirect_uri(uri, "#{uri}/deep_path").should be_true }
+    end
+
+    context 'otherwise' do
+      it do
+        util.verify_redirect_uri(uri, 'http://client.example.com/other').should be_false
+        util.verify_redirect_uri(uri, 'http://attacker.example.com/callback').should be_false
+      end
+    end
+  end
 end

data/spec/spec_helper.rb

@@ -8,16 +8,4 @@ def simple_app
   lambda do |env|
     [ 200, {'Content-Type' => 'text/plain'}, ["HELLO"] ]
   end
-end
-
-def assert_error_response(format, error)
-  response = yield
-  case format
-  when :json
-    response.status.should == 400
-    response.body.should match("\"error\":\"#{error}\"")
-  when :query
-    response.status.should == 302
-    response.location.should match("error=#{error}")
-  end
 end

metadata

@@ -1,13 +1,14 @@
 --- !ruby/object:Gem::Specification 
 name: rack-oauth2
 version: !ruby/object:Gem::Version 
-  hash: 17
-  prerelease: false
+  hash: -1851332186
+  prerelease: 6
   segments: 
   - 0
-  - 2
   - 3
-  version: 0.2.3
+  - 0
+  - alpha
+  version: 0.3.0.alpha
 platform: ruby
 authors: 
 - nov matake
@@ -15,7 +16,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-12-05 00:00:00 +09:00
+date: 2011-03-05 00:00:00 +09:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -86,12 +87,12 @@ dependencies:
     requirements: 
     - - ">="
       - !ruby/object:Gem::Version 
-        hash: 27
+        hash: 25
         segments: 
         - 0
         - 0
-        - 2
-        version: 0.0.2
+        - 3
+        version: 0.0.3
   type: :runtime
   version_requirements: *id005
 - !ruby/object:Gem::Dependency 
@@ -159,36 +160,33 @@ files:
 - lib/rack/oauth2.rb
 - lib/rack/oauth2/server.rb
 - lib/rack/oauth2/server/abstract.rb
+- lib/rack/oauth2/server/abstract/error.rb
 - lib/rack/oauth2/server/abstract/handler.rb
 - lib/rack/oauth2/server/abstract/request.rb
 - lib/rack/oauth2/server/abstract/response.rb
 - lib/rack/oauth2/server/authorize.rb
 - lib/rack/oauth2/server/authorize/code.rb
-- lib/rack/oauth2/server/authorize/code_and_token.rb
+- lib/rack/oauth2/server/authorize/error.rb
 - lib/rack/oauth2/server/authorize/token.rb
-- lib/rack/oauth2/server/error.rb
-- lib/rack/oauth2/server/error/authorize.rb
-- lib/rack/oauth2/server/error/resource.rb
-- lib/rack/oauth2/server/error/token.rb
 - lib/rack/oauth2/server/resource.rb
+- lib/rack/oauth2/server/resource/bearer.rb
+- lib/rack/oauth2/server/resource/bearer/error.rb
 - lib/rack/oauth2/server/token.rb
-- lib/rack/oauth2/server/token/assertion.rb
 - lib/rack/oauth2/server/token/authorization_code.rb
+- lib/rack/oauth2/server/token/error.rb
 - lib/rack/oauth2/server/token/password.rb
 - lib/rack/oauth2/server/token/refresh_token.rb
 - lib/rack/oauth2/server/util.rb
 - rack-oauth2.gemspec
-- spec/rack/oauth2/server/authorize/code_and_token_spec.rb
+- spec/rack/oauth2/server/abstract/error_spec.rb
 - spec/rack/oauth2/server/authorize/code_spec.rb
+- spec/rack/oauth2/server/authorize/error_spec.rb
 - spec/rack/oauth2/server/authorize/token_spec.rb
 - spec/rack/oauth2/server/authorize_spec.rb
-- spec/rack/oauth2/server/error/authorize_spec.rb
-- spec/rack/oauth2/server/error/resource_spec.rb
-- spec/rack/oauth2/server/error/token_spec.rb
-- spec/rack/oauth2/server/error_spec.rb
-- spec/rack/oauth2/server/resource_spec.rb
-- spec/rack/oauth2/server/token/assertion_spec.rb
+- spec/rack/oauth2/server/resource/bearer/error_spec.rb
+- spec/rack/oauth2/server/resource/bearer_spec.rb
 - spec/rack/oauth2/server/token/authorization_code_spec.rb
+- spec/rack/oauth2/server/token/error_spec.rb
 - spec/rack/oauth2/server/token/password_spec.rb
 - spec/rack/oauth2/server/token/refresh_token_spec.rb
 - spec/rack/oauth2/server/token_spec.rb
@@ -226,22 +224,20 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.3.7
+rubygems_version: 1.5.3
 signing_key: 
 specification_version: 3
 summary: Rack Middleware for OAuth2 server
 test_files: 
-- spec/rack/oauth2/server/authorize/code_and_token_spec.rb
+- spec/rack/oauth2/server/abstract/error_spec.rb
 - spec/rack/oauth2/server/authorize/code_spec.rb
+- spec/rack/oauth2/server/authorize/error_spec.rb
 - spec/rack/oauth2/server/authorize/token_spec.rb
 - spec/rack/oauth2/server/authorize_spec.rb
-- spec/rack/oauth2/server/error/authorize_spec.rb
-- spec/rack/oauth2/server/error/resource_spec.rb
-- spec/rack/oauth2/server/error/token_spec.rb
-- spec/rack/oauth2/server/error_spec.rb
-- spec/rack/oauth2/server/resource_spec.rb
-- spec/rack/oauth2/server/token/assertion_spec.rb
+- spec/rack/oauth2/server/resource/bearer/error_spec.rb
+- spec/rack/oauth2/server/resource/bearer_spec.rb
 - spec/rack/oauth2/server/token/authorization_code_spec.rb
+- spec/rack/oauth2/server/token/error_spec.rb
 - spec/rack/oauth2/server/token/password_spec.rb
 - spec/rack/oauth2/server/token/refresh_token_spec.rb
 - spec/rack/oauth2/server/token_spec.rb