rockoauth 0.1.0

data/lib/rockoauth/schema/20121025180447_rockoauth_schema_add_unique_indexes.rb

@@ -0,0 +1,31 @@
+class RockoauthSchemaAddUniqueIndexes < ActiveRecord::Migration
+  FIELDS = [:code, :refresh_token_hash]
+
+  def self.up
+    FIELDS.each do |field|
+      remove_index :oauth2_authorizations, :name => "index_oauth2_client_id_and_#{field}"
+      add_index :oauth2_authorizations, [:client_id, field], :unique => true, :name => "index_oauth2_client_id_#{field}"
+    end
+    remove_index :oauth2_authorizations, [:access_token_hash]
+    add_index :oauth2_authorizations, [:access_token_hash], :unique => true
+
+    remove_index :oauth2_clients, [:client_id]
+    add_index :oauth2_clients, [:client_id], :unique => true
+
+    add_index :oauth2_clients, [:name], :unique => true
+  end
+
+  def self.down
+    FIELDS.each do |field|
+      remove_index :oauth2_authorizations, [:client_id, field]
+      add_index :oauth2_authorizations, [:client_id, field]
+    end
+    remove_index :oauth2_authorizations, [:access_token_hash]
+    add_index :oauth2_authorizations, [:access_token_hash]
+
+    remove_index :oauth2_clients, [:client_id]
+    add_index :oauth2_clients, [:client_id]
+
+    remove_index :oauth2_clients, [:name]
+  end
+end

data/lib/rockoauth/schema.rb

@@ -0,0 +1,25 @@
+module RockOAuth
+
+  class Schema
+    def self.migrate
+      ActiveRecord::Base.logger ||= Logger.new(StringIO.new)
+      ActiveRecord::Migrator.up(migrations_path)
+    end
+    class << self
+      alias :up :migrate
+    end
+
+    def self.rollback
+      ActiveRecord::Base.logger ||= Logger.new(StringIO.new)
+      ActiveRecord::Migrator.down(migrations_path)
+    end
+    class << self
+      alias :down :rollback
+    end
+
+    def self.migrations_path
+      File.expand_path('../schema', __FILE__)
+    end
+  end
+
+end

data/lib/rockoauth.rb

@@ -0,0 +1 @@
+require 'rockoauth/provider'

data/spec/factories.rb

@@ -0,0 +1,20 @@
+require 'factory_girl'
+
+Factory.sequence :client_name do |n|
+  "Client ##{n}"
+end
+
+Factory.sequence :user_name do |n|
+  "User ##{n}"
+end
+
+Factory.define :owner, :class => TestApp::User do |u|
+  u.name { Factory.next :user_name }
+end
+
+Factory.define :client, :class => RockOAuth::Model::Client do |c|
+  c.client_id     { RockOAuth.random_string }
+  c.client_secret { RockOAuth.random_string }
+  c.name          { Factory.next :client_name }
+  c.redirect_uri  'https://client.example.com/cb'
+end

data/spec/request_helpers.rb

@@ -0,0 +1,62 @@
+require "socket"
+
+module RequestHelpers
+  require "net/http"
+
+  SERVER_PORT = TCPServer.new(0).addr[1]
+
+  def querystring(params)
+    params.map { |k,v| "#{ CGI.escape k.to_s }=#{ CGI.escape v.to_s }" }.join("&")
+  end
+
+  def get(query_params)
+    uri = URI.parse("http://localhost:#{SERVER_PORT}/authorize?" + querystring(query_params))
+    Net::HTTP.get_response(uri)
+  end
+
+  def allow_or_deny(query_params)
+    Net::HTTP.post_form(URI.parse("http://localhost:#{SERVER_PORT}/allow"), query_params)
+  end
+
+  def post_basic_auth(auth_params, query_params)
+    url = "http://#{ auth_params["client_id"] }:#{ auth_params["client_secret"] }@localhost:#{SERVER_PORT}/authorize"
+    Net::HTTP.post_form(URI.parse(url), query_params)
+  end
+
+  def post(body_params, query_params = {})
+    uri = URI.parse("http://localhost:#{SERVER_PORT}/authorize?" + querystring(query_params))
+    Net::HTTP.start(uri.host, uri.port) do |http|
+      http.post(uri.path + "?" + uri.query.to_s, querystring(body_params))
+    end
+  end
+
+  def validate_response(response, status, body)
+    expect(response.code.to_i).to eq(status)
+    expect(response.body).to eq(body)
+    expect(response["Cache-Control"]).to eq("no-store")
+  end
+
+  def validate_json_response(response, status, body)
+    expect(response.code.to_i).to eq(status)
+    expect(JSON.parse(response.body)).to eq(body)
+    expect(response["Content-Type"]).to eq("application/json")
+    expect(response["Cache-Control"]).to eq("no-store")
+  end
+
+  def mock_request(request_class, stubs = {})
+    mock_request = double(request_class)
+    method_stubs = {
+      :redirect?        => false,
+      :response_body    => nil,
+      :response_headers => {},
+      :response_status  => 200
+    }.merge(stubs)
+
+    method_stubs.each do |method, value|
+      expect(mock_request).to receive(method).and_return(value)
+    end
+
+    mock_request
+  end
+end
+

data/spec/rockoauth/model/authorization_spec.rb

@@ -0,0 +1,237 @@
+require 'spec_helper'
+
+describe RockOAuth::Model::Authorization do
+  let(:client)   { Factory :client }
+  let(:impostor) { Factory :client }
+  let(:owner)    { Factory :owner }
+  let(:user)     { Factory :owner }
+  let(:tester)   { Factory(:owner) }
+
+  let(:authorization) do
+    create_authorization(:owner => tester, :client => client)
+  end
+
+  it "is valid" do
+    expect(authorization).to be_valid
+  end
+
+  it "is not valid without a client" do
+    authorization.client = nil
+    expect(authorization).not_to be_valid
+  end
+
+  it "is not valid without an owner" do
+    authorization.owner = nil
+    expect(authorization).not_to be_valid
+  end
+
+  describe "when there are existing authorizations" do
+    before do
+      create_authorization(
+        :owner         => user,
+        :client        => impostor,
+        :access_token  => 'existing_access_token')
+
+      create_authorization(
+        :owner         => user,
+        :client        => client,
+        :code          => 'existing_code')
+
+      create_authorization(
+        :owner         => owner,
+        :client        => client,
+        :refresh_token => 'existing_refresh_token')
+    end
+
+    it "is valid if its access_token is unique" do
+      expect(authorization).to be_valid
+    end
+
+    it "is valid if both access_tokens are nil" do
+      RockOAuth::Model::Authorization.first.update_attribute(:access_token, nil)
+      authorization.access_token = nil
+      expect(authorization).to be_valid
+    end
+
+    it "is not valid if its access_token is not unique" do
+      authorization.access_token = 'existing_access_token'
+      expect(authorization).not_to be_valid
+    end
+
+    it "is valid if it has a unique code for its client" do
+      authorization.client = impostor
+      authorization.code = 'existing_code'
+      expect(authorization).to be_valid
+    end
+
+    it "is not valid if it does not have a unique client and code" do
+      authorization.code = 'existing_code'
+      expect(authorization).not_to be_valid
+    end
+
+    it "is valid if it has a unique refresh_token for its client" do
+      authorization.client = impostor
+      authorization.refresh_token = 'existing_refresh_token'
+      expect(authorization).to be_valid
+    end
+
+    it "is not valid if it does not have a unique client and refresh_token" do
+      authorization.refresh_token = 'existing_refresh_token'
+      expect(authorization).not_to be_valid
+    end
+
+    describe ".create_code" do
+      before { allow(RockOAuth).to receive(:random_string).and_return('existing_code', 'new_code') }
+
+      it "returns the first code the client has not used" do
+        expect(RockOAuth::Model::Authorization.create_code(client)).to eq('new_code')
+      end
+
+      it "returns the first code another client has not used" do
+        expect(RockOAuth::Model::Authorization.create_code(impostor)).to eq('existing_code')
+      end
+    end
+
+    describe ".create_access_token" do
+      before { allow(RockOAuth).to receive(:random_string).and_return('existing_access_token', 'new_access_token') }
+
+      it "returns the first unused token it can find" do
+        expect(RockOAuth::Model::Authorization.create_access_token).to eq('new_access_token')
+      end
+    end
+
+    describe ".create_refresh_token" do
+      before { allow(RockOAuth).to receive(:random_string).and_return('existing_refresh_token', 'new_refresh_token') }
+
+      it "returns the first refresh_token the client has not used" do
+        expect(RockOAuth::Model::Authorization.create_refresh_token(client)).to eq('new_refresh_token')
+      end
+
+      it "returns the first refresh_token another client has not used" do
+        expect(RockOAuth::Model::Authorization.create_refresh_token(impostor)).to eq('existing_refresh_token')
+      end
+    end
+
+    describe "duplicate records" do
+      it "raises an error if a duplicate authorization is created" do
+        expect {
+          authorization = RockOAuth::Model::Authorization.__send__(:new)
+          authorization.owner = user
+          authorization.client = client
+          authorization.save
+        }.to raise_error
+      end
+
+      it "finds an existing record after a race" do
+        allow(user).to receive(:oauth2_authorization_for) do
+          allow(user).to receive(:oauth2_authorization_for).and_call_original
+          raise TypeError, 'Mysql::Error: Duplicate entry'
+        end
+        authorization = RockOAuth::Model::Authorization.for(user, client)
+        expect(authorization.owner).to eq(user)
+        expect(authorization.client).to eq(client)
+      end
+    end
+  end
+
+  describe "#exchange!" do
+    it "saves the record" do
+      expect(authorization).to receive(:save!)
+      authorization.exchange!
+    end
+
+    it "uses its helpers to find unique tokens" do
+      expect(RockOAuth::Model::Authorization).to receive(:create_access_token).and_return('access_token')
+      authorization.exchange!
+      expect(authorization.access_token).to eq('access_token')
+    end
+
+    it "updates the tokens correctly" do
+      authorization.exchange!
+      expect(authorization).to be_valid
+      expect(authorization.code).to be_nil
+      expect(authorization.refresh_token).to be_nil
+    end
+  end
+
+  describe "#expired?" do
+    it "returns false when not expiry is set" do
+      expect(authorization).not_to be_expired
+    end
+
+    it "returns false when expiry is in the future" do
+      authorization.expires_at = 2.days.from_now
+      expect(authorization).not_to be_expired
+    end
+
+    it "returns true when expiry is in the past" do
+      authorization.expires_at = 2.days.ago
+      expect(authorization).to be_expired
+    end
+  end
+
+  describe "#grants_access?" do
+    it "returns true given the right user" do
+      expect(authorization.grants_access?(tester)).to eq(true)
+    end
+
+    it "returns false given the wrong user" do
+      expect(authorization.grants_access?(user)).to eq(false)
+    end
+
+    describe "when the authorization is expired" do
+      before { authorization.expires_at = 2.days.ago }
+
+      it "returns false in all cases" do
+        expect(authorization.grants_access?(tester)).to eq(false)
+        expect(authorization.grants_access?(user)).to eq(false)
+      end
+    end
+  end
+
+  describe "with a scope" do
+    before { authorization.scope = 'foo bar' }
+
+    describe "#in_scope?" do
+      it "returns true for authorized scopes" do
+        expect(authorization).to be_in_scope('foo')
+        expect(authorization).to be_in_scope('bar')
+      end
+
+      it "returns false for unauthorized scopes" do
+        expect(authorization).not_to be_in_scope('qux')
+        expect(authorization).not_to be_in_scope('fo')
+      end
+    end
+
+    describe "#grants_access?" do
+      it "returns true given the right user and all authorization scopes" do
+        expect(authorization.grants_access?(tester, 'foo', 'bar')).to eq(true)
+      end
+
+      it "returns true given the right user and some authorization scopes" do
+        expect(authorization.grants_access?(tester, 'bar')).to eq(true)
+      end
+
+      it "returns false given the right user and some unauthorization scopes" do
+        expect(authorization.grants_access?(tester, 'foo', 'bar', 'qux')).to eq(false)
+      end
+
+      it "returns false given an unauthorized scope" do
+        expect(authorization.grants_access?(tester, 'qux')).to eq(false)
+      end
+
+      it "returns true given the right user" do
+        expect(authorization.grants_access?(tester)).to eq(true)
+      end
+
+      it "returns false given the wrong user" do
+        expect(authorization.grants_access?(user)).to eq(false)
+      end
+
+      it "returns false given the wrong user and an authorized scope" do
+        expect(authorization.grants_access?(user, 'foo')).to eq(false)
+      end
+    end
+  end
+end

data/spec/rockoauth/model/client_spec.rb

@@ -0,0 +1,44 @@
+require 'spec_helper'
+
+describe RockOAuth::Model::Client do
+  before do
+    @client = RockOAuth::Model::Client.create(:name => 'App', :redirect_uri => 'http://example.com/cb')
+    @owner  = Factory(:owner)
+    RockOAuth::Model::Authorization.for(@owner, @client)
+  end
+
+  it "is valid" do
+    expect(@client).to be_valid
+  end
+
+  it "is invalid without a name" do
+    @client.name = nil
+    expect(@client).not_to be_valid
+  end
+
+  it "is invalid without a redirect_uri" do
+    @client.redirect_uri = nil
+    expect(@client).not_to be_valid
+  end
+
+  it "is invalid with a non-URI redirect_uri" do
+    @client.redirect_uri = 'foo'
+    expect(@client).not_to be_valid
+  end
+
+  # http://en.wikipedia.org/wiki/HTTP_response_splitting
+  it "is invalid if the URI contains HTTP line breaks" do
+    @client.redirect_uri = "http://example.com/c\r\nb"
+    expect(@client).not_to be_valid
+  end
+
+  it "has client_id and client_secret filled in" do
+    expect(@client.client_id).not_to be_nil
+    expect(@client.client_secret).not_to be_nil
+  end
+
+  it "destroys its authorizations on destroy" do
+    @client.destroy
+    expect(RockOAuth::Model::Authorization.count).to be_zero
+  end
+end

data/spec/rockoauth/model/helpers_spec.rb

@@ -0,0 +1,25 @@
+require 'spec_helper'
+
+describe RockOAuth::Model::Helpers do
+  subject { RockOAuth::Model::Helpers }
+
+  describe '.count' do
+    let(:owner) { Factory(:owner) }
+
+    before do
+      3.times { Factory(:client, :owner => owner) }
+    end
+
+    context 'when conditions are not passed' do
+      it 'returns count of total rows' do
+        expect(subject.count(owner.oauth2_clients)).to eq(3)
+      end
+    end
+
+    context 'when conditions are passed' do
+      it 'returns count of rows satisfying supplied conditions' do
+        expect(subject.count(RockOAuth::Model::Client, :client_id => RockOAuth::Model::Client.first.client_id)).to eq(1)
+      end
+    end
+  end
+end

data/spec/rockoauth/model/resource_owner_spec.rb

@@ -0,0 +1,87 @@
+require 'spec_helper'
+
+describe RockOAuth::Model::ResourceOwner do
+  before do
+    @owner  = Factory(:owner)
+    @client = Factory(:client)
+  end
+
+  describe "#grant_access!" do
+    it "raises an error when passed an invalid client argument" do
+      expect{ @owner.grant_access!('client') }.to raise_error(ArgumentError)
+    end
+
+    it "creates an authorization between the owner and the client" do
+      authorization = RockOAuth::Model::Authorization.__send__(:new)
+      expect(RockOAuth::Model::Authorization).to receive(:new).and_return(authorization)
+      @owner.grant_access!(@client)
+    end
+
+    # This is hacky, but doubleing ActiveRecord turns out to get messy
+    it "creates an Authorization" do
+      expect(RockOAuth::Model::Authorization.count).to eq(0)
+      @owner.grant_access!(@client)
+      expect(RockOAuth::Model::Authorization.count).to eq(1)
+    end
+
+    it "returns the authorization" do
+      expect(@owner.grant_access!(@client)).to be_kind_of(RockOAuth::Model::Authorization)
+    end
+
+    # This method must return the same owner object, since the assertion
+    # handler may modify it -- either by changing its attributes or by extending
+    # it with new methods. These changes must be returned to the app calling the
+    # Provider interface.
+    it "sets the receiver as the authorization's owner" do
+      authorization = @owner.grant_access!(@client)
+      expect(authorization.owner).to be_equal(@owner)
+    end
+
+    it "sets the duration of the authorization" do
+      authorization = @owner.grant_access!(@client, :duration => 5.hours)
+      expect(authorization.expires_at.to_i).to eq((Time.now + 5.hours.to_i).to_i)
+    end
+  end
+
+  describe "when there is an existing authorization" do
+    before do
+      @authorization = create_authorization(:owner => @owner, :client => @client)
+    end
+
+    it "does not create a new one" do
+      expect(RockOAuth::Model::Authorization).not_to receive(:new)
+      @owner.grant_access!(@client)
+    end
+
+    it "updates the authorization with scopes" do
+      @owner.grant_access!(@client, :scopes => ['foo', 'bar'])
+      @authorization.reload
+      expect(@authorization.scopes).to eq(Set.new(['foo', 'bar']))
+    end
+
+    describe "with scopes" do
+      before do
+        @authorization.update_attribute(:scope, 'foo bar')
+      end
+
+      it "merges the new scopes with the existing ones" do
+        @owner.grant_access!(@client, :scopes => ['qux'])
+        @authorization.reload
+        expect(@authorization.scopes).to eq(Set.new(['foo', 'bar', 'qux']))
+      end
+
+      it "does not add duplicate scopes to the list" do
+        @owner.grant_access!(@client, :scopes => ['qux'])
+        @owner.grant_access!(@client, :scopes => ['qux'])
+        @authorization.reload
+        expect(@authorization.scopes).to eq(Set.new(['foo', 'bar', 'qux']))
+      end
+    end
+  end
+
+  it "destroys its authorizations on destroy" do
+    RockOAuth::Model::Authorization.for(@owner, @client)
+    @owner.destroy
+    expect(RockOAuth::Model::Authorization.count).to be_zero
+  end
+end

data/spec/rockoauth/provider/access_token_spec.rb

@@ -0,0 +1,138 @@
+require 'spec_helper'
+
+describe RockOAuth::Provider::AccessToken do
+  before do
+    @alice = TestApp::User['Alice']
+    @bob   = TestApp::User['Bob']
+
+    create_authorization(
+      :owner        => @alice,
+      :client       => Factory(:client),
+      :scope        => 'profile',
+      :access_token => 'sesame')
+
+    @authorization = create_authorization(
+      :owner        => @bob,
+      :client       => Factory(:client),
+      :scope        => 'profile',
+      :access_token => 'magic-key')
+
+    RockOAuth::Provider.realm = 'Demo App'
+  end
+
+  let :token do
+    RockOAuth::Provider::AccessToken.new(@bob, ['profile'], 'magic-key')
+  end
+
+  shared_examples_for "valid token" do
+    it "is valid" do
+      expect(token).to be_valid
+    end
+    it "does not add headers" do
+      expect(token.response_headers).to eq({})
+    end
+    it "has an OK status code" do
+      expect(token.response_status).to eq(200)
+    end
+    it "returns the owner who granted the authorization" do
+      expect(token.owner).to eq(@bob)
+    end
+  end
+
+  shared_examples_for "invalid token" do
+    it "is not valid" do
+      expect(token).not_to be_valid
+    end
+    it "does not return the owner" do
+      expect(token.owner).to be_nil
+    end
+  end
+
+  describe "with the right user, scope and token" do
+    it_should_behave_like "valid token"
+  end
+
+  describe "with an implicit user" do
+    let :token do
+      RockOAuth::Provider::AccessToken.new(:implicit, ['profile'], 'magic-key')
+    end
+    it_should_behave_like "valid token"
+  end
+
+  describe "with no user" do
+    let :token do
+      RockOAuth::Provider::AccessToken.new(nil, ['profile'], 'magic-key')
+    end
+    it_should_behave_like "invalid token"
+
+    it "returns an error response" do
+      expect(token.response_headers['WWW-Authenticate']).to eq("OAuth realm='Demo App', error='invalid_token'")
+      expect(token.response_status).to eq(401)
+    end
+  end
+
+  describe "with less scope than was granted" do
+    let :token do
+      RockOAuth::Provider::AccessToken.new(@bob, [], 'magic-key')
+    end
+    it_should_behave_like "valid token"
+  end
+
+  describe "when the authorization has expired" do
+    before { @authorization.update_attribute(:expires_at, 1.hour.ago) }
+    it_should_behave_like "invalid token"
+
+    it "returns an error response" do
+      expect(token.response_headers['WWW-Authenticate']).to eq("OAuth realm='Demo App', error='expired_token'")
+      expect(token.response_status).to eq(401)
+    end
+  end
+
+  describe "with a non-existent token" do
+    let :token do
+      RockOAuth::Provider::AccessToken.new(@bob, ['profile'], 'is-the-password-books')
+    end
+    it_should_behave_like "invalid token"
+
+    it "returns an error response" do
+      expect(token.response_headers['WWW-Authenticate']).to eq("OAuth realm='Demo App', error='invalid_token'")
+      expect(token.response_status).to eq(401)
+    end
+  end
+
+  describe "with a token for the wrong user" do
+    let :token do
+      RockOAuth::Provider::AccessToken.new(@bob, ['profile'], 'sesame')
+    end
+    it_should_behave_like "invalid token"
+
+    it "returns an error response" do
+      expect(token.response_headers['WWW-Authenticate']).to eq("OAuth realm='Demo App', error='insufficient_scope'")
+      expect(token.response_status).to eq(403)
+    end
+  end
+
+  describe "with a token for an ungranted scope" do
+    let :token do
+      RockOAuth::Provider::AccessToken.new(@bob, ['offline_access'], 'magic-key')
+    end
+    it_should_behave_like "invalid token"
+
+    it "returns an error response" do
+      expect(token.response_headers['WWW-Authenticate']).to eq("OAuth realm='Demo App', error='insufficient_scope'")
+      expect(token.response_status).to eq(403)
+    end
+  end
+
+  describe "with no token string" do
+    let :token do
+      RockOAuth::Provider::AccessToken.new(@bob, ['profile'], nil)
+    end
+    it_should_behave_like "invalid token"
+
+    it "returns an error response" do
+      expect(token.response_headers['WWW-Authenticate']).to eq("OAuth realm='Demo App'")
+      expect(token.response_status).to eq(401)
+    end
+  end
+end