rockoauth 0.1.0

data/spec/rockoauth/provider_spec.rb

@@ -0,0 +1,560 @@
+require 'spec_helper'
+
+describe RockOAuth::Provider do
+  include RequestHelpers
+
+  before(:all) { TestApp::Provider.start(RequestHelpers::SERVER_PORT) }
+  after(:all)  { TestApp::Provider.stop }
+
+  let(:params) { { 'response_type' => 'code',
+                   'client_id'     => @client.client_id,
+                   'redirect_uri'  => @client.redirect_uri }
+               }
+
+  before do
+    @client = Factory(:client, :name => 'Test client')
+    @owner  = TestApp::User['Bob']
+  end
+
+  describe "access grant request" do
+    shared_examples_for "asks for user permission" do
+      it "creates an authorization" do
+        auth = mock_request(RockOAuth::Provider::Authorization, :client => @client, :params => {}, :scopes => [], :valid? => true)
+        expect(RockOAuth::Provider::Authorization).to receive(:new).with(@owner, params, nil).and_return(auth)
+        get(params)
+      end
+
+      it "displays an authorization page" do
+        response = get(params)
+        expect(response.code.to_i).to eq(200)
+        expect(response.body).to match(/Do you want to allow Test client/)
+        expect(response['Content-Type']).to match(/text\/html/)
+      end
+    end
+
+    describe "with valid parameters" do
+      it_should_behave_like "asks for user permission"
+    end
+
+    describe "for token requests" do
+      before { params['response_type'] = 'token' }
+      it_should_behave_like "asks for user permission"
+    end
+
+    describe "for code_and_token requests" do
+      before { params['response_type'] = 'code_and_token' }
+      it_should_behave_like "asks for user permission"
+    end
+
+    describe "enforcing SSL" do
+      before { RockOAuth::Provider.enforce_ssl = true }
+
+      it "does not allow non-SSL requests" do
+        response = get(params)
+        validate_response(response, 400, 'WAT')
+      end
+    end
+
+    describe "when there is already a pending authorization from the user" do
+      before do
+        @authorization = create_authorization(
+          :owner  => @owner,
+          :client => @client,
+          :code   => 'pending_code',
+          :scope  => 'offline_access')
+      end
+
+      it "immediately redirects with the code" do
+        response = get(params)
+        expect(response.code.to_i).to eq(302)
+        expect(response['location']).to eq('https://client.example.com/cb?code=pending_code')
+      end
+
+      describe "when the client is requesting scopes it already has access to" do
+        before { params['scope'] = 'offline_access' }
+
+        it "immediately redirects with the code" do
+          response = get(params)
+          expect(response.code.to_i).to eq(302)
+          expect(response['location']).to eq('https://client.example.com/cb?code=pending_code&scope=offline_access')
+        end
+      end
+
+      describe "when the client is requesting scopes it doesn't have yet" do
+        before { params['scope'] = 'wall_publish' }
+        it_should_behave_like "asks for user permission"
+      end
+
+      describe "and the authorization does not have a code" do
+        before { @authorization.update_attribute(:code, nil) }
+
+        it "generates a new code and redirects" do
+          expect(RockOAuth::Model::Authorization).not_to receive(:create)
+          expect(RockOAuth::Model::Authorization).not_to receive(:new)
+          expect(RockOAuth).to receive(:random_string).and_return('new_code')
+          response = get(params)
+          expect(response.code.to_i).to eq(302)
+          expect(response['location']).to eq('https://client.example.com/cb?code=new_code')
+        end
+      end
+
+      describe "and the authorization is expired" do
+        before { @authorization.update_attribute(:expires_at, 2.hours.ago) }
+        it_should_behave_like "asks for user permission"
+      end
+    end
+
+    describe "when there is already a completed authorization from the user" do
+      before do
+        @authorization = create_authorization(
+          :owner  => @owner,
+          :client => @client,
+          :code   => nil,
+          :access_token => RockOAuth.hashify('complete_token'))
+      end
+
+      it "immediately redirects with a new code" do
+        expect(RockOAuth).to receive(:random_string).and_return('new_code')
+        response = get(params)
+        expect(response.code.to_i).to eq(302)
+        expect(response['location']).to eq('https://client.example.com/cb?code=new_code')
+      end
+
+      describe "for token requests" do
+        before { params['response_type'] = 'token' }
+
+        it "immediately redirects with a new token" do
+          expect(RockOAuth).to receive(:random_string).and_return('new_access_token')
+          response = get(params)
+          expect(response.code.to_i).to eq(302)
+          expect(response['location']).to eq('https://client.example.com/cb#access_token=new_access_token')
+        end
+
+        describe "with an invalid client_id" do
+          before { params['client_id'] = 'unknown_id' }
+
+          it "does not generate any new tokens" do
+            expect(RockOAuth).not_to receive(:random_string)
+            get(params)
+          end
+        end
+      end
+
+      it "does not create a new Authorization" do
+        get(params)
+        expect(RockOAuth::Model::Authorization.count).to eq(1)
+      end
+
+      it "keeps the code and access token on the Authorization" do
+        get(params)
+        authorization = RockOAuth::Model::Authorization.first
+        expect(authorization.code).not_to be_nil
+        expect(authorization.access_token_hash).not_to be_nil
+      end
+    end
+
+    describe "with no parameters" do
+      let(:params) { {} }
+
+      it "renders an error page" do
+        response = get(params)
+        validate_response(response, 400, 'WAT')
+      end
+    end
+
+    describe "with a redirect_uri and no client_id" do
+      let(:params) { {'redirect_uri' => 'http://evilsite.com/callback'} }
+
+      it "renders an error page" do
+        response = get(params)
+        validate_response(response, 400, 'WAT')
+      end
+    end
+
+    describe "with a client_id and a bad redirect_uri" do
+      let(:params) { {'redirect_uri' => 'http://evilsite.com/callback',
+                      'client_id'    => @client.client_id} }
+
+      it "redirects to the client's registered redirect_uri" do
+        response = get(params)
+        expect(response.code.to_i).to eq(302)
+        expect(response['location']).to eq('https://client.example.com/cb?error=invalid_request&error_description=Missing+required+parameter+response_type')
+      end
+    end
+
+    describe "with an invalid request" do
+      before { params.delete('response_type') }
+
+      it "redirects to the client's redirect_uri on error" do
+        response = get(params)
+        expect(response.code.to_i).to eq(302)
+        expect(response['location']).to eq('https://client.example.com/cb?error=invalid_request&error_description=Missing+required+parameter+response_type')
+      end
+
+      describe "with a state parameter" do
+        before { params['state'] = "Facebook\nmesses this\nup" }
+
+        it "redirects to the client, including the state param" do
+          response = get(params)
+          expect(response.code.to_i).to eq(302)
+          expect(response['location']).to eq("https://client.example.com/cb?error=invalid_request&error_description=Missing+required+parameter+response_type&state=Facebook%0Amesses+this%0Aup")
+        end
+      end
+    end
+  end
+
+  describe "authorization confirmation from the user" do
+    let(:mock_auth) do
+      mock = double RockOAuth::Provider::Authorization,
+                    :redirect_uri    => 'http://example.com/',
+                    :response_status => 302
+
+      allow(RockOAuth::Provider::Authorization).to receive(:new).and_return(mock)
+      mock
+    end
+
+    describe "without the user's permission" do
+      before { params['allow'] = '' }
+
+      it "does not grant access" do
+        expect(mock_auth).to receive(:deny_access!)
+        allow_or_deny(params)
+      end
+
+      it "redirects to the client with an error" do
+        response = allow_or_deny(params)
+        expect(response.code.to_i).to eq(302)
+        expect(response['location']).to eq('https://client.example.com/cb?error=access_denied&error_description=The+user+denied+you+access')
+      end
+    end
+
+    describe "with valid parameters and user permission" do
+      before { allow(RockOAuth).to receive(:random_string).and_return('foo') }
+      before { params['allow'] = '1' }
+
+      describe "for code requests" do
+        it "grants access" do
+          expect(mock_auth).to receive(:grant_access!)
+          allow_or_deny(params)
+        end
+
+        it "redirects to the client with an authorization code" do
+          response = allow_or_deny(params)
+          expect(response.code.to_i).to eq(302)
+          expect(response['location']).to eq('https://client.example.com/cb?code=foo')
+        end
+
+        it "passes the state parameter through" do
+          params['state'] = 'illinois'
+          response = allow_or_deny(params)
+          expect(response.code.to_i).to eq(302)
+          expect(response['location']).to eq('https://client.example.com/cb?code=foo&state=illinois')
+        end
+
+        it "passes the scope parameter through" do
+          params['scope'] = 'foo bar'
+          response = allow_or_deny(params)
+          expect(response.code.to_i).to eq(302)
+          expect(response['location']).to eq('https://client.example.com/cb?code=foo&scope=foo+bar')
+        end
+      end
+
+      describe "for token requests" do
+        before { params['response_type'] = 'token' }
+
+        it "grants access" do
+          expect(mock_auth).to receive(:grant_access!)
+          allow_or_deny(params)
+        end
+
+        it "redirects to the client with an access token" do
+          response = allow_or_deny(params)
+          expect(response.code.to_i).to eq(302)
+          expect(response['location']).to eq('https://client.example.com/cb#access_token=foo&expires_in=10800')
+        end
+
+        it "passes the state parameter through" do
+          params['state'] = 'illinois'
+          response = allow_or_deny(params)
+          expect(response.code.to_i).to eq(302)
+          expect(response['location']).to eq('https://client.example.com/cb#access_token=foo&expires_in=10800&state=illinois')
+        end
+
+        it "passes the scope parameter through" do
+          params['scope'] = 'foo bar'
+          response = allow_or_deny(params)
+          expect(response.code.to_i).to eq(302)
+          expect(response['location']).to eq('https://client.example.com/cb#access_token=foo&expires_in=10800&scope=foo+bar')
+        end
+      end
+
+      describe "for code_and_token requests" do
+        before { params['response_type'] = 'code_and_token' }
+
+        it "grants access" do
+          expect(mock_auth).to receive(:grant_access!)
+          allow_or_deny(params)
+        end
+
+        it "redirects to the client with an access token" do
+          response = allow_or_deny(params)
+          expect(response.code.to_i).to eq(302)
+          expect(response['location']).to eq('https://client.example.com/cb?code=foo#access_token=foo&expires_in=10800')
+        end
+
+        it "passes the state parameter through" do
+          params['state'] = 'illinois'
+          response = allow_or_deny(params)
+          expect(response.code.to_i).to eq(302)
+          expect(response['location']).to eq('https://client.example.com/cb?code=foo&state=illinois#access_token=foo&expires_in=10800')
+        end
+
+        it "passes the scope parameter through" do
+          params['scope'] = 'foo bar'
+          response = allow_or_deny(params)
+          expect(response.code.to_i).to eq(302)
+          expect(response['location']).to eq('https://client.example.com/cb?code=foo#access_token=foo&expires_in=10800&scope=foo+bar')
+        end
+      end
+    end
+  end
+
+  describe "access token request" do
+    before do
+      @client = Factory(:client)
+      @authorization = create_authorization(
+          :owner      => @owner,
+          :client     => @client,
+          :code       => 'a_fake_code',
+          :expires_at => 3.hours.from_now)
+    end
+
+    let(:auth_params)  { { 'client_id'     => @client.client_id,
+                           'client_secret' => @client.client_secret }
+                       }
+
+    describe "using authorization_code request" do
+      let(:query_params) { { 'client_id'    => @client.client_id,
+                             'grant_type'   => 'authorization_code',
+                             'code'         => @authorization.code,
+                             'redirect_uri' => @client.redirect_uri }
+                         }
+
+      let(:params) { auth_params.merge(query_params) }
+
+      describe "with valid parameters" do
+        it "does not respond to GET" do
+          expect(RockOAuth::Provider::Authorization).not_to receive(:new)
+          params.delete('client_secret')
+          response = get(params)
+          validate_json_response(response, 400,
+            'error'             => 'invalid_request',
+            'error_description' => 'Bad request: must be a POST request'
+          )
+        end
+
+        it "does not allow client credentials to be passed in the query string" do
+          expect(RockOAuth::Provider::Authorization).not_to receive(:new)
+          query_string = {'client_id' => params.delete('client_id'), 'client_secret' => params.delete('client_secret')}
+          response = post(params, query_string)
+          validate_json_response(response, 400,
+            'error'             => 'invalid_request',
+            'error_description' => 'Bad request: must not send client credentials in the URI'
+          )
+        end
+
+        describe "enforcing SSL" do
+          before { RockOAuth::Provider.enforce_ssl = true }
+
+          it "does not allow non-SSL requests" do
+            response = get(params)
+            validate_json_response(response, 400,
+              'error'             => 'invalid_request',
+              'error_description' => 'Bad request: must make requests using HTTPS'
+            )
+          end
+        end
+
+        it "creates a Token when using Basic Auth" do
+          token = mock_request(RockOAuth::Provider::Exchange, :response_body => 'Hello')
+          expect(RockOAuth::Provider::Exchange).to receive(:new).with(@owner, params, nil).and_return(token)
+          post_basic_auth(auth_params, query_params)
+        end
+
+        it "creates a Token when passing params in the POST body" do
+          token = mock_request(RockOAuth::Provider::Exchange, :response_body => 'Hello')
+          expect(RockOAuth::Provider::Exchange).to receive(:new).with(@owner, params, nil).and_return(token)
+          post(params)
+        end
+
+        it "returns a successful response" do
+          allow(RockOAuth).to receive(:random_string).and_return('random_access_token')
+          response = post_basic_auth(auth_params, query_params)
+          validate_json_response(response, 200, 'access_token' => 'random_access_token', 'expires_in' => 10800)
+        end
+
+        describe "with a scope parameter" do
+          before do
+            @authorization.update_attribute(:scope, 'foo bar')
+          end
+
+          it "passes the scope back in the success response" do
+            allow(RockOAuth).to receive(:random_string).and_return('random_access_token')
+            response = post_basic_auth(auth_params, query_params)
+            validate_json_response(response, 200,
+              'access_token'  => 'random_access_token',
+              'scope'         => 'foo bar',
+              'expires_in'    => 10800
+            )
+          end
+        end
+      end
+
+      describe "with invalid parameters" do
+        before { query_params.delete('code') }
+
+        it "returns an error response" do
+          response = post_basic_auth(auth_params, query_params)
+          validate_json_response(response, 400,
+            'error'             => 'invalid_request',
+            'error_description' => 'Missing required parameter code'
+          )
+        end
+      end
+
+      describe "with mismatched client_id in POST params and Basic Auth params" do
+        before { query_params['client_id'] = 'foo' }
+
+        it "returns an error response" do
+          response = post_basic_auth(auth_params, query_params)
+          validate_json_response(response, 400,
+            'error'             => 'invalid_request',
+            'error_description' => 'Bad request: client_id from Basic Auth and request body do not match'
+          )
+        end
+      end
+
+      describe "when there is an Authorization with code and token" do
+        before do
+          @authorization.update_attributes(:code => 'pending_code', :access_token => 'working_token')
+          allow(RockOAuth).to receive(:random_string).and_return('random_access_token')
+        end
+
+        it "returns a new access token" do
+          response = post(params)
+          validate_json_response(response, 200,
+            'access_token' => 'random_access_token',
+            'expires_in'   => 10800
+          )
+        end
+
+        it "exchanges the code for the new token on the existing Authorization" do
+          post(params)
+          @authorization.reload
+          expect(@authorization.code).to be_nil
+          expect(@authorization.access_token_hash).to eq(RockOAuth.hashify('random_access_token'))
+        end
+      end
+    end
+  end
+
+  describe "protected resource request" do
+    before do
+      @authorization = create_authorization(
+        :owner        => @owner,
+        :client       => @client,
+        :access_token => 'magic-key',
+        :scope        => 'profile')
+    end
+
+    shared_examples_for "protected resource" do
+      it "creates an AccessToken response" do
+        mock_token = double(RockOAuth::Provider::AccessToken)
+        expect(mock_token).to receive(:response_headers).and_return({})
+        expect(mock_token).to receive(:response_status).and_return(200)
+        expect(mock_token).to receive(:valid?).and_return(true)
+        expect(RockOAuth::Provider::AccessToken).to receive(:new).with(TestApp::User['Bob'], ['profile'], 'magic-key', nil).and_return(mock_token)
+        request('/user_profile', 'oauth_token' => 'magic-key')
+      end
+
+      it "allows access when the key is passed" do
+        response = request('/user_profile', 'oauth_token' => 'magic-key')
+        expect(JSON.parse(response.body)['data']).to eq('Top secret')
+        expect(response.code.to_i).to eq(200)
+      end
+
+      it "blocks access when the wrong key is passed" do
+        response = request('/user_profile', 'oauth_token' => 'is-the-password-books')
+        expect(JSON.parse(response.body)['data']).to eq('No soup for you')
+        expect(response.code.to_i).to eq(401)
+        expect(response['WWW-Authenticate']).to eq("OAuth realm='Demo App', error='invalid_token'")
+      end
+
+      it "blocks access when the no key is passed" do
+        response = request('/user_profile')
+        expect(JSON.parse(response.body)['data']).to eq('No soup for you')
+        expect(response.code.to_i).to eq(401)
+        expect(response['WWW-Authenticate']).to eq("OAuth realm='Demo App'")
+      end
+
+      describe "enforcing SSL" do
+        before { RockOAuth::Provider.enforce_ssl = true }
+
+        let(:authorization) do
+          RockOAuth::Model::Authorization.find_by_access_token_hash(RockOAuth.hashify('magic-key'))
+        end
+
+        it "blocks access when not using HTTPS" do
+          response = request('/user_profile', 'oauth_token' => 'magic-key')
+          expect(JSON.parse(response.body)['data']).to eq('No soup for you')
+          expect(response.code.to_i).to eq(401)
+          expect(response['WWW-Authenticate']).to eq("OAuth realm='Demo App', error='invalid_request'")
+        end
+
+        it "destroys the access token since it's been leaked" do
+          expect(authorization.access_token_hash).to eq(RockOAuth.hashify('magic-key'))
+          request('/user_profile', 'oauth_token' => 'magic-key')
+          authorization.reload
+          expect(authorization.access_token_hash).to be_nil
+        end
+
+        it "keeps the access token if the wrong key is passed" do
+          expect(authorization.access_token_hash).to eq(RockOAuth.hashify('magic-key'))
+          request('/user_profile', 'oauth_token' => 'is-the-password-books')
+          authorization.reload
+          expect(authorization.access_token_hash).to eq(RockOAuth.hashify('magic-key'))
+        end
+      end
+    end
+
+    describe "for header-based requests" do
+      def request(path, params = {})
+        access_token = params.delete('oauth_token')
+        http   = Net::HTTP.new('localhost', RequestHelpers::SERVER_PORT)
+        qs     = params.map { |k,v| "#{ CGI.escape k.to_s }=#{ CGI.escape v.to_s }" }.join('&')
+        header = {'Authorization' => "OAuth #{access_token}"}
+        http.request_get(path + '?' + qs, header)
+      end
+
+      it_should_behave_like "protected resource"
+    end
+
+    describe "for GET requests" do
+      def request(path, params = {})
+        qs  = params.map { |k,v| "#{ CGI.escape k.to_s }=#{ CGI.escape v.to_s }" }.join('&')
+        uri = URI.parse("http://localhost:#{RequestHelpers::SERVER_PORT}" + path + '?' + qs)
+        Net::HTTP.get_response(uri)
+      end
+
+      it_should_behave_like "protected resource"
+    end
+
+    describe "for POST requests" do
+      def request(path, params = {})
+        Net::HTTP.post_form(URI.parse("http://localhost:#{RequestHelpers::SERVER_PORT}" + path), params)
+      end
+
+      it_should_behave_like "protected resource"
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,80 @@
+require 'rubygems'
+require 'bundler/setup'
+
+require 'active_record'
+
+require 'rockoauth/provider'
+
+case ENV['DB']
+  when 'mysql'
+    ActiveRecord::Base.establish_connection(
+        :adapter  => 'mysql',
+        :host     => '127.0.0.1',
+        :username => 'root',
+        :database => 'oauth2_test')
+  when 'postgres'
+    ActiveRecord::Base.establish_connection(
+        :adapter  => 'postgresql',
+        :host     => '127.0.0.1',
+        :username => 'postgres',
+        :database => 'oauth2_test')
+  else
+    dbfile = File.expand_path('../test.sqlite3', __FILE__)
+    File.unlink(dbfile) if File.file?(dbfile)
+
+    ActiveRecord::Base.establish_connection(
+        :adapter  => 'sqlite3',
+        :database => dbfile)
+end
+
+require 'logger'
+ActiveRecord::Base.logger = Logger.new(STDERR)
+ActiveRecord::Base.logger.level = Logger::INFO
+
+RockOAuth::Model::Schema.up
+
+ActiveRecord::Schema.define do |version|
+  create_table :users, :force => true do |t|
+    t.string :name
+  end
+end
+
+require 'test_app/provider/application'
+require 'request_helpers'
+require 'factories'
+
+require 'thin'
+Thin::Logging.silent = true
+$VERBOSE = nil
+
+RSpec.configure do |config|
+  # to run only specific specs, add :focus to the spec
+  #   describe "foo", :focus do
+  # OR
+  #   it "should foo", :focus do
+
+  config.filter_run :focus => true
+  config.run_all_when_everything_filtered = true
+
+  config.before do
+    RockOAuth::Provider.enforce_ssl = false
+    time = Time.now
+    allow(Time).to receive(:now).and_return time
+  end
+
+  config.after do
+    [ RockOAuth::Model::Client,
+      RockOAuth::Model::Authorization,
+      TestApp::User
+
+    ].each { |k| k.delete_all }
+  end
+end
+
+def create_authorization(params)
+  RockOAuth::Model::Authorization.__send__(:create) do |authorization|
+    params.each do |key, value|
+      authorization.__send__ "#{key}=", value
+    end
+  end
+end

data/spec/test_app/helper.rb

@@ -0,0 +1,36 @@
+module TestApp
+
+  class User < ActiveRecord::Base
+    self.table_name = :users
+
+    include RockOAuth::Model::ResourceOwner
+    include RockOAuth::Model::ClientOwner
+
+    def self.[](name)
+      if respond_to?(:find_or_create_by)
+        find_or_create_by(:name => name)
+      else
+        find_or_create_by_name(name)
+      end
+    end
+  end
+
+  module Helper
+    module RackRunner
+      def start(port)
+        handler = Rack::Handler.get('thin')
+        Thread.new do
+          handler.run(new, :Port => port) { |server| @server = server }
+        end
+        sleep 0.1 until @server
+      end
+
+      def stop
+        @server.stop if @server
+        @server = nil
+        sleep 0.1 while EM.reactor_running?
+      end
+    end
+  end
+
+end