songkick-oauth2-provider 0.10.0

data/spec/songkick/oauth2/model/authorization_spec.rb

@@ -0,0 +1,216 @@
+require 'spec_helper'
+
+describe Songkick::OAuth2::Model::Authorization do
+  let(:client)   { Factory :client }
+  let(:impostor) { Factory :client }
+  let(:owner)    { Factory :owner }
+  let(:user)     { Factory :owner }
+  
+  let(:authorization) do
+    create_authorization(:owner => owner, :client => client)
+  end
+  
+  it "is vaid" do
+    authorization.should be_valid
+  end
+  
+  it "is not valid without a client" do
+    authorization.client = nil
+    authorization.should_not be_valid
+  end
+  
+  it "is not valid without an owner" do
+    authorization.owner = nil
+    authorization.should_not be_valid
+  end
+  
+  describe "when there are existing authorizations" do
+    before do
+      create_authorization(
+        :owner         => user,
+        :client        => impostor,
+        :access_token  => 'existing_access_token')
+        
+      create_authorization(
+        :owner         => owner,
+        :client        => client,
+        :code          => 'existing_code')
+        
+      create_authorization(
+        :owner         => owner,
+        :client        => client,
+        :refresh_token => 'existing_refresh_token')
+    end
+    
+    it "is valid if its access_token is unique" do
+      authorization.should be_valid
+    end
+    
+    it "is valid if both access_tokens are nil" do
+      Songkick::OAuth2::Model::Authorization.first.update_attribute(:access_token, nil)
+      authorization.access_token = nil
+      authorization.should be_valid
+    end
+    
+    it "is not valid if its access_token is not unique" do
+      authorization.access_token = 'existing_access_token'
+      authorization.should_not be_valid
+    end
+    
+    it "is valid if it has a unique code for its client" do
+      authorization.client = impostor
+      authorization.code = 'existing_code'
+      authorization.should be_valid
+    end
+    
+    it "is not valid if it does not have a unique client and code" do
+      authorization.code = 'existing_code'
+      authorization.should_not be_valid
+    end
+    
+    it "is valid if it has a unique refresh_token for its client" do
+      authorization.client = impostor
+      authorization.refresh_token = 'existing_refresh_token'
+      authorization.should be_valid
+    end
+    
+    it "is not valid if it does not have a unique client and refresh_token" do
+      authorization.refresh_token = 'existing_refresh_token'
+      authorization.should_not be_valid
+    end
+    
+    describe ".create_code" do
+      before { Songkick::OAuth2.stub(:random_string).and_return('existing_code', 'new_code') }
+      
+      it "returns the first code the client has not used" do
+        Songkick::OAuth2::Model::Authorization.create_code(client).should == 'new_code'
+      end
+      
+      it "returns the first code another client has not used" do
+        Songkick::OAuth2::Model::Authorization.create_code(impostor).should == 'existing_code'
+      end
+    end
+    
+    describe ".create_access_token" do
+      before { Songkick::OAuth2.stub(:random_string).and_return('existing_access_token', 'new_access_token') }
+      
+      it "returns the first unused token it can find" do
+        Songkick::OAuth2::Model::Authorization.create_access_token.should == 'new_access_token'
+      end
+    end
+    
+    describe ".create_refresh_token" do
+      before { Songkick::OAuth2.stub(:random_string).and_return('existing_refresh_token', 'new_refresh_token') }
+      
+      it "returns the first refresh_token the client has not used" do
+        Songkick::OAuth2::Model::Authorization.create_refresh_token(client).should == 'new_refresh_token'
+      end
+      
+      it "returns the first refresh_token another client has not used" do
+        Songkick::OAuth2::Model::Authorization.create_refresh_token(impostor).should == 'existing_refresh_token'
+      end
+    end
+  end
+  
+  describe "#exchange!" do
+    it "saves the record" do
+      authorization.should_receive(:save!)
+      authorization.exchange!
+    end
+    
+    it "uses its helpers to find unique tokens" do
+      Songkick::OAuth2::Model::Authorization.should_receive(:create_access_token).and_return('access_token')
+      authorization.exchange!
+      authorization.access_token.should == 'access_token'
+    end
+    
+    it "updates the tokens correctly" do
+      authorization.exchange!
+      authorization.should be_valid
+      authorization.code.should be_nil
+      authorization.refresh_token.should be_nil
+    end
+  end
+  
+  describe "#expired?" do
+    it "returns false when not expiry is set" do
+      authorization.should_not be_expired
+    end
+    
+    it "returns false when expiry is in the future" do
+      authorization.expires_at = 2.days.from_now
+      authorization.should_not be_expired
+    end
+    
+    it "returns true when expiry is in the past" do
+      authorization.expires_at = 2.days.ago
+      authorization.should be_expired
+    end
+  end
+  
+  describe "#grants_access?" do
+    it "returns true given the right user" do
+      authorization.grants_access?(owner).should be_true
+    end
+    
+    it "returns false given the wrong user" do
+      authorization.grants_access?(user).should be_false
+    end
+    
+    describe "when the authorization is expired" do
+      before { authorization.expires_at = 2.days.ago }
+      
+      it "returns false in all cases" do
+        authorization.grants_access?(owner).should be_false
+        authorization.grants_access?(user).should be_false
+      end
+    end
+  end
+  
+  describe "with a scope" do
+    before { authorization.scope = 'foo bar' }
+    
+    describe "#in_scope?" do
+      it "returns true for authorized scopes" do
+        authorization.should be_in_scope('foo')
+        authorization.should be_in_scope('bar')
+      end
+      
+      it "returns false for unauthorized scopes" do
+        authorization.should_not be_in_scope('qux')
+        authorization.should_not be_in_scope('fo')
+      end
+    end
+    
+    describe "#grants_access?" do
+      it "returns true given the right user and all authorization scopes" do
+        authorization.grants_access?(owner, 'foo', 'bar').should be_true
+      end
+      
+      it "returns true given the right user and some authorization scopes" do
+        authorization.grants_access?(owner, 'bar').should be_true
+      end
+      
+      it "returns false given the right user and some unauthorization scopes" do
+        authorization.grants_access?(owner, 'foo', 'bar', 'qux').should be_false
+      end
+      
+      it "returns false given an unauthorized scope" do
+        authorization.grants_access?(owner, 'qux').should be_false
+      end
+      
+      it "returns true given the right user" do
+        authorization.grants_access?(owner).should be_true
+      end
+      
+      it "returns false given the wrong user" do
+        authorization.grants_access?(user).should be_false
+      end
+      
+      it "returns false given the wrong user and an authorized scope" do
+        authorization.grants_access?(user, 'foo').should be_false
+      end
+    end
+  end
+end
+

data/spec/songkick/oauth2/model/client_spec.rb

@@ -0,0 +1,55 @@
+require 'spec_helper'
+
+describe Songkick::OAuth2::Model::Client do
+  before do
+    @client = Songkick::OAuth2::Model::Client.create(:name => 'App', :redirect_uri => 'http://example.com/cb')
+    @owner  = Factory(:owner)
+    Factory(:authorization, :client => @client, :owner => @owner)
+  end
+  
+  it "is valid" do
+    @client.should be_valid
+  end
+  
+  it "is invalid without a name" do
+    @client.name = nil
+    @client.should_not be_valid
+  end
+  
+  it "is invalid without a redirect_uri" do
+    @client.redirect_uri = nil
+    @client.should_not be_valid
+  end
+  
+  it "is invalid with a non-URI redirect_uri" do
+    @client.redirect_uri = 'foo'
+    @client.should_not be_valid
+  end
+  
+  # http://en.wikipedia.org/wiki/HTTP_response_splitting
+  it "is invalid if the URI contains HTTP line breaks" do
+    @client.redirect_uri = "http://example.com/c\r\nb"
+    @client.should_not be_valid
+  end
+  
+  it "cannot mass-assign client_id" do
+    @client.update_attributes(:client_id => 'foo')
+    @client.client_id.should_not == 'foo'
+  end
+  
+  it "cannot mass-assign client_secret" do
+    @client.update_attributes(:client_secret => 'foo')
+    @client.client_secret.should_not == 'foo'
+  end
+  
+  it "has client_id and client_secret filled in" do
+    @client.client_id.should_not be_nil
+    @client.client_secret.should_not be_nil
+  end
+  
+  it "destroys its authorizations on destroy" do
+    @client.destroy
+    Songkick::OAuth2::Model::Authorization.count.should be_zero
+  end
+end
+

data/spec/songkick/oauth2/model/resource_owner_spec.rb

@@ -0,0 +1,88 @@
+require 'spec_helper'
+
+describe Songkick::OAuth2::Model::ResourceOwner do
+  before do
+    @owner  = Factory(:owner)
+    @client = Factory(:client)
+  end
+  
+  describe "#grant_access!" do
+    it "raises an error when passed an invalid client argument" do
+      lambda{ @owner.grant_access!('client') }.should raise_error(ArgumentError)
+    end
+    
+    it "creates an authorization between the owner and the client" do
+      authorization = Songkick::OAuth2::Model::Authorization.new
+      Songkick::OAuth2::Model::Authorization.should_receive(:new).and_return(authorization)
+      @owner.grant_access!(@client)
+    end
+    
+    # This is hacky, but mocking ActiveRecord turns out to get messy
+    it "creates an Authorization" do
+      Songkick::OAuth2::Model::Authorization.count.should == 0
+      @owner.grant_access!(@client)
+      Songkick::OAuth2::Model::Authorization.count.should == 1
+    end
+    
+    it "returns the authorization" do
+      @owner.grant_access!(@client).should be_kind_of(Songkick::OAuth2::Model::Authorization)
+    end
+    
+    # This method must return the same owner object, since the assertion
+    # handler may modify it -- either by changing its attributes or by extending
+    # it with new methods. These changes must be returned to the app calling the
+    # Provider interface.
+    it "sets the receiver as the authorization's owner" do
+      authorization = @owner.grant_access!(@client)
+      authorization.owner.should be_equal(@owner)
+    end
+    
+    it "sets the duration of the authorization" do
+      authorization = @owner.grant_access!(@client, :duration => 5.hours)
+      authorization.expires_at.to_i.should == (Time.now + 5.hours.to_i).to_i
+    end
+  end
+  
+  describe "when there is an existing authorization" do
+    before do
+      @authorization = Factory(:authorization, :owner => @owner, :client => @client)
+    end
+    
+    it "does not create a new one" do
+      Songkick::OAuth2::Model::Authorization.should_not_receive(:new)
+      @owner.grant_access!(@client)
+    end
+    
+    it "updates the authorization with scopes" do
+      @owner.grant_access!(@client, :scopes => ['foo', 'bar'])
+      @authorization.reload
+      @authorization.scopes.should == Set.new(['foo', 'bar'])
+    end
+    
+    describe "with scopes" do
+      before do
+        @authorization.update_attribute(:scope, 'foo bar')
+      end
+      
+      it "merges the new scopes with the existing ones" do
+        @owner.grant_access!(@client, :scopes => ['qux'])
+        @authorization.reload
+        @authorization.scopes.should == Set.new(['foo', 'bar', 'qux'])
+      end
+
+      it "does not add duplicate scopes to the list" do
+        @owner.grant_access!(@client, :scopes => ['qux'])
+        @owner.grant_access!(@client, :scopes => ['qux'])
+        @authorization.reload
+        @authorization.scopes.should == Set.new(['foo', 'bar', 'qux'])
+      end
+    end
+  end
+  
+  it "destroys its authorizations on destroy" do
+    Factory(:authorization, :owner => @owner, :client => @client)
+    @owner.destroy
+    Songkick::OAuth2::Model::Authorization.count.should be_zero
+  end
+end
+

data/spec/songkick/oauth2/provider/access_token_spec.rb

@@ -0,0 +1,125 @@
+require 'spec_helper'
+
+describe Songkick::OAuth2::Provider::AccessToken do
+  before do
+    @alice = TestApp::User['Alice']
+    @bob   = TestApp::User['Bob']
+    
+    Factory(:authorization,
+      :owner        => @alice,
+      :scope        => 'profile',
+      :access_token => 'sesame')
+    
+    @authorization = Factory(:authorization,
+      :owner        => @bob,
+      :scope        => 'profile',
+      :access_token => 'magic-key')
+    
+    Songkick::OAuth2::Provider.realm = 'Demo App'
+  end
+  
+  let :token do
+    Songkick::OAuth2::Provider::AccessToken.new(@bob, ['profile'], 'magic-key')
+  end
+  
+  shared_examples_for "valid token" do
+    it "is valid" do
+      token.should be_valid
+    end
+    it "does not add headers" do
+      token.response_headers.should == {}
+    end
+    it "has an OK status code" do
+      token.response_status.should == 200
+    end
+    it "returns the owner who granted the authorization" do
+      token.owner.should == @bob
+    end
+  end
+  
+  shared_examples_for "invalid token" do
+    it "is not valid" do
+      token.should_not be_valid
+    end
+    it "does not return the owner" do
+      token.owner.should be_nil
+    end
+  end
+  
+  describe "with the right user, scope and token" do
+    it_should_behave_like "valid token"
+  end
+  
+  describe "with no user" do
+    let :token do
+      Songkick::OAuth2::Provider::AccessToken.new(nil, ['profile'], 'magic-key')
+    end
+    it_should_behave_like "valid token"
+  end
+  
+  describe "with less scope than was granted" do
+    let :token do
+      Songkick::OAuth2::Provider::AccessToken.new(@bob, [], 'magic-key')
+    end
+    it_should_behave_like "valid token"
+  end
+  
+  describe "when the authorization has expired" do
+    before { @authorization.update_attribute(:expires_at, 1.hour.ago) }
+    it_should_behave_like "invalid token"
+    
+    it "returns an error response" do
+      token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App', error='expired_token'"
+      token.response_status.should == 401
+    end
+  end
+  
+  describe "with a non-existent token" do
+    let :token do
+      Songkick::OAuth2::Provider::AccessToken.new(@bob, ['profile'], 'is-the-password-books')
+    end
+    it_should_behave_like "invalid token"
+    
+    it "returns an error response" do
+      token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App', error='invalid_token'"
+      token.response_status.should == 401
+    end
+  end
+  
+  describe "with a token for the wrong user" do
+    let :token do
+      Songkick::OAuth2::Provider::AccessToken.new(@bob, ['profile'], 'sesame')
+    end
+    it_should_behave_like "invalid token"
+    
+    it "returns an error response" do
+      token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App', error='insufficient_scope'"
+      token.response_status.should == 403
+    end
+  end
+  
+  describe "with a token for an ungranted scope" do
+    let :token do
+      Songkick::OAuth2::Provider::AccessToken.new(@bob, ['offline_access'], 'magic-key')
+    end
+    it_should_behave_like "invalid token"
+    
+    it "returns an error response" do
+      token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App', error='insufficient_scope'"
+      token.response_status.should == 403
+    end
+  end
+  
+  describe "with no token string" do
+    let :token do
+      Songkick::OAuth2::Provider::AccessToken.new(@bob, ['profile'], nil)
+    end
+    it_should_behave_like "invalid token"
+    
+    it "returns an error response" do
+      token.response_headers['WWW-Authenticate'].should == "OAuth realm='Demo App'"
+      token.response_status.should == 401
+    end
+  end
+end
+