tpitale-rack-oauth2-server 2.2.1

data/test/oauth/authorization_test.rb

@@ -0,0 +1,298 @@
+require "test/setup"
+
+
+# 3.  Obtaining End-User Authorization
+class AuthorizationTest < Test::Unit::TestCase
+  module Helpers
+
+    def should_redirect_with_error(error)
+      should "respond with status code 302 (Found)" do
+        assert_equal 302, last_response.status
+      end
+      should "redirect back to redirect_uri" do
+        assert_equal URI.parse(last_response["Location"]).host, "uberclient.dot"
+      end
+      should "redirect with error code #{error}" do
+        assert_equal error.to_s, Rack::Utils.parse_query(URI.parse(last_response["Location"]).query)["error"]
+      end
+      should "redirect with state parameter" do
+        assert_equal "bring this back", Rack::Utils.parse_query(URI.parse(last_response["Location"]).query)["state"]
+      end
+    end
+
+    def should_ask_user_for_authorization(&block)
+      should "inform user about client" do
+        response = last_response.body.split("\n").inject({}) { |h,l| n,v = l.split(/:\s*/) ; h[n.downcase] = v ; h }
+        assert_equal "UberClient", response["client"]
+      end
+      should "inform user about scope" do
+        response = last_response.body.split("\n").inject({}) { |h,l| n,v = l.split(/:\s*/) ; h[n.downcase] = v ; h }
+        assert_equal "read, write", response["scope"]
+      end
+    end
+
+  end
+  extend Helpers
+
+  def setup
+    super
+    @params = { :redirect_uri=>client.redirect_uri, :client_id=>client.id, :client_secret=>client.secret, :response_type=>"code",
+                :scope=>"read write", :state=>"bring this back" }
+  end
+
+  def request_authorization(changes = nil)
+    get "/oauth/authorize?" + Rack::Utils.build_query(@params.merge(changes || {}))
+    get last_response["Location"] if last_response.status == 303
+  end
+
+  def authorization
+    last_response.body[/authorization:\s*(\S+)/, 1]
+  end
+
+
+  # Checks before we request user for authorization.
+  # 3.2.  Error Response
+
+  context "no redirect URI" do
+    setup { request_authorization :redirect_uri=>nil }
+    should "return status 400" do
+      assert_equal 400, last_response.status
+    end
+  end
+
+  context "invalid redirect URI" do
+    setup { request_authorization :redirect_uri=>"http:not-valid" }
+    should "return status 400" do
+      assert_equal 400, last_response.status
+    end
+  end
+
+  context "no client ID" do
+    setup { request_authorization :client_id=>nil }
+    should_redirect_with_error :invalid_client
+  end
+
+  context "invalid client ID" do
+    setup { request_authorization :client_id=>"foobar" }
+    should_redirect_with_error :invalid_client
+  end
+
+  context "client ID but no such client" do
+    setup { request_authorization :client_id=>"4cc7bc483321e814b8000000" }
+    should_redirect_with_error :invalid_client
+  end
+
+  context "mismatched redirect URI" do
+    setup { request_authorization :redirect_uri=>"http://uberclient.dot/oz" }
+    should_redirect_with_error :redirect_uri_mismatch
+  end
+
+  context "revoked client" do
+    setup do
+      client.revoke!
+      request_authorization
+    end
+    should_redirect_with_error :invalid_client
+  end
+
+  context "no response type" do
+    setup { request_authorization :response_type=>nil }
+    should_redirect_with_error :unsupported_response_type
+  end
+
+  context "unknown response type" do
+    setup { request_authorization :response_type=>"foobar" }
+    should_redirect_with_error :unsupported_response_type
+  end
+
+  context "unsupported scope" do
+    setup do
+      request_authorization :scope=>"read write math"
+    end
+    should_redirect_with_error :invalid_scope
+  end
+
+
+  # 3.1.  Authorization Response
+  
+  context "expecting authorization code" do
+    setup do
+      @params[:response_type] = "code"
+      request_authorization
+    end
+    should_ask_user_for_authorization
+
+    context "and granted" do
+      setup { post "/oauth/grant", :authorization=>authorization }
+
+      should "redirect" do
+        assert_equal 302, last_response.status
+      end
+      should "redirect back to client" do
+        uri = URI.parse(last_response["Location"])
+        assert_equal "uberclient.dot", uri.host
+        assert_equal "/callback", uri.path
+      end
+
+      context "redirect URL query parameters" do
+        setup { @return = Rack::Utils.parse_query(URI.parse(last_response["Location"]).query) }
+
+        should "include authorization code" do
+          assert_match /[a-f0-9]{32}/i, @return["code"]
+        end
+
+        should "include original scope" do
+          assert_equal "read write", @return["scope"]
+        end
+
+        should "include state from requet" do
+          assert_equal "bring this back", @return["state"]
+        end
+      end
+    end
+
+    context "and denied" do
+      setup { post "/oauth/deny", :authorization=>authorization }
+
+      should "redirect" do
+        assert_equal 302, last_response.status
+      end
+      should "redirect back to client" do
+        uri = URI.parse(last_response["Location"])
+        assert_equal "uberclient.dot", uri.host
+        assert_equal "/callback", uri.path
+      end
+
+      context "redirect URL" do
+        setup { @return = Rack::Utils.parse_query(URI.parse(last_response["Location"]).query) }
+
+        should "not include authorization code" do
+          assert !@return["code"]
+        end
+
+        should "include error code" do
+          assert_equal "access_denied", @return["error"]
+        end
+
+        should "include state from requet" do
+          assert_equal "bring this back", @return["state"]
+        end
+      end
+    end
+  end
+
+
+  context "expecting access token" do
+    setup do
+      @params[:response_type] = "token"
+      request_authorization
+    end
+    should_ask_user_for_authorization
+
+    context "and granted" do
+      setup { post "/oauth/grant", :authorization=>authorization }
+
+      should "redirect" do
+        assert_equal 302, last_response.status
+      end
+      should "redirect back to client" do
+        uri = URI.parse(last_response["Location"])
+        assert_equal "uberclient.dot", uri.host
+        assert_equal "/callback", uri.path
+      end
+
+      context "redirect URL fragment identifier" do
+        setup { @return = Rack::Utils.parse_query(URI.parse(last_response["Location"]).fragment) }
+
+        should "include access token" do
+          assert_match /[a-f0-9]{32}/i, @return["access_token"]
+        end
+
+        should "include original scope" do
+          assert_equal "read write", @return["scope"]
+        end
+
+        should "include state from requet" do
+          assert_equal "bring this back", @return["state"]
+        end
+      end
+    end
+
+    context "and denied" do
+      setup { post "/oauth/deny", :authorization=>authorization }
+
+      should "redirect" do
+        assert_equal 302, last_response.status
+      end
+      should "redirect back to client" do
+        uri = URI.parse(last_response["Location"])
+        assert_equal "uberclient.dot", uri.host
+        assert_equal "/callback", uri.path
+      end
+
+      context "redirect URL" do
+        setup { @return = Rack::Utils.parse_query(URI.parse(last_response["Location"]).fragment) }
+
+        should "not include authorization code" do
+          assert !@return["code"]
+        end
+
+        should "include error code" do
+          assert_equal "access_denied", @return["error"]
+        end
+
+        should "include state from requet" do
+          assert_equal "bring this back", @return["state"]
+        end
+      end
+    end
+  end
+
+
+  # Using existing authorization request
+
+  context "with authorization request" do
+    setup do
+      request_authorization
+      get "/oauth/authorize?" + Rack::Utils.build_query(:authorization=>authorization)
+    end
+
+    should_ask_user_for_authorization
+  end
+
+  context "with invalid authorization request" do
+    setup do
+      request_authorization
+      get "/oauth/authorize?" + Rack::Utils.build_query(:authorization=>"foobar")
+    end
+
+    should "return status 400" do
+      assert_equal 400, last_response.status
+    end
+  end
+
+  context "with revoked authorization request" do
+    setup do
+      request_authorization
+      response = last_response.body.split("\n").inject({}) { |h,l| n,v = l.split(/:\s*/) ; h[n.downcase] = v ; h }
+      client.revoke!
+      get "/oauth/authorize?" + Rack::Utils.build_query(:authorization=>response["authorization"])
+    end
+
+    should "return status 400" do
+      assert_equal 400, last_response.status
+    end
+  end
+
+
+  # Edge cases
+
+  context "unregistered redirect URI" do
+    setup do
+      Rack::OAuth2::Server::Client.collection.update({ :_id=>client._id }, { :$set=>{ :redirect_uri=>nil } })
+      request_authorization :redirect_uri=>"http://uberclient.dot/oz"
+    end
+    should_ask_user_for_authorization
+  end
+
+end

data/test/oauth/server_methods_test.rb

@@ -0,0 +1,292 @@
+require "test/setup"
+
+
+# Tests the Server API
+class ServerTest < Test::Unit::TestCase
+  def setup
+    super
+  end
+
+  context "get_auth_request" do
+    setup { @request = Server::AuthRequest.create(client, client.scope.join(" "), client.redirect_uri, "token", nil) }
+    should "return authorization request" do
+      assert_equal @request.id, Server.get_auth_request(@request.id).id
+    end
+
+    should "return nil if no request found" do
+      assert !Server.get_auth_request("4ce2488e3321e87ac1000004")
+    end
+  end
+
+
+  context "get_client" do
+    should "return authorization request" do
+      assert_equal client.display_name, Server.get_client(client.id).display_name
+    end
+
+    should "return nil if no client found" do
+      assert !Server.get_client("4ce2488e3321e87ac1000004")
+    end
+  end
+
+
+  context "register" do
+    context "no client ID" do
+      setup do
+        @client = Server.register(:display_name=>"MyApp", :link=>"http://example.org", :image_url=>"http://example.org/favicon.ico",
+                                  :redirect_uri=>"http://example.org/oauth/callback", :scope=>%w{read write})
+      end
+
+      should "create new client" do
+        assert_equal 2, Server::Client.collection.count
+        assert_contains Server::Client.all.map(&:id), @client.id
+      end
+
+      should "set display name" do
+        assert_equal "MyApp", Server.get_client(@client.id).display_name
+      end
+
+      should "set link" do
+        assert_equal "http://example.org", Server.get_client(@client.id).link
+      end
+
+      should "set image URL" do
+        assert_equal "http://example.org/favicon.ico", Server.get_client(@client.id).image_url
+      end
+
+      should "set redirect URI" do
+        assert_equal "http://example.org/oauth/callback", Server.get_client(@client.id).redirect_uri
+      end
+
+      should "set scope" do
+        assert_equal %w{read write}, Server.get_client(@client.id).scope
+      end
+
+      should "assign client an ID" do
+        assert_match /[0-9a-f]{24}/, @client.id.to_s
+      end
+
+      should "assign client a secret" do
+        assert_match /[0-9a-f]{64}/, @client.secret
+      end
+    end
+
+    context "with client ID" do
+
+      context "no such client" do
+        setup do
+          @client = Server.register(:id=>"4ce24c423321e88ac5000015", :secret=>"foobar", :display_name=>"MyApp")
+        end
+
+        should "create new client" do
+          assert_equal 2, Server::Client.collection.count
+        end
+
+        should "should assign it the client identifier" do
+          assert_equal "4ce24c423321e88ac5000015", @client.id.to_s
+        end
+
+        should "should assign it the client secret" do
+          assert_equal "foobar", @client.secret
+        end
+
+        should "should assign it the other properties" do
+          assert_equal "MyApp", @client.display_name
+        end
+      end
+
+      context "existing client" do
+        setup do
+          Server.register(:id=>"4ce24c423321e88ac5000015", :secret=>"foobar", :display_name=>"MyApp")
+          @client = Server.register(:id=>"4ce24c423321e88ac5000015", :secret=>"foobar", :display_name=>"Rock Star")
+        end
+
+        should "not create new client" do
+          assert_equal 2, Server::Client.collection.count
+        end
+
+        should "should not change the client identifier" do
+          assert_equal "4ce24c423321e88ac5000015", @client.id.to_s
+        end
+
+        should "should not change the client secret" do
+          assert_equal "foobar", @client.secret
+        end
+
+        should "should change all the other properties" do
+          assert_equal "Rock Star", @client.display_name
+        end
+      end
+
+      context "secret mismatch" do
+        setup do
+          Server.register(:id=>"4ce24c423321e88ac5000015", :secret=>"foobar", :display_name=>"MyApp")
+        end
+
+        should "raise error" do
+          assert_raises RuntimeError do
+            Server.register(:id=>"4ce24c423321e88ac5000015", :secret=>"wrong", :display_name=>"MyApp")
+          end
+        end
+      end
+
+    end
+  end
+
+  
+  context "access_grant" do
+    setup do
+      code = Server.access_grant("Batman", client.id, %w{read})
+      basic_authorize client.id, client.secret
+      post "/oauth/access_token", :scope=>"read", :grant_type=>"authorization_code", :code=>code, :redirect_uri=>client.redirect_uri
+      @token = JSON.parse(last_response.body)["access_token"]
+    end
+
+    should "resolve into an access token" do
+      assert Server.get_access_token(@token)
+    end
+
+    should "resolve into access token with grant identity" do
+      assert_equal "Batman", Server.get_access_token(@token).identity
+    end
+
+    should "resolve into access token with grant scope" do
+      assert_equal %w{read}, Server.get_access_token(@token).scope
+    end
+
+    should "resolve into access token with grant client" do
+      assert_equal client.id, Server.get_access_token(@token).client_id
+    end
+
+    context "with no scope" do
+      setup { @code = Server.access_grant("Batman", client.id) }
+
+      should "pick client scope" do
+        assert_equal %w{oauth-admin read write}, Server::AccessGrant.from_code(@code).scope
+      end
+    end
+
+    context "no expiration" do
+      setup do
+        @code = Server.access_grant("Batman", client.id)
+      end
+
+      should "not expire in a minute" do
+        Timecop.travel 60 do
+          basic_authorize client.id, client.secret
+          post "/oauth/access_token", :scope=>"read", :grant_type=>"authorization_code", :code=>@code, :redirect_uri=>client.redirect_uri
+          assert_equal 200, last_response.status
+        end
+      end
+
+      should "expire after 5 minutes" do
+        Timecop.travel 300 do
+          basic_authorize client.id, client.secret
+          post "/oauth/access_token", :scope=>"read", :grant_type=>"authorization_code", :code=>@code, :redirect_uri=>client.redirect_uri
+          assert_equal 400, last_response.status
+        end
+      end
+    end
+
+    context "expiration set" do
+      setup do
+        @code = Server.access_grant("Batman", client.id, nil, 1800)
+      end
+
+      should "not expire prematurely" do
+        Timecop.travel 1750 do
+          basic_authorize client.id, client.secret
+          post "/oauth/access_token", :scope=>"read", :grant_type=>"authorization_code", :code=>@code, :redirect_uri=>client.redirect_uri
+          assert_equal 200, last_response.status
+        end
+      end
+
+      should "expire after specified seconds" do
+        Timecop.travel 1800 do
+          basic_authorize client.id, client.secret
+          post "/oauth/access_token", :scope=>"read", :grant_type=>"authorization_code", :code=>@code, :redirect_uri=>client.redirect_uri
+          assert_equal 400, last_response.status
+        end
+      end
+    end
+
+  end
+
+
+  context "get_access_token" do
+    setup { @token = Server.token_for("Batman", client.id, %w{read}) }
+    should "return authorization request" do
+      assert_equal @token, Server.get_access_token(@token).token
+    end
+
+    should "return nil if no client found" do
+      assert !Server.get_access_token("4ce2488e3321e87ac1000004")
+    end
+
+    context "with no scope" do
+      setup { @token = Server.token_for("Batman", client.id) }
+
+      should "pick client scope" do
+        assert_equal %w{oauth-admin read write}, Server::AccessToken.from_token(@token).scope
+      end
+    end
+  end
+
+
+  context "token_for" do
+    setup { @token = Server.token_for("Batman", client.id, %w{read write}) }
+
+    should "return access token" do
+      assert_match /[0-9a-f]{32}/, @token
+    end
+
+    should "associate token with client" do
+      assert_equal client.id, Server.get_access_token(@token).client_id
+    end
+
+    should "associate token with identity" do
+      assert_equal "Batman", Server.get_access_token(@token).identity
+    end
+
+    should "associate token with scope" do
+      assert_equal %w{read write}, Server.get_access_token(@token).scope
+    end
+
+    should "return same token for same parameters" do
+      assert_equal @token, Server.token_for("Batman", client.id, %w{write read})
+    end
+
+    should "return different token for different identity" do
+      assert @token != Server.token_for("Superman", client.id, %w{read write})
+    end
+
+    should "return different token for different client" do
+      client = Server.register(:display_name=>"MyApp")
+      assert @token != Server.token_for("Batman", client.id, %w{read write})
+    end
+
+    should "return different token for different scope" do
+      assert @token != Server.token_for("Batman", client.id, %w{read})
+    end
+  end
+
+
+  context "list access tokens" do
+    setup do
+      @one = Server.token_for("Batman", client.id, %w{read})
+      @two = Server.token_for("Superman", client.id, %w{read})
+      @three = Server.token_for("Batman", client.id, %w{write})
+    end
+
+    should "return all tokens for identity" do
+      assert_contains Server.list_access_tokens("Batman").map(&:token), @one
+      assert_contains Server.list_access_tokens("Batman").map(&:token), @three
+    end
+
+    should "not return tokens for other identities" do
+      assert !Server.list_access_tokens("Batman").map(&:token).include?(@two)
+    end
+
+  end
+
+end