Skip to content
Extraits de code Groupes Projets
Valider 73cc5594 rédigé par Augier's avatar Augier Validation de theworldbright
Parcourir les fichiers

Fix travis errors and refactor

parent c6eb7225
Aucune branche associée trouvée
Aucune étiquette associée trouvée
Aucune requête de fusion associée trouvée
Affichage de
avec 104 ajouts et 232 suppressions
......@@ -4,24 +4,30 @@ module OpenidConnect
def initialize(current_user)
super(current_user)
end
def handleResponseType(req, res)
def handle_response_type(req, res)
@response_type = req.response_type
end
def buildAttributes(req, res)
def build_attributes(req, res)
super(req, res)
verifyNonce(req, res)
buildScopes(req)
verify_nonce(req, res)
build_scopes(req)
# TODO: buildRequestObject(req)
end
def verifyNonce(req, res)
def verify_nonce(req, res)
if res.protocol_params_location == :fragment && req.nonce.blank?
req.invalid_request! "nonce required"
end
end
def buildScopes(req)
@scopes = req.scope.inject([]) do |_scopes_, scope|
_scopes_ << (Scope.find_by_name(scope) or req.invalid_scope! "Unknown scope: #{scope}")
end
def build_scopes(req)
@scopes = req.scope.map {|scope|
Scope.where(name: scope).first.tap do |scope|
req.invalid_scope! "Unknown scope: #{scope}" unless scope
end
}
end
end
end
......
module OpenidConnect
module ProtectedResourceEndpoint
def self.included(klass)
klass.send :include, ProtectedResourceEndpoint::Helper
end
......
......@@ -5,25 +5,25 @@ module OpenidConnect
def initialize
@app = Rack::OAuth2::Server::Token.new do |req, res|
o_auth_app = retrieveClient(req)
if isAppValid(o_auth_app, req)
handleFlows(req, res)
o_auth_app = retrieve_client(req)
if app_valid?(o_auth_app, req)
handle_flows(req, res)
else
req.invalid_client!
end
end
end
def handleFlows(req, res)
def handle_flows(req, res)
case req.grant_type
when :password
handlePasswordFlow(req, res)
else
req.unsupported_grant_type!
when :password
handle_password_flow(req, res)
else
req.unsupported_grant_type!
end
end
def handlePasswordFlow(req, res)
def handle_password_flow(req, res)
user = User.find_for_database_authentication(username: req.username)
if user
if user.valid_password?(req.password)
......@@ -36,11 +36,11 @@ module OpenidConnect
end
end
def retrieveClient(req)
def retrieve_client(req)
OAuthApplication.find_by_client_id req.client_id
end
def isAppValid(o_auth_app, req)
def app_valid?(o_auth_app, req)
o_auth_app.client_secret == req.client_secret
end
end
......
require 'spec_helper'
require "spec_helper"
describe Api::V0::BaseController do
end
require 'spec_helper'
require "spec_helper"
describe OpenidConnect::AuthorizationsController, type: :controller do
let!(:client) { OAuthApplication.create!(name: "Diaspora Test Client", redirect_uris: ["http://localhost:3000/"]) }
let!(:client_with_multiple_redirects) { OAuthApplication.create!(name: "Diaspora Test Client", redirect_uris: ["http://localhost:3000/","http://localhost/"]) }
let!(:client_with_multiple_redirects) do
OAuthApplication.create!(
name: "Diaspora Test Client", redirect_uris: ["http://localhost:3000/", "http://localhost/"])
end
before do
sign_in :user, alice
allow(@controller).to receive(:current_user).and_return(alice)
Scope.create!(name:"openid")
Scope.create!(name: "openid")
end
describe "#new" do
......@@ -15,113 +18,71 @@ describe OpenidConnect::AuthorizationsController, type: :controller do
render_views
context "as GET request" do
it "should return a form page" do
get :new,
{
client_id: client.client_id,
redirect_uri: "http://localhost:3000/",
response_type: "id_token",
scope: "openid",
nonce: SecureRandom.hex(16),
state: SecureRandom.hex(16)
}
get :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "id_token",
scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
expect(response.body).to match("Diaspora Test Client")
end
end
context "as POST request" do
it "should return a form page" do
post :new,
{
client_id: client.client_id,
redirect_uri: "http://localhost:3000/",
response_type: "id_token",
scope: "openid",
nonce: SecureRandom.hex(16),
state: SecureRandom.hex(16)
}
post :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "id_token",
scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
expect(response.body).to match("Diaspora Test Client")
end
end
end
context "when client id is missing" do
it "should return an bad request error" do
post :new,
{
redirect_uri: "http://localhost:3000/",
response_type: "id_token",
scope: "openid",
nonce: SecureRandom.hex(16),
state: SecureRandom.hex(16)
}
post :new, redirect_uri: "http://localhost:3000/", response_type: "id_token",
scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
expect(response.body).to match("bad_request")
end
end
context "when redirect uri is missing" do
context "when only one redirect URL is pre-registered" do
it "should return a form pager" do
# Note this intentionally behavior diverts from OIDC spec http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
# When client has only one redirect uri registered, only that redirect uri can be used. Hence,
# we should implicitly assume the client wants to use that registered URI.
# See https://github.com/nov/rack-oauth2/blob/master/lib/rack/oauth2/server/authorize.rb#L63
post :new,
{
client_id: client.client_id,
response_type: "id_token",
scope: "openid",
nonce: SecureRandom.hex(16),
state: SecureRandom.hex(16)
}
post :new, client_id: client.client_id, response_type: "id_token",
scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
expect(response.body).to match("Diaspora Test Client")
end
end
end
context "when multiple redirect URLs are pre-registered" do
it "should return an invalid request error" do
post :new,
{
client_id: client_with_multiple_redirects.client_id,
response_type: "id_token",
scope: "openid",
nonce: SecureRandom.hex(16),
state: SecureRandom.hex(16)
}
post :new, client_id: client_with_multiple_redirects.client_id, response_type: "id_token",
scope: "openid", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
expect(response.body).to match("bad_request")
end
end
context "when redirect URI does not match pre-registered URIs" do
it "should return an invalid request error" do
post :new,
{
client_id: client.client_id,
redirect_uri: "http://localhost:2000/",
response_type: "id_token",
scope: "openid",
nonce: SecureRandom.hex(16)
}
post :new, client_id: client.client_id, redirect_uri: "http://localhost:2000/",
response_type: "id_token", scope: "openid", nonce: SecureRandom.hex(16)
expect(response.body).to match("bad_request")
end
end
context "when an unsupported scope is passed in" do
it "should return an invalid scope error" do
post :new,
{
client_id: client.client_id,
redirect_uri: "http://localhost:3000/",
response_type: "id_token",
scope: "random",
nonce: SecureRandom.hex(16),
state: SecureRandom.hex(16)
}
post :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "id_token",
scope: "random", nonce: SecureRandom.hex(16), state: SecureRandom.hex(16)
expect(response.body).to match("error=invalid_scope")
end
end
context "when nonce is missing" do
it "should return an invalid request error" do
post :new,
{
client_id: client.client_id,
redirect_uri: "http://localhost:3000/",
response_type: "id_token",
scope: "openid",
state: SecureRandom.hex(16)
}
post :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/",
response_type: "id_token", scope: "openid", state: SecureRandom.hex(16)
expect(response.location).to match("error=invalid_request")
end
end
......@@ -129,44 +90,36 @@ describe OpenidConnect::AuthorizationsController, type: :controller do
describe "#create" do
before do
get :new,
{
client_id: client.client_id,
redirect_uri: "http://localhost:3000/",
response_type: "id_token",
scope: "openid",
nonce: SecureRandom.hex(16),
state: 4180930983
}
get :new, client_id: client.client_id, redirect_uri: "http://localhost:3000/", response_type: "id_token",
scope: "openid", nonce: SecureRandom.hex(16), state: 418_093_098_3
end
context "when authorization is approved" do
before do
post :create,
{
approve: "true"
}
post :create, approve: "true"
end
it "should return the id token in a fragment" do
expect(response.location).to have_content("id_token=")
end
it "should return the passed in state" do
expect(response.location).to have_content("state=4180930983")
end
end
context "when authorization is denied" do
before do
post :create,
{
approve: "false"
}
post :create, approve: "false"
end
it "should return an error in the fragment" do
expect(response.location).to have_content("error=")
end
it "should NOT contain a id token in the fragment" do
expect(response.location).to_not have_content("id_token=")
end
end
end
end
require 'spec_helper'
require "spec_helper"
describe OpenidConnect::ClientsController, type: :controller do
describe "#create" do
context "when valid parameters are passed" do
it "should return a client id" do
post :create,
{
redirect_uris: ["http://localhost"]
}
clientJSON = JSON.parse(response.body)
expect(clientJSON["o_auth_application"]["client_id"].length).to eq(32)
post :create, redirect_uris: ["http://localhost"]
client_json = JSON.parse(response.body)
expect(client_json["o_auth_application"]["client_id"].length).to eq(32)
end
end
context "when redirect uri is missing" do
it "should return a invalid_client_metadata error" do
post :create
clientJSON = JSON.parse(response.body)
expect(clientJSON["error"]).to have_content("invalid_client_metadata")
client_json = JSON.parse(response.body)
expect(client_json["error"]).to have_content("invalid_client_metadata")
end
end
end
......
require 'spec_helper'
require "spec_helper"
describe OpenidConnect::ProtectedResourceEndpoint, type: :request do
describe "getting the user info" do
......@@ -8,19 +8,13 @@ describe OpenidConnect::ProtectedResourceEndpoint, type: :request do
context "when access token is valid" do
it "shows the user's username and email" do
get "/api/v0/user/",
{
access_token: token
}
jsonBody = JSON.parse(response.body)
expect(jsonBody["username"]).to eq(bob.username)
expect(jsonBody["email"]).to eq(bob.email)
get "/api/v0/user/", access_token: token
json_body = JSON.parse(response.body)
expect(json_body["username"]).to eq(bob.username)
expect(json_body["email"]).to eq(bob.email)
end
it "should include private in the cache-control header" do
get "/api/v0/user/",
{
access_token: token
}
get "/api/v0/user/", access_token: token
expect(response.headers["Cache-Control"]).to include("private")
end
end
......@@ -38,24 +32,15 @@ describe OpenidConnect::ProtectedResourceEndpoint, type: :request do
context "when an invalid access token is provided" do
it "should respond with a 401 Unauthorized response" do
get "/api/v0/user/",
{
access_token: invalid_token
}
get "/api/v0/user/", access_token: invalid_token
expect(response.status).to be(401)
end
it "should have an auth-scheme value of Bearer" do
get "/api/v0/user/",
{
access_token: invalid_token
}
get "/api/v0/user/", access_token: invalid_token
expect(response.headers["WWW-Authenticate"]).to include("Bearer")
end
it "should contain an invalid_token error" do
get "/api/v0/user/",
{
access_token: invalid_token
}
get "/api/v0/user/", access_token: invalid_token
expect(response.body).to include("invalid_token")
end
end
......
require 'spec_helper'
require "spec_helper"
describe OpenidConnect::TokenEndpoint, type: :request do
let!(:client) { OAuthApplication.create!(redirect_uris: ["http://localhost"]) }
describe "the password grant type" do
context "when the username field is missing" do
it "should return an invalid request error" do
post "/openid_connect/access_tokens",
{
grant_type: "password",
password: "bluepin7",
client_id: client.client_id,
client_secret: client.client_secret
}
post "/openid_connect/access_tokens", grant_type: "password", password: "bluepin7",
client_id: client.client_id, client_secret: client.client_secret
expect(response.body).to include("'username' required")
end
end
context "when the password field is missing" do
it "should return an invalid request error" do
post "/openid_connect/access_tokens",
{
grant_type: "password",
username: "bob",
client_id: client.client_id,
client_secret: client.client_secret
}
post "/openid_connect/access_tokens", grant_type: "password", username: "bob",
client_id: client.client_id, client_secret: client.client_secret
expect(response.body).to include("'password' required")
end
end
context "when the username does not match an existing user" do
it "should return an invalid request error" do
post "/openid_connect/access_tokens",
{
grant_type: "password",
username: "randomnoexist",
password: "bluepin7",
client_id: client.client_id,
client_secret: client.client_secret
}
post "/openid_connect/access_tokens", grant_type: "password", username: "randomnoexist",
password: "bluepin7", client_id: client.client_id, client_secret: client.client_secret
expect(response.body).to include("invalid_grant")
end
end
context "when the password is invalid" do
it "should return an invalid request error" do
post "/openid_connect/access_tokens",
{
grant_type: "password",
username: "bob",
password: "wrongpassword",
client_id: client.client_id,
client_secret: client.client_secret
}
post "/openid_connect/access_tokens", grant_type: "password", username: "bob",
password: "wrongpassword", client_id: client.client_id, client_secret: client.client_secret
expect(response.body).to include("invalid_grant")
end
end
context "when the request is valid" do
it "should return an access token" do
post "/openid_connect/access_tokens",
{
grant_type: "password",
username: "bob",
password: "bluepin7",
client_id: client.client_id,
client_secret: client.client_secret
}
post "/openid_connect/access_tokens", grant_type: "password", username: "bob",
password: "bluepin7", client_id: client.client_id, client_secret: client.client_secret
json = JSON.parse(response.body)
expect(json["access_token"].length).to eq(64)
expect(json["token_type"]).to eq("bearer")
......@@ -71,44 +43,25 @@ describe OpenidConnect::TokenEndpoint, type: :request do
end
context "when there are duplicate fields" do
it "should return an invalid request error" do
post "/openid_connect/access_tokens",
{
grant_type: "password",
username: "bob",
password: "bluepin7",
username: "bob",
password: "bluepin6",
client_id: client.client_id,
client_secret: client.client_secret
}
post "/openid_connect/access_tokens", grant_type: "password", username: "bob", password: "bluepin7",
username: "bob", password: "bluepin6", client_id: client.client_id, client_secret: client.client_secret
expect(response.body).to include("invalid_grant")
end
end
context "when the client is unregistered" do
it "should return an error" do
post "/openid_connect/access_tokens",
{
grant_type: "password",
username: "bob",
password: "bluepin7",
client_id: SecureRandom.hex(16).to_s,
client_secret: client.client_secret
}
post "/openid_connect/access_tokens", grant_type: "password", username: "bob",
password: "bluepin7", client_id: SecureRandom.hex(16).to_s, client_secret: client.client_secret
expect(response.body).to include("invalid_client")
end
end
# TODO: Support a way to prevent brute force attacks using rate-limitation? as specified by RFC 6749 4.3.2 Access Token Request
# TODO: Support a way to prevent brute force attacks using rate-limitation
# as specified by RFC 6749 4.3.2 Access Token Request
end
describe "an unsupported grant type" do
it "should return an unsupported grant type error" do
post "/openid_connect/access_tokens",
{
grant_type: "noexistgrant",
username: "bob",
password: "bluepin7",
client_id: client.client_id,
client_secret: client.client_secret
}
post "/openid_connect/access_tokens", grant_type: "noexistgrant", username: "bob",
password: "bluepin7", client_id: client.client_id, client_secret: client.client_secret
expect(response.body).to include "unsupported_grant_type"
end
end
......
require 'rails_helper'
RSpec.describe OAuthApplication, type: :model do
pending "add some examples to (or delete) #{__FILE__}"
end
require 'rails_helper'
RSpec.describe Token, type: :model do
pending "add some examples to (or delete) #{__FILE__}"
end
require 'spec_helper'
require "spec_helper"
describe Api::V0::BasePresenter do
end
require 'spec_helper'
require "spec_helper"
describe Api::V0::BaseController do
end
......@@ -59,14 +59,6 @@ def photo_fixture_name
@photo_fixture_name = File.join(File.dirname(__FILE__), "fixtures", "button.png")
end
def retrieveAccessToken(user)
o_auth_app = OAuthApplication.create!(client_id: 4, client_secret: "azerty")
user = User.find_for_database_authentication(username: user.username)
if o_auth_app && user && user.valid_password?("bluepin7") # Hard coded password for bob
o_auth_app.tokens.create!.bearer_token.to_s
end
end
# Force fixture rebuild
FileUtils.rm_f(Rails.root.join("tmp", "fixture_builder.yml"))
......
0% Chargement en cours ou .
You are about to add 0 people to the discussion. Proceed with caution.
Terminez d'abord l'édition de ce message.
Veuillez vous inscrire ou vous pour commenter