google-auth-library-ruby/spec/googleauth/web_user_authorizer_spec.rb

# Copyright 2015, Google Inc.
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions are
# met:
#
#     * Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
#     * Redistributions in binary form must reproduce the above
# copyright notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#     * Neither the name of Google Inc. nor the names of its
# contributors may be used to endorse or promote products derived from
# this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

spec_dir = File.expand_path(File.join(File.dirname(__FILE__)))
$LOAD_PATH.unshift(spec_dir)
$LOAD_PATH.uniq!

require 'googleauth'
require 'googleauth/web_user_authorizer'
require 'uri'
require 'multi_json'
require 'spec_helper'
require 'rack'

describe Google::Auth::WebUserAuthorizer do
  include TestHelpers

  let(:client_id) { Google::Auth::ClientId.new('testclient', 'notasecret') }
  let(:scope) { %w(email profile) }
  let(:token_store) { DummyTokenStore.new }
  let(:authorizer) do
    Google::Auth::WebUserAuthorizer.new(client_id, scope, token_store)
  end

  describe '#get_authorization_url' do
    let(:env) do
      Rack::MockRequest.env_for(
        'http://example.com:8080/test',
        'REMOTE_ADDR' => '10.10.10.10'
      )
    end
    let(:request) { Rack::Request.new(env) }
    it 'should include current url in state' do
      url = authorizer.get_authorization_url(request: request)
      expect(url).to match(
        %r{%22current_uri%22:%22http://example.com:8080/test%22}
      )
    end

    it 'should include request forgery token in state' do
      expect(SecureRandom).to receive(:base64).and_return('aGVsbG8=')
      url = authorizer.get_authorization_url(request: request)
      expect(url).to match(/%22session_id%22:%22aGVsbG8=%22/)
    end

    it 'should include request forgery token in session' do
      expect(SecureRandom).to receive(:base64).and_return('aGVsbG8=')
      authorizer.get_authorization_url(request: request)
      expect(request.session['g-xsrf-token']).to eq 'aGVsbG8='
    end

    it 'should resolve callback against base URL' do
      url = authorizer.get_authorization_url(request: request)
      expect(url).to match(
        %r{redirect_uri=http://example.com:8080/oauth2callback}
      )
    end

    it 'should allow overriding the current URL' do
      url = authorizer.get_authorization_url(
        request: request,
        redirect_to: '/foo'
      )
      expect(url).to match %r{%22current_uri%22:%22/foo%22}
    end

    it 'should pass through login hint' do
      url = authorizer.get_authorization_url(
        request: request,
        login_hint: 'user@example.com'
      )
      expect(url).to match(/login_hint=user@example.com/)
    end
  end

  shared_examples 'handles callback' do
    let(:token_json) do
      MultiJson.dump('access_token' => '1/abc123',
                     'token_type' => 'Bearer',
                     'expires_in' => 3600)
    end

    before(:example) do
      stub_request(:post, 'https://oauth2.googleapis.com/token')
        .to_return(body: token_json,
                   status: 200,
                   headers: { 'Content-Type' => 'application/json' })
    end

    let(:env) do
      Rack::MockRequest.env_for(
        'http://example.com:8080/oauth2callback?code=authcode&'\
        'state=%7B%22current_uri%22%3A%22%2Ffoo%22%2C%22'\
        'session_id%22%3A%22abc%22%7D',
        'REMOTE_ADDR' => '10.10.10.10'
      )
    end
    let(:request) { Rack::Request.new(env) }

    before(:example) do
      request.session['g-xsrf-token'] = 'abc'
    end

    it 'should return credentials when valid code present' do
      expect(credentials).to be_instance_of(
        Google::Auth::UserRefreshCredentials
      )
    end

    it 'should return next URL to redirect to' do
      expect(next_url).to eq '/foo'
    end

    it 'should fail if xrsf token in session and does not match request' do
      request.session['g-xsrf-token'] = '123'
      expect { credentials }.to raise_error(Signet::AuthorizationError)
    end
  end

  describe '#handle_auth_callback' do
    let(:result) { authorizer.handle_auth_callback('user1', request) }
    let(:credentials) { result[0] }
    let(:next_url) { result[1] }

    it_behaves_like 'handles callback'
  end

  describe '#handle_auth_callback_deferred and #get_credentials' do
    let(:next_url) do
      Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred(request)
    end

    let(:credentials) do
      next_url
      authorizer.get_credentials('user1', request)
    end

    it_behaves_like 'handles callback'
  end
end