167 lines
5.5 KiB
Ruby
167 lines
5.5 KiB
Ruby
# Copyright 2015, Google Inc.
|
|
# All rights reserved.
|
|
#
|
|
# Redistribution and use in source and binary forms, with or without
|
|
# modification, are permitted provided that the following conditions are
|
|
# met:
|
|
#
|
|
# * Redistributions of source code must retain the above copyright
|
|
# notice, this list of conditions and the following disclaimer.
|
|
# * Redistributions in binary form must reproduce the above
|
|
# copyright notice, this list of conditions and the following disclaimer
|
|
# in the documentation and/or other materials provided with the
|
|
# distribution.
|
|
# * Neither the name of Google Inc. nor the names of its
|
|
# contributors may be used to endorse or promote products derived from
|
|
# this software without specific prior written permission.
|
|
#
|
|
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
spec_dir = File.expand_path File.join(File.dirname(__FILE__))
|
|
$LOAD_PATH.unshift spec_dir
|
|
$LOAD_PATH.uniq!
|
|
|
|
require "googleauth"
|
|
require "googleauth/web_user_authorizer"
|
|
require "uri"
|
|
require "multi_json"
|
|
require "spec_helper"
|
|
require "rack"
|
|
|
|
describe Google::Auth::WebUserAuthorizer do
|
|
include TestHelpers
|
|
|
|
let(:client_id) { Google::Auth::ClientId.new "testclient", "notasecret" }
|
|
let(:scope) { %w[email profile] }
|
|
let(:token_store) { DummyTokenStore.new }
|
|
let :authorizer do
|
|
Google::Auth::WebUserAuthorizer.new client_id, scope, token_store
|
|
end
|
|
|
|
describe "#get_authorization_url" do
|
|
let :env do
|
|
Rack::MockRequest.env_for(
|
|
"http://example.com:8080/test",
|
|
"REMOTE_ADDR" => "10.10.10.10"
|
|
)
|
|
end
|
|
let(:request) { Rack::Request.new env }
|
|
it "should include current url in state" do
|
|
url = authorizer.get_authorization_url request: request
|
|
expect(url).to match(
|
|
%r{%22current_uri%22:%22http://example.com:8080/test%22}
|
|
)
|
|
end
|
|
|
|
it "should include request forgery token in state" do
|
|
expect(SecureRandom).to receive(:base64).and_return("aGVsbG8=")
|
|
url = authorizer.get_authorization_url request: request
|
|
expect(url).to match(/%22session_id%22:%22aGVsbG8=%22/)
|
|
end
|
|
|
|
it "should include request forgery token in session" do
|
|
expect(SecureRandom).to receive(:base64).and_return("aGVsbG8=")
|
|
authorizer.get_authorization_url request: request
|
|
expect(request.session["g-xsrf-token"]).to eq "aGVsbG8="
|
|
end
|
|
|
|
it "should resolve callback against base URL" do
|
|
url = authorizer.get_authorization_url request: request
|
|
expect(url).to match(
|
|
%r{redirect_uri=http://example.com:8080/oauth2callback}
|
|
)
|
|
end
|
|
|
|
it "should allow overriding the current URL" do
|
|
url = authorizer.get_authorization_url(
|
|
request: request,
|
|
redirect_to: "/foo"
|
|
)
|
|
expect(url).to match %r{%22current_uri%22:%22/foo%22}
|
|
end
|
|
|
|
it "should pass through login hint" do
|
|
url = authorizer.get_authorization_url(
|
|
request: request,
|
|
login_hint: "user@example.com"
|
|
)
|
|
expect(url).to match(/login_hint=user@example.com/)
|
|
end
|
|
end
|
|
|
|
shared_examples "handles callback" do
|
|
let :token_json do
|
|
MultiJson.dump("access_token" => "1/abc123",
|
|
"token_type" => "Bearer",
|
|
"expires_in" => 3600)
|
|
end
|
|
|
|
before :example do
|
|
stub_request(:post, "https://oauth2.googleapis.com/token")
|
|
.to_return(body: token_json,
|
|
status: 200,
|
|
headers: { "Content-Type" => "application/json" })
|
|
end
|
|
|
|
let :env do
|
|
Rack::MockRequest.env_for(
|
|
"http://example.com:8080/oauth2callback?code=authcode&"\
|
|
"state=%7B%22current_uri%22%3A%22%2Ffoo%22%2C%22"\
|
|
"session_id%22%3A%22abc%22%7D",
|
|
"REMOTE_ADDR" => "10.10.10.10"
|
|
)
|
|
end
|
|
let(:request) { Rack::Request.new env }
|
|
|
|
before :example do
|
|
request.session["g-xsrf-token"] = "abc"
|
|
end
|
|
|
|
it "should return credentials when valid code present" do
|
|
expect(credentials).to be_instance_of(
|
|
Google::Auth::UserRefreshCredentials
|
|
)
|
|
end
|
|
|
|
it "should return next URL to redirect to" do
|
|
expect(next_url).to eq "/foo"
|
|
end
|
|
|
|
it "should fail if xrsf token in session and does not match request" do
|
|
request.session["g-xsrf-token"] = "123"
|
|
expect { credentials }.to raise_error(Signet::AuthorizationError)
|
|
end
|
|
end
|
|
|
|
describe "#handle_auth_callback" do
|
|
let(:result) { authorizer.handle_auth_callback "user1", request }
|
|
let(:credentials) { result[0] }
|
|
let(:next_url) { result[1] }
|
|
|
|
it_behaves_like "handles callback"
|
|
end
|
|
|
|
describe "#handle_auth_callback_deferred and #get_credentials" do
|
|
let :next_url do
|
|
Google::Auth::WebUserAuthorizer.handle_auth_callback_deferred request
|
|
end
|
|
|
|
let :credentials do
|
|
next_url
|
|
authorizer.get_credentials "user1", request
|
|
end
|
|
|
|
it_behaves_like "handles callback"
|
|
end
|
|
end
|