Add some OAuth tests
authorTom Hughes <tom@compton.nu>
Sat, 19 Nov 2011 17:12:40 +0000 (17:12 +0000)
committerTom Hughes <tom@compton.nu>
Sat, 19 Nov 2011 17:38:06 +0000 (17:38 +0000)
test/fixtures/client_applications.yml
test/integration/oauth_test.rb [new file with mode: 0644]

index 9fe0889ac458708999de0e94dc54dd27797e3e94..e8087eb98dfa3bd24ef4ffe093e5617319125c7a 100644 (file)
@@ -10,3 +10,24 @@ oauth_web_app:
   user_id: 2
   secret: Ur1s9LWWJJuYBiV9cDi3za3OV8TGCoRgUvVXJ5zp7pc
   key: ewvENqsaTXFnZbMWmGDX2g
+  allow_read_prefs: true
+  allow_write_prefs: false
+  allow_write_diary: false
+  allow_write_api: true
+  allow_read_gpx: true
+  allow_write_gpx: false
+
+oauth_desktop_app:
+  name: Some OAuth Desktop App
+  created_at: "2009-04-21 00:00:00"
+  support_url: http://some.desktop.app.org/support
+  updated_at: "2009-04-21 00:00:00"
+  user_id: 2
+  secret: V9DOm1H5qSdIG9IeCTiOkAcCx15bK8bkGxf7XEpF
+  key: rlEdPM6Tp8lpLwvSyNJQ4w
+  allow_read_prefs: true
+  allow_write_prefs: false
+  allow_write_diary: false
+  allow_write_api: true
+  allow_read_gpx: true
+  allow_write_gpx: false
diff --git a/test/integration/oauth_test.rb b/test/integration/oauth_test.rb
new file mode 100644 (file)
index 0000000..9c37ff7
--- /dev/null
@@ -0,0 +1,303 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class OAuthTest < ActionController::IntegrationTest
+  fixtures :users, :client_applications
+
+  include OAuth::Helper
+
+  def test_oauth10_web_app
+    client = client_applications(:oauth_web_app)
+
+    post_via_redirect "/login", 
+      :username => client.user.email, :password => "test"
+    assert_response :success
+
+    signed_get "/oauth/request_token", :consumer => client
+    assert_response :success
+    token = parse_token(response)
+    assert_instance_of RequestToken, token
+    assert_not_nil token.created_at
+    assert_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, client.permissions
+
+    post "/oauth/authorize", 
+      :oauth_token => token.token, 
+      :allow_read_prefs => true, :allow_write_prefs => true
+    assert_response :redirect
+    assert_redirected_to "http://some.web.app.org/callback?oauth_token=#{token.token}"
+    token.reload
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, [ :allow_read_prefs ]
+
+    signed_get "/oauth/access_token", :consumer => client, :token => token
+    assert_response :success
+    token.reload
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_not_nil token.invalidated_at
+    token = parse_token(response)
+    assert_instance_of AccessToken, token
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, [ :allow_read_prefs ]
+
+    signed_get "/oauth/request_token", :consumer => client
+    assert_response :success
+    token = parse_token(response)
+    assert_instance_of RequestToken, token
+    assert_not_nil token.created_at
+    assert_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, client.permissions
+
+    post "/oauth/authorize", 
+      :oauth_token => token.token, 
+      :oauth_callback => "http://another.web.app.org/callback", 
+      :allow_write_api => true, :allow_read_gpx => true
+    assert_response :redirect
+    assert_redirected_to "http://another.web.app.org/callback?oauth_token=#{token.token}"
+    token.reload
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, [ :allow_write_api, :allow_read_gpx ]
+
+    signed_get "/oauth/access_token", :consumer => client, :token => token
+    assert_response :success
+    token.reload
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_not_nil token.invalidated_at
+    token = parse_token(response)
+    assert_instance_of AccessToken, token
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, [ :allow_write_api, :allow_read_gpx ]
+  end
+
+  def test_oauth10_desktop_app
+    client = client_applications(:oauth_desktop_app)
+
+    post_via_redirect "/login", 
+      :username => client.user.email, :password => "test"
+    assert_response :success
+
+    signed_get "/oauth/request_token", :consumer => client
+    assert_response :success
+    token = parse_token(response)
+    assert_instance_of RequestToken, token
+    assert_not_nil token.created_at
+    assert_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, client.permissions
+
+    post "/oauth/authorize", 
+      :oauth_token => token.token, 
+      :allow_read_prefs => true, :allow_write_prefs => true
+    assert_response :success
+    assert_template "authorize_success"
+    token.reload
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, [ :allow_read_prefs ]
+
+    signed_get "/oauth/access_token", :consumer => client, :token => token
+    assert_response :success
+    token.reload
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_not_nil token.invalidated_at
+    token = parse_token(response)
+    assert_instance_of AccessToken, token
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, [ :allow_read_prefs ]
+  end
+
+  def test_oauth10a_web_app
+    client = client_applications(:oauth_web_app)
+
+    post_via_redirect "/login",
+      :username => client.user.email, :password => "test"
+    assert_response :success
+
+    signed_get "/oauth/request_token",
+      :consumer => client, :oauth_callback => "oob"
+    assert_response :success
+    token = parse_token(response)
+    assert_instance_of RequestToken, token
+    assert_not_nil token.created_at
+    assert_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, client.permissions
+
+    post "/oauth/authorize",
+      :oauth_token => token.token,
+      :allow_read_prefs => true, :allow_write_prefs => true
+    assert_response :redirect
+    verifier = parse_verifier(response)
+    assert_redirected_to "http://some.web.app.org/callback?oauth_token=#{token.token}&oauth_verifier=#{verifier}"
+    token.reload
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, [ :allow_read_prefs ]
+
+    signed_get "/oauth/access_token", :consumer => client, :token => token
+    assert_response :unauthorized
+
+    signed_get "/oauth/access_token",
+      :consumer => client, :token => token, :oauth_verifier => verifier
+    assert_response :success
+    token.reload
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_not_nil token.invalidated_at
+    token = parse_token(response)
+    assert_instance_of AccessToken, token
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, [ :allow_read_prefs ]
+
+    signed_get "/oauth/request_token",
+      :consumer => client,
+      :oauth_callback => "http://another.web.app.org/callback"
+    assert_response :success
+    token = parse_token(response)
+    assert_instance_of RequestToken, token
+    assert_not_nil token.created_at
+    assert_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, client.permissions
+
+    post "/oauth/authorize",
+      :oauth_token => token.token,
+      :allow_write_api => true, :allow_read_gpx => true
+    assert_response :redirect
+    verifier = parse_verifier(response)
+    assert_redirected_to "http://another.web.app.org/callback?oauth_token=#{token.token}&oauth_verifier=#{verifier}"
+    token.reload
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, [ :allow_write_api, :allow_read_gpx ]
+
+    signed_get "/oauth/access_token", :consumer => client, :token => token
+    assert_response :unauthorized
+
+    signed_get "/oauth/access_token",
+      :consumer => client, :token => token, :oauth_verifier => verifier
+    assert_response :success
+    token.reload
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_not_nil token.invalidated_at
+    token = parse_token(response)
+    assert_instance_of AccessToken, token
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, [ :allow_write_api, :allow_read_gpx ]
+  end
+
+  def test_oauth10a_desktop_app
+    client = client_applications(:oauth_desktop_app)
+
+    post_via_redirect "/login", 
+      :username => client.user.email, :password => "test"
+    assert_response :success
+
+    signed_get "/oauth/request_token",
+      :consumer => client, :oauth_callback => "oob"
+    assert_response :success
+    token = parse_token(response)
+    assert_instance_of RequestToken, token
+    assert_not_nil token.created_at
+    assert_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, client.permissions
+
+    post "/oauth/authorize", 
+      :oauth_token => token.token, 
+      :allow_read_prefs => true, :allow_write_prefs => true
+    assert_response :success
+    assert_template "authorize_success"
+    m = response.body.match("<p>The verification code is ([A-Za-z0-9]+)</p>")
+    assert_not_nil m
+    verifier = m[1]
+    token.reload
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, [ :allow_read_prefs ]
+
+    signed_get "/oauth/access_token", :consumer => client, :token => token
+    assert_response :unauthorized
+
+    signed_get "/oauth/access_token",
+      :consumer => client, :token => token, :oauth_verifier => verifier
+    assert_response :success
+    token.reload
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_not_nil token.invalidated_at
+    token = parse_token(response)
+    assert_instance_of AccessToken, token
+    assert_not_nil token.created_at
+    assert_not_nil token.authorized_at
+    assert_nil token.invalidated_at
+    assert_allowed token, [ :allow_read_prefs ]
+  end
+
+private
+
+  def signed_get(uri, options)
+    uri = URI.parse(uri)
+    uri.scheme ||= "http"
+    uri.host ||= host
+
+    helper = OAuth::Client::Helper.new(nil, options)
+
+    request = OAuth::RequestProxy.proxy(
+      "method" => "GET",
+      "uri" => uri,
+      "parameters" => helper.oauth_parameters
+    )
+
+    request.sign!(options)
+
+    get request.signed_uri
+  end
+
+  def parse_token(response)
+    params = CGI.parse(response.body)
+
+    token = OauthToken.find_by_token(params["oauth_token"].first)
+    assert_equal token.secret, params["oauth_token_secret"].first
+
+    token
+  end
+
+  def parse_verifier(response)
+    params = CGI.parse(URI.parse(response.location).query)
+
+    assert_not_nil params["oauth_verifier"]
+    assert_present params["oauth_verifier"].first
+
+    params["oauth_verifier"].first
+  end
+
+  def assert_allowed(token, allowed)
+    ClientApplication.all_permissions.each do |p|
+      assert_equal allowed.include?(p), token.attributes[p.to_s]
+    end
+  end
+end