]> git.openstreetmap.org Git - rails.git/blob - test/controllers/oauth2_authorizations_controller_test.rb
Merge remote-tracking branch 'upstream/pull/3982'
[rails.git] / test / controllers / oauth2_authorizations_controller_test.rb
1 require "test_helper"
2
3 class Oauth2AuthorizationsControllerTest < ActionDispatch::IntegrationTest
4   ##
5   # test all routes which lead to this controller
6   def test_routes
7     assert_routing(
8       { :path => "/oauth2/authorize", :method => :get },
9       { :controller => "oauth2_authorizations", :action => "new" }
10     )
11     assert_routing(
12       { :path => "/oauth2/authorize", :method => :post },
13       { :controller => "oauth2_authorizations", :action => "create" }
14     )
15     assert_routing(
16       { :path => "/oauth2/authorize", :method => :delete },
17       { :controller => "oauth2_authorizations", :action => "destroy" }
18     )
19     assert_routing(
20       { :path => "/oauth2/authorize/native", :method => :get },
21       { :controller => "oauth2_authorizations", :action => "show" }
22     )
23   end
24
25   def test_new
26     application = create(:oauth_application, :scopes => "write_api")
27
28     get oauth_authorization_path(:client_id => application.uid,
29                                  :redirect_uri => application.redirect_uri,
30                                  :response_type => "code",
31                                  :scope => "write_api")
32     assert_response :redirect
33     assert_redirected_to login_path(:referer => oauth_authorization_path(:client_id => application.uid,
34                                                                          :redirect_uri => application.redirect_uri,
35                                                                          :response_type => "code",
36                                                                          :scope => "write_api"))
37
38     session_for(create(:user))
39
40     get oauth_authorization_path(:client_id => application.uid,
41                                  :redirect_uri => application.redirect_uri,
42                                  :response_type => "code",
43                                  :scope => "write_api")
44     assert_response :success
45     assert_template "oauth2_authorizations/new"
46   end
47
48   def test_new_native
49     application = create(:oauth_application, :scopes => "write_api", :redirect_uri => "urn:ietf:wg:oauth:2.0:oob")
50
51     get oauth_authorization_path(:client_id => application.uid,
52                                  :redirect_uri => application.redirect_uri,
53                                  :response_type => "code",
54                                  :scope => "write_api")
55     assert_response :redirect
56     assert_redirected_to login_path(:referer => oauth_authorization_path(:client_id => application.uid,
57                                                                          :redirect_uri => application.redirect_uri,
58                                                                          :response_type => "code",
59                                                                          :scope => "write_api"))
60
61     session_for(create(:user))
62
63     get oauth_authorization_path(:client_id => application.uid,
64                                  :redirect_uri => application.redirect_uri,
65                                  :response_type => "code",
66                                  :scope => "write_api")
67     assert_response :success
68     assert_template "oauth2_authorizations/new"
69   end
70
71   def test_new_bad_uri
72     application = create(:oauth_application, :scopes => "write_api")
73
74     session_for(create(:user))
75
76     get oauth_authorization_path(:client_id => application.uid,
77                                  :redirect_uri => "https://bad.example.com/",
78                                  :response_type => "code",
79                                  :scope => "write_api")
80     assert_response :success
81     assert_template "oauth2_authorizations/error"
82     assert_select "p", "The requested redirect uri is malformed or doesn't match client redirect URI."
83   end
84
85   def test_new_bad_scope
86     application = create(:oauth_application, :scopes => "write_api")
87
88     session_for(create(:user))
89
90     get oauth_authorization_path(:client_id => application.uid,
91                                  :redirect_uri => application.redirect_uri,
92                                  :response_type => "code",
93                                  :scope => "bad_scope")
94     assert_response :success
95     assert_template "oauth2_authorizations/error"
96     assert_select "p", "The requested scope is invalid, unknown, or malformed."
97
98     get oauth_authorization_path(:client_id => application.uid,
99                                  :redirect_uri => application.redirect_uri,
100                                  :response_type => "code",
101                                  :scope => "write_prefs")
102     assert_response :success
103     assert_template "oauth2_authorizations/error"
104     assert_select "p", "The requested scope is invalid, unknown, or malformed."
105   end
106
107   def test_create
108     application = create(:oauth_application, :scopes => "write_api")
109
110     post oauth_authorization_path(:client_id => application.uid,
111                                   :redirect_uri => application.redirect_uri,
112                                   :response_type => "code",
113                                   :scope => "write_api")
114     assert_response :forbidden
115
116     session_for(create(:user))
117
118     post oauth_authorization_path(:client_id => application.uid,
119                                   :redirect_uri => application.redirect_uri,
120                                   :response_type => "code",
121                                   :scope => "write_api")
122     assert_response :redirect
123     assert_redirected_to(/^#{Regexp.escape(application.redirect_uri)}\?code=/)
124   end
125
126   def test_create_native
127     application = create(:oauth_application, :scopes => "write_api", :redirect_uri => "urn:ietf:wg:oauth:2.0:oob")
128
129     post oauth_authorization_path(:client_id => application.uid,
130                                   :redirect_uri => application.redirect_uri,
131                                   :response_type => "code",
132                                   :scope => "write_api")
133     assert_response :forbidden
134
135     session_for(create(:user))
136
137     post oauth_authorization_path(:client_id => application.uid,
138                                   :redirect_uri => application.redirect_uri,
139                                   :response_type => "code",
140                                   :scope => "write_api")
141     assert_response :redirect
142     assert_equal native_oauth_authorization_path, URI.parse(response.location).path
143     follow_redirect!
144     assert_response :success
145     assert_template "oauth2_authorizations/show"
146   end
147
148   def test_destroy
149     application = create(:oauth_application)
150
151     delete oauth_authorization_path(:client_id => application.uid,
152                                     :redirect_uri => application.redirect_uri,
153                                     :response_type => "code",
154                                     :scope => "write_api")
155     assert_response :forbidden
156
157     session_for(create(:user))
158
159     delete oauth_authorization_path(:client_id => application.uid,
160                                     :redirect_uri => application.redirect_uri,
161                                     :response_type => "code",
162                                     :scope => "write_api")
163     assert_response :redirect
164     assert_redirected_to(/^#{Regexp.escape(application.redirect_uri)}\?error=access_denied/)
165   end
166
167   def test_destroy_native
168     application = create(:oauth_application, :redirect_uri => "urn:ietf:wg:oauth:2.0:oob")
169
170     delete oauth_authorization_path(:client_id => application.uid,
171                                     :redirect_uri => application.redirect_uri,
172                                     :response_type => "code",
173                                     :scope => "write_api")
174     assert_response :forbidden
175
176     session_for(create(:user))
177
178     delete oauth_authorization_path(:client_id => application.uid,
179                                     :redirect_uri => application.redirect_uri,
180                                     :response_type => "code",
181                                     :scope => "write_api")
182     assert_response :bad_request
183   end
184 end