From: Tom Hughes Date: Sat, 19 Nov 2011 17:12:40 +0000 (+0000) Subject: Add some OAuth tests X-Git-Tag: live~6671 X-Git-Url: https://git.openstreetmap.org./rails.git/commitdiff_plain/c00dd8c7125cdac05af2515d5563a35a252987b0 Add some OAuth tests --- diff --git a/test/fixtures/client_applications.yml b/test/fixtures/client_applications.yml index 9fe0889ac..e8087eb98 100644 --- a/test/fixtures/client_applications.yml +++ b/test/fixtures/client_applications.yml @@ -10,3 +10,24 @@ oauth_web_app: user_id: 2 secret: Ur1s9LWWJJuYBiV9cDi3za3OV8TGCoRgUvVXJ5zp7pc key: ewvENqsaTXFnZbMWmGDX2g + allow_read_prefs: true + allow_write_prefs: false + allow_write_diary: false + allow_write_api: true + allow_read_gpx: true + allow_write_gpx: false + +oauth_desktop_app: + name: Some OAuth Desktop App + created_at: "2009-04-21 00:00:00" + support_url: http://some.desktop.app.org/support + updated_at: "2009-04-21 00:00:00" + user_id: 2 + secret: V9DOm1H5qSdIG9IeCTiOkAcCx15bK8bkGxf7XEpF + key: rlEdPM6Tp8lpLwvSyNJQ4w + allow_read_prefs: true + allow_write_prefs: false + allow_write_diary: false + allow_write_api: true + allow_read_gpx: true + allow_write_gpx: false diff --git a/test/integration/oauth_test.rb b/test/integration/oauth_test.rb new file mode 100644 index 000000000..9c37ff739 --- /dev/null +++ b/test/integration/oauth_test.rb @@ -0,0 +1,303 @@ +require File.dirname(__FILE__) + '/../test_helper' + +class OAuthTest < ActionController::IntegrationTest + fixtures :users, :client_applications + + include OAuth::Helper + + def test_oauth10_web_app + client = client_applications(:oauth_web_app) + + post_via_redirect "/login", + :username => client.user.email, :password => "test" + assert_response :success + + signed_get "/oauth/request_token", :consumer => client + assert_response :success + token = parse_token(response) + assert_instance_of RequestToken, token + assert_not_nil token.created_at + assert_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, client.permissions + + post "/oauth/authorize", + :oauth_token => token.token, + :allow_read_prefs => true, :allow_write_prefs => true + assert_response :redirect + assert_redirected_to "http://some.web.app.org/callback?oauth_token=#{token.token}" + token.reload + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, [ :allow_read_prefs ] + + signed_get "/oauth/access_token", :consumer => client, :token => token + assert_response :success + token.reload + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_not_nil token.invalidated_at + token = parse_token(response) + assert_instance_of AccessToken, token + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, [ :allow_read_prefs ] + + signed_get "/oauth/request_token", :consumer => client + assert_response :success + token = parse_token(response) + assert_instance_of RequestToken, token + assert_not_nil token.created_at + assert_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, client.permissions + + post "/oauth/authorize", + :oauth_token => token.token, + :oauth_callback => "http://another.web.app.org/callback", + :allow_write_api => true, :allow_read_gpx => true + assert_response :redirect + assert_redirected_to "http://another.web.app.org/callback?oauth_token=#{token.token}" + token.reload + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, [ :allow_write_api, :allow_read_gpx ] + + signed_get "/oauth/access_token", :consumer => client, :token => token + assert_response :success + token.reload + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_not_nil token.invalidated_at + token = parse_token(response) + assert_instance_of AccessToken, token + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, [ :allow_write_api, :allow_read_gpx ] + end + + def test_oauth10_desktop_app + client = client_applications(:oauth_desktop_app) + + post_via_redirect "/login", + :username => client.user.email, :password => "test" + assert_response :success + + signed_get "/oauth/request_token", :consumer => client + assert_response :success + token = parse_token(response) + assert_instance_of RequestToken, token + assert_not_nil token.created_at + assert_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, client.permissions + + post "/oauth/authorize", + :oauth_token => token.token, + :allow_read_prefs => true, :allow_write_prefs => true + assert_response :success + assert_template "authorize_success" + token.reload + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, [ :allow_read_prefs ] + + signed_get "/oauth/access_token", :consumer => client, :token => token + assert_response :success + token.reload + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_not_nil token.invalidated_at + token = parse_token(response) + assert_instance_of AccessToken, token + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, [ :allow_read_prefs ] + end + + def test_oauth10a_web_app + client = client_applications(:oauth_web_app) + + post_via_redirect "/login", + :username => client.user.email, :password => "test" + assert_response :success + + signed_get "/oauth/request_token", + :consumer => client, :oauth_callback => "oob" + assert_response :success + token = parse_token(response) + assert_instance_of RequestToken, token + assert_not_nil token.created_at + assert_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, client.permissions + + post "/oauth/authorize", + :oauth_token => token.token, + :allow_read_prefs => true, :allow_write_prefs => true + assert_response :redirect + verifier = parse_verifier(response) + assert_redirected_to "http://some.web.app.org/callback?oauth_token=#{token.token}&oauth_verifier=#{verifier}" + token.reload + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, [ :allow_read_prefs ] + + signed_get "/oauth/access_token", :consumer => client, :token => token + assert_response :unauthorized + + signed_get "/oauth/access_token", + :consumer => client, :token => token, :oauth_verifier => verifier + assert_response :success + token.reload + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_not_nil token.invalidated_at + token = parse_token(response) + assert_instance_of AccessToken, token + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, [ :allow_read_prefs ] + + signed_get "/oauth/request_token", + :consumer => client, + :oauth_callback => "http://another.web.app.org/callback" + assert_response :success + token = parse_token(response) + assert_instance_of RequestToken, token + assert_not_nil token.created_at + assert_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, client.permissions + + post "/oauth/authorize", + :oauth_token => token.token, + :allow_write_api => true, :allow_read_gpx => true + assert_response :redirect + verifier = parse_verifier(response) + assert_redirected_to "http://another.web.app.org/callback?oauth_token=#{token.token}&oauth_verifier=#{verifier}" + token.reload + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, [ :allow_write_api, :allow_read_gpx ] + + signed_get "/oauth/access_token", :consumer => client, :token => token + assert_response :unauthorized + + signed_get "/oauth/access_token", + :consumer => client, :token => token, :oauth_verifier => verifier + assert_response :success + token.reload + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_not_nil token.invalidated_at + token = parse_token(response) + assert_instance_of AccessToken, token + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, [ :allow_write_api, :allow_read_gpx ] + end + + def test_oauth10a_desktop_app + client = client_applications(:oauth_desktop_app) + + post_via_redirect "/login", + :username => client.user.email, :password => "test" + assert_response :success + + signed_get "/oauth/request_token", + :consumer => client, :oauth_callback => "oob" + assert_response :success + token = parse_token(response) + assert_instance_of RequestToken, token + assert_not_nil token.created_at + assert_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, client.permissions + + post "/oauth/authorize", + :oauth_token => token.token, + :allow_read_prefs => true, :allow_write_prefs => true + assert_response :success + assert_template "authorize_success" + m = response.body.match("

The verification code is ([A-Za-z0-9]+)

") + assert_not_nil m + verifier = m[1] + token.reload + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, [ :allow_read_prefs ] + + signed_get "/oauth/access_token", :consumer => client, :token => token + assert_response :unauthorized + + signed_get "/oauth/access_token", + :consumer => client, :token => token, :oauth_verifier => verifier + assert_response :success + token.reload + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_not_nil token.invalidated_at + token = parse_token(response) + assert_instance_of AccessToken, token + assert_not_nil token.created_at + assert_not_nil token.authorized_at + assert_nil token.invalidated_at + assert_allowed token, [ :allow_read_prefs ] + end + +private + + def signed_get(uri, options) + uri = URI.parse(uri) + uri.scheme ||= "http" + uri.host ||= host + + helper = OAuth::Client::Helper.new(nil, options) + + request = OAuth::RequestProxy.proxy( + "method" => "GET", + "uri" => uri, + "parameters" => helper.oauth_parameters + ) + + request.sign!(options) + + get request.signed_uri + end + + def parse_token(response) + params = CGI.parse(response.body) + + token = OauthToken.find_by_token(params["oauth_token"].first) + assert_equal token.secret, params["oauth_token_secret"].first + + token + end + + def parse_verifier(response) + params = CGI.parse(URI.parse(response.location).query) + + assert_not_nil params["oauth_verifier"] + assert_present params["oauth_verifier"].first + + params["oauth_verifier"].first + end + + def assert_allowed(token, allowed) + ClientApplication.all_permissions.each do |p| + assert_equal allowed.include?(p), token.attributes[p.to_s] + end + end +end