cst1/openstreetmap-website
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Drop support for OAuth 1

Browse source
This commit is contained in:
Tom Hughes 2024-07-24 19:12:14 +01:00 committed by Anton Khorev
parent cee9818dfc
commit 17bc0853a0
48 changed files with 52 additions and 2395 deletions
Download patch file Download diff file Expand all files Collapse all files

27
test/controllers/api/permissions_controller_test.rb
View file

@ -37,9 +37,9 @@ module Api
get permissions_path, :headers => auth_header
assert_response :success
assert_select "osm > permissions", :count => 1 do
assert_select "permission", :count => ClientApplication.all_permissions.size
ClientApplication.all_permissions.each do |p|
assert_select "permission[name='#{p}']", :count => 1
assert_select "permission", :count => Oauth.scopes.size
Oauth.scopes.each do |p|
assert_select "permission[name='allow_#{p.name}']", :count => 1
end
end
@ -50,24 +50,9 @@ module Api
js = ActiveSupport::JSON.decode(@response.body)
assert_not_nil js
assert_equal ClientApplication.all_permissions.size, js["permissions"].count
ClientApplication.all_permissions.each do |p|
assert_includes js["permissions"], p.to_s
end
end
def test_permissions_oauth1
token = create(:access_token,
:allow_read_prefs => true,
:allow_write_api => true,
:allow_read_gpx => false)
signed_get permissions_path, :oauth => { :token => token }
assert_response :success
assert_select "osm > permissions", :count => 1 do
assert_select "permission", :count => 2
assert_select "permission[name='allow_read_prefs']", :count => 1
assert_select "permission[name='allow_write_api']", :count => 1
assert_select "permission[name='allow_read_gpx']", :count => 0
assert_equal Oauth.scopes.size, js["permissions"].count
Oauth.scopes.each do |p|
assert_includes js["permissions"], "allow_#{p.name}"
end
end

206
test/controllers/api/users_controller_test.rb
View file

@ -75,80 +75,6 @@ module Api
check_json_details(js, user, false, false)
end
def test_show_oauth1
user = create(:user,
:home_lat => 12.1, :home_lon => 23.4,
:languages => ["en"])
good_token = create(:access_token,
:user => user,
:allow_read_prefs => true)
bad_token = create(:access_token,
:user => user)
other_user = create(:user,
:home_lat => 12.1, :home_lon => 23.4,
:languages => ["en"])
# check that we can fetch our own details as XML with read_prefs
signed_get api_user_path(:id => user.id), :oauth => { :token => good_token }
assert_response :success
assert_equal "application/xml", response.media_type
# check the data that is returned
check_xml_details(user, true, false)
# check that we can fetch a different user's details as XML with read_prefs
signed_get api_user_path(:id => other_user.id), :oauth => { :token => good_token }
assert_response :success
assert_equal "application/xml", response.media_type
# check the data that is returned
check_xml_details(other_user, false, false)
# check that we can fetch our own details as XML without read_prefs
signed_get api_user_path(:id => user.id), :oauth => { :token => bad_token }
assert_response :success
assert_equal "application/xml", response.media_type
# check the data that is returned
check_xml_details(user, false, false)
# check that we can fetch our own details as JSON with read_prefs
signed_get api_user_path(:id => user.id, :format => "json"), :oauth => { :token => good_token }
assert_response :success
assert_equal "application/json", response.media_type
# parse the response
js = ActiveSupport::JSON.decode(@response.body)
assert_not_nil js
# check the data that is returned
check_json_details(js, user, true, false)
# check that we can fetch a different user's details as JSON with read_prefs
signed_get api_user_path(:id => other_user.id, :format => "json"), :oauth => { :token => good_token }
assert_response :success
assert_equal "application/json", response.media_type
# parse the response
js = ActiveSupport::JSON.decode(@response.body)
assert_not_nil js
# check the data that is returned
check_json_details(js, other_user, false, false)
# check that we can fetch our own details as JSON without read_prefs
signed_get api_user_path(:id => other_user.id, :format => "json"), :oauth => { :token => bad_token }
assert_response :success
assert_equal "application/json", response.media_type
# parse the response
js = ActiveSupport::JSON.decode(@response.body)
assert_not_nil js
# check the data that is returned
check_json_details(js, other_user, false, false)
end
def test_show_oauth2
user = create(:user,
:home_lat => 12.1, :home_lon => 23.4,
@ -260,45 +186,6 @@ module Api
check_json_details(js, user, true, false)
end
def test_details_oauth1
user = create(:user,
:home_lat => 12.1, :home_lon => 23.4,
:languages => ["en"])
good_token = create(:access_token,
:user => user,
:allow_read_prefs => true)
bad_token = create(:access_token,
:user => user)
# check that we can't fetch details as XML without read_prefs
signed_get user_details_path, :oauth => { :token => bad_token }
assert_response :forbidden
# check that we can fetch details as XML
signed_get user_details_path, :oauth => { :token => good_token }
assert_response :success
assert_equal "application/xml", response.media_type
# check the data that is returned
check_xml_details(user, true, false)
# check that we can't fetch details as JSON without read_prefs
signed_get user_details_path(:format => "json"), :oauth => { :token => bad_token }
assert_response :forbidden
# check that we can fetch details as JSON
signed_get user_details_path(:format => "json"), :oauth => { :token => good_token }
assert_response :success
assert_equal "application/json", response.media_type
# parse the response
js = ActiveSupport::JSON.decode(@response.body)
assert_not_nil js
# check the data that is returned
check_json_details(js, user, true, false)
end
def test_details_oauth2
user = create(:user,
:home_lat => 12.1, :home_lon => 23.4,
@ -434,99 +321,6 @@ module Api
assert_select "user", :count => 0
end
def test_index_oauth1
user1 = create(:user, :description => "test1", :terms_agreed => Date.yesterday)
user2 = create(:user, :description => "test2", :terms_agreed => Date.yesterday)
user3 = create(:user, :description => "test3", :terms_agreed => Date.yesterday)
good_token = create(:access_token, :user => user1, :allow_read_prefs => true)
bad_token = create(:access_token, :user => user1)
signed_get api_users_path, :params => { :users => user1.id }, :oauth => { :token => good_token }
assert_response :success
assert_equal "application/xml", response.media_type
assert_select "user", :count => 1 do
check_xml_details(user1, true, false)
assert_select "user[id='#{user2.id}']", :count => 0
assert_select "user[id='#{user3.id}']", :count => 0
end
signed_get api_users_path, :params => { :users => user2.id }, :oauth => { :token => good_token }
assert_response :success
assert_equal "application/xml", response.media_type
assert_select "user", :count => 1 do
assert_select "user[id='#{user1.id}']", :count => 0
check_xml_details(user2, false, false)
assert_select "user[id='#{user3.id}']", :count => 0
end
signed_get api_users_path, :params => { :users => "#{user1.id},#{user3.id}" }, :oauth => { :token => good_token }
assert_response :success
assert_equal "application/xml", response.media_type
assert_select "user", :count => 2 do
check_xml_details(user1, true, false)
assert_select "user[id='#{user2.id}']", :count => 0
check_xml_details(user3, false, false)
end
signed_get api_users_path, :params => { :users => "#{user1.id},#{user3.id}" }, :oauth => { :token => bad_token }
assert_response :success
assert_equal "application/xml", response.media_type
assert_select "user", :count => 2 do
check_xml_details(user1, false, false)
assert_select "user[id='#{user2.id}']", :count => 0
check_xml_details(user3, false, false)
end
signed_get api_users_path, :params => { :users => user1.id, :format => "json" }, :oauth => { :token => good_token }
assert_response :success
assert_equal "application/json", response.media_type
js = ActiveSupport::JSON.decode(@response.body)
assert_not_nil js
assert_equal 1, js["users"].count
check_json_details(js["users"][0], user1, true, false)
signed_get api_users_path, :params => { :users => user2.id, :format => "json" }, :oauth => { :token => good_token }
assert_response :success
assert_equal "application/json", response.media_type
js = ActiveSupport::JSON.decode(@response.body)
assert_not_nil js
assert_equal 1, js["users"].count
check_json_details(js["users"][0], user2, false, false)
signed_get api_users_path, :params => { :users => "#{user1.id},#{user3.id}", :format => "json" }, :oauth => { :token => good_token }
assert_response :success
assert_equal "application/json", response.media_type
js = ActiveSupport::JSON.decode(@response.body)
assert_not_nil js
assert_equal 2, js["users"].count
check_json_details(js["users"][0], user1, true, false)
check_json_details(js["users"][1], user3, false, false)
signed_get api_users_path, :params => { :users => "#{user1.id},#{user3.id}", :format => "json" }, :oauth => { :token => bad_token }
assert_response :success
assert_equal "application/json", response.media_type
js = ActiveSupport::JSON.decode(@response.body)
assert_not_nil js
assert_equal 2, js["users"].count
check_json_details(js["users"][0], user1, false, false)
check_json_details(js["users"][1], user3, false, false)
signed_get api_users_path, :params => { :users => create(:user, :suspended).id }, :oauth => { :token => good_token }
assert_response :success
assert_equal "application/xml", response.media_type
assert_select "user", :count => 0
signed_get api_users_path, :params => { :users => create(:user, :deleted).id }, :oauth => { :token => good_token }
assert_response :success
assert_equal "application/xml", response.media_type
assert_select "user", :count => 0
signed_get api_users_path, :params => { :users => 0 }, :oauth => { :token => good_token }
assert_response :success
assert_equal "application/xml", response.media_type
assert_select "user", :count => 0
end
def test_index_oauth2
user1 = create(:user, :description => "test1", :terms_agreed => Date.yesterday)
user2 = create(:user, :description => "test2", :terms_agreed => Date.yesterday)

204
test/controllers/oauth_clients_controller_test.rb
View file

@ -1,204 +0,0 @@
require "test_helper"
class OauthClientsControllerTest < ActionDispatch::IntegrationTest
##
# test all routes which lead to this controller
def test_routes
assert_routing(
{ :path => "/user/username/oauth_clients", :method => :get },
{ :controller => "oauth_clients", :action => "index", :display_name => "username" }
)
assert_routing(
{ :path => "/user/username/oauth_clients/new", :method => :get },
{ :controller => "oauth_clients", :action => "new", :display_name => "username" }
)
assert_routing(
{ :path => "/user/username/oauth_clients", :method => :post },
{ :controller => "oauth_clients", :action => "create", :display_name => "username" }
)
assert_routing(
{ :path => "/user/username/oauth_clients/1", :method => :get },
{ :controller => "oauth_clients", :action => "show", :display_name => "username", :id => "1" }
)
assert_routing(
{ :path => "/user/username/oauth_clients/1/edit", :method => :get },
{ :controller => "oauth_clients", :action => "edit", :display_name => "username", :id => "1" }
)
assert_routing(
{ :path => "/user/username/oauth_clients/1", :method => :put },
{ :controller => "oauth_clients", :action => "update", :display_name => "username", :id => "1" }
)
assert_routing(
{ :path => "/user/username/oauth_clients/1", :method => :delete },
{ :controller => "oauth_clients", :action => "destroy", :display_name => "username", :id => "1" }
)
end
def test_index
user = create(:user)
create_list(:client_application, 2, :user => user)
create_list(:access_token, 2, :user => user)
get oauth_clients_path(user)
assert_redirected_to login_path(:referer => oauth_clients_path(user))
session_for(user)
get oauth_clients_path(user)
assert_response :success
assert_template "index"
assert_select "li.client_application", 2
end
def test_new
user = create(:user)
get new_oauth_client_path(user)
assert_redirected_to login_path(:referer => new_oauth_client_path(user))
session_for(user)
get new_oauth_client_path(user)
assert_response :success
assert_template "new"
assert_select "form", 1 do
assert_select "input#client_application_name", 1
assert_select "input#client_application_url", 1
assert_select "input#client_application_callback_url", 1
assert_select "input#client_application_support_url", 1
ClientApplication.all_permissions.each do |perm|
assert_select "input#client_application_#{perm}", 1
end
end
end
def test_new_disabled
user = create(:user)
with_settings(:oauth_10_registration => false) do
get new_oauth_client_path(user)
assert_redirected_to login_path(:referer => new_oauth_client_path(user))
session_for(user)
get new_oauth_client_path(user)
assert_redirected_to oauth_clients_path(user)
end
end
def test_create
user = create(:user)
assert_difference "ClientApplication.count", 0 do
post oauth_clients_path(user)
end
assert_response :forbidden
session_for(user)
assert_difference "ClientApplication.count", 0 do
post oauth_clients_path(user, :client_application => { :name => "Test Application" })
end
assert_response :success
assert_template "new"
assert_difference "ClientApplication.count", 1 do
post oauth_clients_path(user, :client_application => { :name => "Test Application",
:url => "http://test.example.com/" })
end
assert_redirected_to oauth_client_path(:id => ClientApplication.find_by(:name => "Test Application").id)
end
def test_show
user = create(:user)
client = create(:client_application, :user => user)
other_client = create(:client_application)
get oauth_client_path(user, client)
assert_redirected_to login_path(:referer => oauth_client_path(user, client.id))
session_for(user)
get oauth_client_path(user, other_client)
assert_response :not_found
assert_template "not_found"
get oauth_client_path(user, client)
assert_response :success
assert_template "show"
end
def test_edit
user = create(:user)
client = create(:client_application, :user => user)
other_client = create(:client_application)
get edit_oauth_client_path(user, client)
assert_redirected_to login_path(:referer => edit_oauth_client_path(user, client.id))
session_for(user)
get edit_oauth_client_path(user, other_client)
assert_response :not_found
assert_template "not_found"
get edit_oauth_client_path(user, client)
assert_response :success
assert_template "edit"
assert_select "form", 1 do
assert_select "input#client_application_name", 1
assert_select "input#client_application_url", 1
assert_select "input#client_application_callback_url", 1
assert_select "input#client_application_support_url", 1
ClientApplication.all_permissions.each do |perm|
assert_select "input#client_application_#{perm}", 1
end
end
end
def test_update
user = create(:user)
client = create(:client_application, :user => user)
other_client = create(:client_application)
put oauth_client_path(user, client)
assert_response :forbidden
session_for(user)
put oauth_client_path(user, other_client)
assert_response :not_found
assert_template "not_found"
put oauth_client_path(user, client, :client_application => { :name => "New Name", :url => nil })
assert_response :success
assert_template "edit"
put oauth_client_path(user, client, :client_application => { :name => "New Name", :url => "http://new.example.com/url" })
assert_redirected_to oauth_client_path(:id => client.id)
end
def test_destroy
user = create(:user)
client = create(:client_application, :user => user)
other_client = create(:client_application)
assert_difference "ClientApplication.count", 0 do
delete oauth_client_path(user, client)
end
assert_response :forbidden
session_for(user)
assert_difference "ClientApplication.count", 0 do
delete oauth_client_path(user, other_client)
end
assert_response :not_found
assert_template "not_found"
assert_difference "ClientApplication.count", -1 do
delete oauth_client_path(user, client)
end
assert_redirected_to oauth_clients_path(user)
end
end

48
test/controllers/oauth_controller_test.rb
View file

@ -1,48 +0,0 @@
require "test_helper"
class OauthControllerTest < ActionDispatch::IntegrationTest
##
# test all routes which lead to this controller
def test_routes
assert_routing(
{ :path => "/oauth/revoke", :method => :get },
{ :controller => "oauth", :action => "revoke" }
)
assert_routing(
{ :path => "/oauth/revoke", :method => :post },
{ :controller => "oauth", :action => "revoke" }
)
assert_routing(
{ :path => "/oauth/authorize", :method => :get },
{ :controller => "oauth", :action => "authorize" }
)
assert_routing(
{ :path => "/oauth/authorize", :method => :post },
{ :controller => "oauth", :action => "authorize" }
)
assert_routing(
{ :path => "/oauth/token", :method => :get },
{ :controller => "oauth", :action => "token" }
)
assert_routing(
{ :path => "/oauth/request_token", :method => :get },
{ :controller => "oauth", :action => "request_token" }
)
assert_routing(
{ :path => "/oauth/request_token", :method => :post },
{ :controller => "oauth", :action => "request_token" }
)
assert_routing(
{ :path => "/oauth/access_token", :method => :get },
{ :controller => "oauth", :action => "access_token" }
)
assert_routing(
{ :path => "/oauth/access_token", :method => :post },
{ :controller => "oauth", :action => "access_token" }
)
assert_routing(
{ :path => "/oauth/test_request", :method => :get },
{ :controller => "oauth", :action => "test_request" }
)
end
end

8
test/factories/client_applications.rb
View file

@ -1,8 +0,0 @@
FactoryBot.define do
factory :client_application do
sequence(:name) { |n| "Client application #{n}" }
sequence(:url) { |n| "http://example.com/app/#{n}" }
user
end
end

91
test/integration/client_applications_test.rb
View file

@ -1,91 +0,0 @@
require "test_helper"
class ClientApplicationsTest < ActionDispatch::IntegrationTest
##
# run through the procedure of creating a client application and checking
# that it shows up on the user's account page.
def test_create_application
user = create(:user)
get "/login"
assert_redirected_to login_path(:cookie_test => "true")
follow_redirect!
assert_response :success
post "/login", :params => { "username" => user.email, "password" => "test", :referer => "/user/#{ERB::Util.u(user.display_name)}" }
assert_response :redirect
follow_redirect!
assert_response :success
assert_template "users/show"
get "/account/edit"
assert_response :success
assert_template "accounts/edit"
# check that the form to allow new client application creations exists
assert_in_heading do
assert_select "ul.nav.nav-tabs li.nav-item a[href='/user/#{ERB::Util.u(user.display_name)}/oauth_clients']"
end
# now we follow the link to the oauth client list
get "/user/#{ERB::Util.u(user.display_name)}/oauth_clients"
assert_response :success
assert_in_body do
assert_select "a[href='/user/#{ERB::Util.u(user.display_name)}/oauth_clients/new']"
end
# now we follow the link to the new oauth client page
get "/user/#{ERB::Util.u(user.display_name)}/oauth_clients/new"
assert_response :success
assert_in_heading do
assert_select "h1", "Register a new application"
end
assert_in_body do
assert_select "form[action='/user/#{ERB::Util.u(user.display_name)}/oauth_clients']" do
[:name, :url, :callback_url, :support_url].each do |inp|
assert_select "input[name=?]", "client_application[#{inp}]"
end
ClientApplication.all_permissions.each do |perm|
assert_select "input[name=?]", "client_application[#{perm}]"
end
end
end
post "/user/#{ERB::Util.u(user.display_name)}/oauth_clients",
:params => { "client_application[name]" => "My New App",
"client_application[url]" => "http://my.new.app.org/",
"client_application[callback_url]" => "http://my.new.app.org/callback",
"client_application[support_url]" => "http://my.new.app.org/support" }
assert_response :redirect
follow_redirect!
assert_response :success
assert_template "oauth_clients/show"
assert_equal "Registered the information successfully", flash[:notice]
# now go back to the account page and check its listed under this user
get "/user/#{ERB::Util.u(user.display_name)}/oauth_clients"
assert_response :success
assert_template "oauth_clients/index"
assert_in_body { assert_select "li>a", "My New App" }
end
##
# fake client workflow.
# this acts like a 3rd party client trying to access the site.
def test_3rd_party_token
# apparently the oauth gem doesn't really support being used inside integration
# tests, as its too tied into the HTTP headers and stuff that it signs.
end
private
##
# utility method to make the HTML screening easier to read.
def assert_in_heading(&block)
assert_select("div.content-heading", &block)
end
##
# utility method to make the HTML screening easier to read.
def assert_in_body(&block)
assert_select("div#content", &block)
end
end

421
test/integration/oauth_test.rb
View file

@ -1,421 +0,0 @@
require "test_helper"
class OAuthTest < ActionDispatch::IntegrationTest
include OAuth::Helper
def test_oauth10_web_app
client = create(:client_application, :callback_url => "http://some.web.app.example.org/callback", :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true)
user = create(:user)
session_for(user)
oauth10_without_callback(client)
oauth10_with_callback(client, "http://another.web.app.example.org/callback")
oauth10_refused(client)
end
def test_oauth10_desktop_app
client = create(:client_application, :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true)
user = create(:user)
session_for(user)
oauth10_without_callback(client)
oauth10_refused(client)
end
def test_oauth10a_web_app
client = create(:client_application, :callback_url => "http://some.web.app.example.org/callback", :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true)
user = create(:user)
session_for(user)
oauth10a_without_callback(client)
oauth10a_with_callback(client, "http://another.web.app.example.org/callback")
oauth10a_refused(client)
end
def test_oauth10a_desktop_app
client = create(:client_application, :allow_read_prefs => true, :allow_write_api => true, :allow_read_gpx => true)
user = create(:user)
session_for(user)
oauth10a_without_callback(client)
oauth10a_refused(client)
end
private
def oauth10_without_callback(client)
token = get_request_token(client)
get "/oauth/authorize", :params => { :oauth_token => token.token }
assert_response :success
assert_template :authorize
post "/oauth/authorize",
:params => { :oauth_token => token.token,
:allow_read_prefs => "1", :allow_write_prefs => "1" }
if client.callback_url
assert_redirected_to "#{client.callback_url}?oauth_token=#{token.token}"
else
assert_response :success
assert_template :authorize_success
end
token.reload
assert_not_nil token.created_at
assert_not_nil token.authorized_at
assert_nil token.invalidated_at
assert_allowed token, [:allow_read_prefs]
signed_get "/oauth/access_token", :oauth => { :token => token }
assert_response :success
token.reload
assert_not_nil token.created_at
assert_not_nil token.authorized_at
assert_not_nil token.invalidated_at
token = parse_token(response)
assert_instance_of AccessToken, token
assert_not_nil token.created_at
assert_not_nil token.authorized_at
assert_nil token.invalidated_at
assert_allowed token, [:allow_read_prefs]
post logout_path
signed_get "/api/0.6/user/preferences", :oauth => { :token => token }
assert_response :success
signed_get "/api/0.6/gpx/2", :oauth => { :token => token }
assert_response :forbidden
token.user.suspend!
signed_get "/api/0.6/user/preferences", :oauth => { :token => token }
assert_response :forbidden
token.user.hide!
signed_get "/api/0.6/user/preferences", :oauth => { :token => token }
assert_response :forbidden
token.user.unhide!
signed_get "/api/0.6/user/preferences", :oauth => { :token => token }
assert_response :success
session_for(token.user)
post "/oauth/revoke", :params => { :token => token.token }
assert_redirected_to oauth_clients_url(token.user.display_name)
token = OauthToken.find_by(:token => token.token)
assert_not_nil token.invalidated_at
signed_get "/api/0.6/user/preferences", :oauth => { :token => token }
assert_response :unauthorized
end
def oauth10_refused(client)
token = get_request_token(client)
get "/oauth/authorize", :params => { :oauth_token => token.token }
assert_response :success
assert_template :authorize
post "/oauth/authorize", :params => { :oauth_token => token.token }
assert_response :success
assert_template :authorize_failure
assert_select "p", "You have denied application #{client.name} access to your account."
token.reload
assert_nil token.authorized_at
assert_not_nil token.invalidated_at
get "/oauth/authorize", :params => { :oauth_token => token.token }
assert_response :success
assert_template :authorize_failure
assert_select "p", "The authorization token is not valid."
token.reload
assert_nil token.authorized_at
assert_not_nil token.invalidated_at
post "/oauth/authorize", :params => { :oauth_token => token.token }
assert_response :success
assert_template :authorize_failure
assert_select "p", "The authorization token is not valid."
token.reload
assert_nil token.authorized_at
assert_not_nil token.invalidated_at
end
def oauth10_with_callback(client, callback_url)
token = get_request_token(client)
get "/oauth/authorize", :params => { :oauth_token => token.token }
assert_response :success
assert_template :authorize
post "/oauth/authorize",
:params => { :oauth_token => token.token, :oauth_callback => callback_url,
:allow_write_api => "1", :allow_read_gpx => "1" }
assert_redirected_to "#{callback_url}?oauth_token=#{token.token}"
token.reload
assert_not_nil token.created_at
assert_not_nil token.authorized_at
assert_nil token.invalidated_at
assert_allowed token, [:allow_write_api, :allow_read_gpx]
signed_get "/oauth/access_token", :oauth => { :token => token }
assert_response :success
token.reload
assert_not_nil token.created_at
assert_not_nil token.authorized_at
assert_not_nil token.invalidated_at
token = parse_token(response)
assert_instance_of AccessToken, token
assert_not_nil token.created_at
assert_not_nil token.authorized_at
assert_nil token.invalidated_at
assert_allowed token, [:allow_write_api, :allow_read_gpx]
post logout_path
trace = create(:trace, :user => token.user)
signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token }
assert_response :success
signed_get "/api/0.6/user/details", :oauth => { :token => token }
assert_response :forbidden
token.user.suspend!
signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token }
assert_response :forbidden
token.user.hide!
signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token }
assert_response :forbidden
token.user.unhide!
signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token }
assert_response :success
session_for(token.user)
post "/oauth/revoke", :params => { :token => token.token }
assert_redirected_to oauth_clients_url(token.user.display_name)
token = OauthToken.find_by(:token => token.token)
assert_not_nil token.invalidated_at
signed_get "/api/0.6/gpx/2", :oauth => { :token => token }
assert_response :unauthorized
end
def oauth10a_without_callback(client)
token = get_request_token(client, :oauth_callback => "oob")
get "/oauth/authorize", :params => { :oauth_token => token.token }
assert_response :success
assert_template :authorize
post "/oauth/authorize",
:params => { :oauth_token => token.token,
:allow_read_prefs => "1", :allow_write_prefs => "1" }
if client.callback_url
assert_response :redirect
verifier = parse_verifier(response)
assert_redirected_to "http://some.web.app.example.org/callback?oauth_token=#{token.token}&oauth_verifier=#{verifier}"
else
assert_response :success
assert_template :authorize_success
m = response.body.match("<p>The verification code is ([A-Za-z0-9]+).</p>")
assert_not_nil m
verifier = m[1]
end
token.reload
assert_not_nil token.created_at
assert_not_nil token.authorized_at
assert_nil token.invalidated_at
assert_allowed token, [:allow_read_prefs]
signed_get "/oauth/access_token", :oauth => { :token => token }
assert_response :unauthorized
signed_get "/oauth/access_token", :oauth => { :token => token, :oauth_verifier => verifier }
assert_response :success
token.reload
assert_not_nil token.created_at
assert_not_nil token.authorized_at
assert_not_nil token.invalidated_at
token = parse_token(response)
assert_instance_of AccessToken, token
assert_not_nil token.created_at
assert_not_nil token.authorized_at
assert_nil token.invalidated_at
assert_allowed token, [:allow_read_prefs]
post logout_path
signed_get "/api/0.6/user/preferences", :oauth => { :token => token }
assert_response :success
trace = create(:trace, :user => token.user)
signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token }
assert_response :forbidden
token.user.suspend!
signed_get "/api/0.6/user/preferences", :oauth => { :token => token }
assert_response :forbidden
token.user.hide!
signed_get "/api/0.6/user/preferences", :oauth => { :token => token }
assert_response :forbidden
token.user.unhide!
signed_get "/api/0.6/user/preferences", :oauth => { :token => token }
assert_response :success
session_for(token.user)
post "/oauth/revoke", :params => { :token => token.token }
assert_redirected_to oauth_clients_url(token.user.display_name)
token = OauthToken.find_by(:token => token.token)
assert_not_nil token.invalidated_at
signed_get "/api/0.6/user/preferences", :oauth => { :token => token }
assert_response :unauthorized
end
def oauth10a_with_callback(client, callback_url)
token = get_request_token(client, :oauth_callback => callback_url)
get "/oauth/authorize", :params => { :oauth_token => token.token }
assert_response :success
assert_template :authorize
post "/oauth/authorize",
:params => { :oauth_token => token.token,
:allow_write_api => "1", :allow_read_gpx => "1" }
assert_response :redirect
verifier = parse_verifier(response)
assert_redirected_to "#{callback_url}?oauth_token=#{token.token}&oauth_verifier=#{verifier}"
token.reload
assert_not_nil token.created_at
assert_not_nil token.authorized_at
assert_nil token.invalidated_at
assert_allowed token, [:allow_write_api, :allow_read_gpx]
signed_get "/oauth/access_token", :oauth => { :token => token }
assert_response :unauthorized
signed_get "/oauth/access_token", :oauth => { :token => token, :oauth_verifier => verifier }
assert_response :success
token.reload
assert_not_nil token.created_at
assert_not_nil token.authorized_at
assert_not_nil token.invalidated_at
token = parse_token(response)
assert_instance_of AccessToken, token
assert_not_nil token.created_at
assert_not_nil token.authorized_at
assert_nil token.invalidated_at
assert_allowed token, [:allow_write_api, :allow_read_gpx]
post logout_path
trace = create(:trace, :user => token.user)
signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token }
assert_response :success
signed_get "/api/0.6/user/details", :oauth => { :token => token }
assert_response :forbidden
token.user.suspend!
signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token }
assert_response :forbidden
token.user.hide!
signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token }
assert_response :forbidden
token.user.unhide!
signed_get "/api/0.6/gpx/#{trace.id}", :oauth => { :token => token }
assert_response :success
session_for(token.user)
post "/oauth/revoke", :params => { :token => token.token }
assert_redirected_to oauth_clients_url(token.user.display_name)
token = OauthToken.find_by(:token => token.token)
assert_not_nil token.invalidated_at
signed_get "/api/0.6/gpx/2", :oauth => { :token => token }
assert_response :unauthorized
end
def oauth10a_refused(client)
token = get_request_token(client, :oauth_callback => "oob")
get "/oauth/authorize", :params => { :oauth_token => token.token }
assert_response :success
assert_template :authorize
post "/oauth/authorize", :params => { :oauth_token => token.token }
assert_response :success
assert_template :authorize_failure
assert_select "p", "You have denied application #{client.name} access to your account."
token.reload
assert_nil token.authorized_at
assert_not_nil token.invalidated_at
get "/oauth/authorize", :params => { :oauth_token => token.token }
assert_response :success
assert_template :authorize_failure
assert_select "p", "The authorization token is not valid."
token.reload
assert_nil token.authorized_at
assert_not_nil token.invalidated_at
post "/oauth/authorize", :params => { :oauth_token => token.token }
assert_response :success
assert_template :authorize_failure
assert_select "p", "The authorization token is not valid."
token.reload
assert_nil token.authorized_at
assert_not_nil token.invalidated_at
end
def get_request_token(client, options = {})
signed_get "/oauth/request_token", :oauth => options.merge(:consumer => client)
assert_response :success
token = parse_token(response)
assert_instance_of RequestToken, token
assert_not_nil token.created_at
assert_nil token.authorized_at
assert_nil token.invalidated_at
assert_equal_allowing_nil options[:oauth_callback], token.callback_url
assert_allowed token, client.permissions
token
end
def parse_token(response)
params = CGI.parse(response.body)
token = OauthToken.find_by(:token => params["oauth_token"].first)
assert_equal token.secret, params["oauth_token_secret"].first
token
end
def parse_verifier(response)
params = CGI.parse(URI.parse(response.location).query)
assert_not_nil params["oauth_verifier"]
assert_predicate params["oauth_verifier"].first, :present?
params["oauth_verifier"].first
end
def assert_allowed(token, allowed)
ClientApplication.all_permissions.each do |p|
assert_equal allowed.include?(p), token.attributes[p.to_s]
end
end
end

54
test/models/client_application_test.rb
View file

@ -1,54 +0,0 @@
require "test_helper"
class ClientApplicationTest < ActiveSupport::TestCase
def test_url_valid
ok = ["http://example.com/test", "https://example.com/test"]
bad = ["", "ftp://example.com/test", "myapp://somewhere", "http://example.com\nhttp://example.net"]
ok.each do |url|
app = build(:client_application)
app.url = url
assert_predicate app, :valid?, "#{url} is invalid, when it should be"
end
bad.each do |url|
app = build(:client_application)
app.url = url
assert_not_predicate app, :valid?, "#{url} is valid when it shouldn't be"
end
end
def test_support_url_valid
ok = ["", "http://example.com/test", "https://example.com/test"]
bad = ["ftp://example.com/test", "myapp://somewhere", "gibberish", "http://example.com\nhttp://example.net"]
ok.each do |url|
app = build(:client_application)
app.support_url = url
assert_predicate app, :valid?, "#{url} is invalid, when it should be"
end
bad.each do |url|
app = build(:client_application)
app.support_url = url
assert_not_predicate app, :valid?, "#{url} is valid when it shouldn't be"
end
end
def test_callback_url_valid
ok = ["", "http://example.com/test", "https://example.com/test", "ftp://example.com/test", "myapp://somewhere"]
bad = ["gibberish", "http://example.com\nhttp://example.net"]
ok.each do |url|
app = build(:client_application)
app.callback_url = url
assert_predicate app, :valid?, "#{url} is invalid, when it should be"
end
bad.each do |url|
app = build(:client_application)
app.callback_url = url
assert_not_predicate app, :valid?, "#{url} is valid when it shouldn't be"
end
end
end

29
test/models/oauth_nonce_test.rb
View file

@ -1,29 +0,0 @@
require "test_helper"
class OauthNonceTest < ActiveSupport::TestCase
##
# the nonce has only one property, that it is a unique pair of
# string and timestamp.
def test_nonce_uniqueness
string = "0123456789ABCDEF"
timestamp = Time.now.to_i
nonce1 = OauthNonce.remember(string, timestamp)
assert_not_equal false, nonce1, "First nonce should be unique. Check your test database is empty."
nonce2 = OauthNonce.remember(string, timestamp)
assert_not nonce2, "Shouldn't be able to remember the same nonce twice."
end
##
# nonces that are not current should be rejected
def test_nonce_not_current
string = "0123456789ABCDEF"
nonce1 = OauthNonce.remember(string, Time.now.to_i - 86430)
assert_not nonce1, "Nonces over a day in the past should be rejected"
nonce2 = OauthNonce.remember(string, Time.now.to_i - 86370)
assert_not_equal false, nonce2, "Nonces under a day in the past should be rejected"
end
end

23
test/models/oauth_token_test.rb
View file

@ -1,23 +0,0 @@
require "test_helper"
class OauthTokenTest < ActiveSupport::TestCase
##
# check that after calling invalidate! on a token, it is invalid.
def test_token_invalidation
tok = OauthToken.new
assert_not_predicate tok, :invalidated?, "Token should be created valid."
tok.invalidate!
assert_predicate tok, :invalidated?, "Token should now be invalid."
end
##
# check that an authorized token is authorised and can be invalidated
def test_token_authorisation
tok = RequestToken.create(:client_application => create(:client_application))
assert_not_predicate tok, :authorized?, "Token should be created unauthorised."
tok.authorize!(create(:user))
assert_predicate tok, :authorized?, "Token should now be authorised."
tok.invalidate!
assert_not_predicate tok, :authorized?, "Token should now be invalid."
end
end

10
test/models/request_token_test.rb
View file

@ -1,10 +0,0 @@
require "test_helper"
class RequestTokenTest < ActiveSupport::TestCase
def test_oob
assert_predicate RequestToken.new, :oob?
assert_predicate RequestToken.new(:callback_url => "oob"), :oob?
assert_predicate RequestToken.new(:callback_url => "OOB"), :oob?
assert_not_predicate RequestToken.new(:callback_url => "http://test.host/"), :oob?
end
end

12
test/models/user_test.rb
View file

@ -304,18 +304,6 @@ class UserTest < ActiveSupport::TestCase
assert_not_predicate user, :active?
end
def test_soft_destroy_revokes_oauth1_tokens
user = create(:user)
access_token = create(:access_token, :user => user)
assert_equal 1, user.oauth_tokens.authorized.count
user.soft_destroy
assert_equal 0, user.oauth_tokens.authorized.count
access_token.reload
assert_predicate access_token, :invalidated?
end
def test_soft_destroy_revokes_oauth2_tokens
user = create(:user)
oauth_access_token = create(:oauth_access_token, :resource_owner_id => user.id)

37
test/test_helper.rb
View file

@ -145,43 +145,6 @@ module ActiveSupport
{ "Authorization" => "Bearer #{token}" }
end
##
# make an OAuth signed request
def signed_request(method, uri, options = {})
uri = URI.parse(uri)
uri.scheme ||= "http"
uri.host ||= "www.example.com"
oauth = options.delete(:oauth)
params = options.fetch(:params, {}).transform_keys(&:to_s)
oauth[:consumer] ||= oauth[:token].client_application
helper = OAuth::Client::Helper.new(nil, oauth)
request = OAuth::RequestProxy.proxy(
"method" => method.to_s.upcase,
"uri" => uri,
"parameters" => params.merge(helper.oauth_parameters)
)
request.sign!(oauth)
method(method).call(request.signed_uri, **options)
end
##
# make an OAuth signed GET request
def signed_get(uri, options = {})
signed_request(:get, uri, options)
end
##
# make an OAuth signed POST request
def signed_post(uri, options = {})
signed_request(:post, uri, options)
end
##
# return request header for HTTP Accept
def accept_format_header(format)