Skip to content

Basic Setup scripts #60

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 7 commits into
base: master
Choose a base branch
from
Open

Basic Setup scripts #60

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
514e21f
Setup helpers for running testing db via docker ;Test to verify that …
robotarmy Aug 6, 2019
121637a
confirming pre-authorize needs no scope
robotarmy Aug 6, 2019
bacbffb
assume scope is excluded from valid_request
robotarmy Aug 6, 2019
43056ec
gitignore
robotarmy Aug 7, 2019
de0e73c
credo
robotarmy Aug 7, 2019
2201d57
remove dev script and put it into contributing instructions
robotarmy Aug 9, 2019
761b52a
put postgres script in dev folder
robotarmy Aug 9, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .gitignore
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,3 +8,5 @@ erl_crash.dump
/tmp
.DS_Store
/.elixir_ls
.tool-versions
/priv/pg_data
43 changes: 43 additions & 0 deletions CONTRIBUTING.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@

# install deps

mix deps.get
mix deps.compile



# setup postgresql

Running postgresql via Docker can make setting up tests simple.

However because postgresql is run inside the docker host, any connections to it invoke
the access control file "pg_hba.conf"

A simple way to set docker postgresql up for tests is to use the below script
and then stop the script, modifiy the pg_hba.conf and then restart the script.

This is fine for development but no production machine should trust any user incoming.

1) start postgres via script (will download and run image)
```
dev/postgres.zsh
```
2) stop the script (CTRL-C)
3) change last line of priv/pg_data/pg_hba.conf to "host all all all trust"
4) restart postgres via script
```
dev/postgres.zsh
```

# running tests


```
mix clean && mix test
```


UUID test needs clean compilation.
```
mix clean && UUID=1 mix tes
```
15 changes: 15 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -293,6 +293,21 @@ You'll need to create the migration file and schema modules with the argument `-
mix ex_oauth2_provider.install --binary-id
```

## Development

Starting postgrest for test
( one will need to modify the pg_hba.conf after booting postges for the first time)
( notes are in the script below )
```bash
./postgres.zsh
```

Testing binary_id
```bash
mix clean && UUID=1 mix test
```


## Acknowledgement

This library was made thanks to [doorkeeper](https://github.com/doorkeeper-gem/doorkeeper), [guardian](https://github.com/ueberauth/guardian) and [authable](https://github.com/mustafaturan/authable), that gave the conceptual building blocks.
Expand Down
8 changes: 8 additions & 0 deletions dev/postgres.zsh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
#!/usr/bin/env zsh
SCRIPT_DIR=$0:a:h
DATA_DIR=$SCRIPT_DIR/../priv/pg_data
PG_NAME=postgres-oauth2-provider
mkdir -p $DATA_DIR
docker stop $PG_NAME
docker run --rm --name $PG_NAME -e POSTGRES_USER=$USER -e POSTGRES_PASSWORD=secret -p 5432:5432 -v $DATA_DIR:/var/lib/postgresql/data postgres

20 changes: 17 additions & 3 deletions test/ex_oauth2_provider/oauth2/authorization/strategy/code_test.exs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,7 @@ defmodule ExOauth2Provider.Authorization.CodeTest do
alias Dummy.{OauthAccessGrants.OauthAccessGrant, Repo}

@client_id "Jf5rM8hQBc"
@valid_request %{"client_id" => @client_id, "response_type" => "code", "scope" => "app:read app:write"}
@valid_request %{"client_id" => @client_id, "response_type" => "code"}
Copy link
Owner

@danschultzer danschultzer Aug 7, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we keep this as it is, and instead just do Map.delete(@valid_request, "scope") in the "with no scope" test? The default setup for most OAuth2 apps is to have scopes, so that's why it's a default in these tests.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@danschultzer : since scopes are an optional part of OAUTH i wanted to have some tests that did sanity check and make sure it would function.
I see no problem with keeping it. I could rename it to @valid_request_with_scope and make one for no scope.

@invalid_request %{error: :invalid_request,
error_description: "The request is missing a required parameter, includes an unsupported parameter value, or is otherwise malformed."
}
Expand Down Expand Up @@ -83,6 +83,12 @@ defmodule ExOauth2Provider.Authorization.CodeTest do
%{resource_owner: resource_owner, application: application}
end

test "with no scope", %{resource_owner: resource_owner, application: application} do
Copy link
Owner

@danschultzer danschultzer Aug 7, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is tested with an application that doesn't have any scope, but relies on the server scope. Is this as intended? It may make more sense to put it outside this describe block.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes hmm - I think that is fair. I really appreciate your thoughts
I think in general that part of the trouble OAUTH2 creates for itself is not having strong and clear best options to follow. IE (PKCE + authorization code will cover 95% of use cases , but instead it has password grant (only secure for specific cases) , credential grant, implicit grant (depricated) )

Maybe the right question we need to be asking is : Is a token with no scope legitimate if the application specifies a scope?

request = Map.delete(@valid_request, "scope")

assert Authorization.preauthorize(resource_owner, request, otp_app: :ex_oauth2_provider) == {:ok, application, []}
end

test "with limited server scope", %{resource_owner: resource_owner, application: application} do
request = Map.merge(@valid_request, %{"scope" => "read"})

Expand Down Expand Up @@ -134,12 +140,20 @@ defmodule ExOauth2Provider.Authorization.CodeTest do
%{resource_owner: resource_owner, application: application}
end

test "generates grant with no scope passed", %{resource_owner: resource_owner} do
Copy link
Owner

@danschultzer danschultzer Aug 7, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as above, this is a specific test environment, and it may make more sense to put it outside this describe block unless you need to test this in a no scope application environment (remember, the server scopes are still there).

request = Map.delete(@valid_request, "scope")
assert {:native_redirect, %{code: code}} = Authorization.authorize(resource_owner, request, otp_app: :ex_oauth2_provider)

access_grant = Repo.get_by(OauthAccessGrant, token: code)
assert access_grant.resource_owner_id == resource_owner.id
end

test "error when invalid server scope", %{resource_owner: resource_owner} do
request = Map.merge(@valid_request, %{"scope" => "public profile"})
assert Authorization.authorize(resource_owner, request, otp_app: :ex_oauth2_provider) == {:error, @invalid_scope, :unprocessable_entity}
end

test "generates grant", %{resource_owner: resource_owner} do
test "generates grant with public scope", %{resource_owner: resource_owner} do
Copy link
Owner

@danschultzer danschultzer Aug 7, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't call this public scope, since the scope's actual name has no meaning in these tests. I just ensures that the server scope works.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah - I though the intent was that it was a non-sensical scope.

request = Map.merge(@valid_request, %{"scope" => "public"})
assert {:native_redirect, %{code: code}} = Authorization.authorize(resource_owner, request, otp_app: :ex_oauth2_provider)

Expand All @@ -160,7 +174,7 @@ defmodule ExOauth2Provider.Authorization.CodeTest do

assert access_grant.resource_owner_id == resource_owner.id
assert access_grant.expires_in == Config.authorization_code_expires_in(otp_app: :ex_oauth2_provider)
assert access_grant.scopes == @valid_request["scope"]
assert access_grant.scopes == ""
Copy link
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be tested with scope.

end

test "#authorize/3 generates grant with redirect uri", %{resource_owner: resource_owner, application: application} do
Expand Down