Author: johnh
Date: Thu Nov 12 23:14:39 2009
New Revision: 835631
URL: http://svn.apache.org/viewvc?rev=835631&view=rev
Log:
Represent security-token as a feature. This feature serves as
the definitive signal indicating when a gadget requires a security token.
At present, this determination is made via a number of heuristics. The
implementation in this patch codifies these rules in a central location:
* Gadget includes feature opensocial-*
* Gadget includes feature osapi
* Gadget has <OAuth> tag
Still unaccounted-for: signed fetch via gadgets.io.makeRequest.
The security-token feature in turn has two dependencies, for separate reasons:
1. "auth-refresh" At present, in order to support security token refreshing, a
container must know (via similar heuristics to above) to append
&libs=auth-refresh to a gadget render, which forces inclusion of the
auth-refresh gadgets.rpc handler. With this change, the JS is included
automatically when a security token is needed.
2. "locked-domain" Without this change, locked domain is enforced only when
actively opted-in by the gadget (the code performs a transitive closure of
dependencies to discern locked-domain qualification, but no features actually
have this dependency in Shindig). This leads to a scenario in which a gadget may
be rendered on an insecure domain.
In order to prevent a large number of gadgets from suddenly rendering on
locked-domain without the rendering party's explicit knowledge, the patch
includes a provision forcing opt-in to transitive locked-domain support. Note,
this causes non-Shindig features with locked-domain dependencies to no longer
render on locked-domain.
Added:
incubator/shindig/trunk/features/src/main/javascript/features/security-token/
incubator/shindig/trunk/features/src/main/javascript/features/security-token/feature.xml
Modified:
incubator/shindig/trunk/features/src/main/javascript/features/features.txt
incubator/shindig/trunk/features/src/main/javascript/features/locked-domain/feature.xml
incubator/shindig/trunk/features/src/main/javascript/features/opensocial-current/feature.xml
incubator/shindig/trunk/features/src/main/javascript/features/opensocial-jsonrpc/feature.xml
incubator/shindig/trunk/features/src/main/javascript/features/opensocial-templates/feature.xml
incubator/shindig/trunk/features/src/main/javascript/features/osapi/feature.xml
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/Gadget.java
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/spec/Feature.java
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/spec/ModulePrefs.java
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/HashLockedDomainServiceTest.java
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/spec/ModulePrefsTest.java
Modified:
incubator/shindig/trunk/features/src/main/javascript/features/features.txt
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/features/src/main/javascript/features/features.txt?rev=835631&r1=835630&r2=835631&view=diff
==============================================================================
--- incubator/shindig/trunk/features/src/main/javascript/features/features.txt
(original)
+++ incubator/shindig/trunk/features/src/main/javascript/features/features.txt
Thu Nov 12 23:14:39 2009
@@ -52,6 +52,7 @@
features/osapi/feature.xml
features/pubsub/feature.xml
features/rpc/feature.xml
+features/security-token/feature.xml
features/setprefs/feature.xml
features/settitle/feature.xml
features/skins/feature.xml
Modified:
incubator/shindig/trunk/features/src/main/javascript/features/locked-domain/feature.xml
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/features/src/main/javascript/features/locked-domain/feature.xml?rev=835631&r1=835630&r2=835631&view=diff
==============================================================================
---
incubator/shindig/trunk/features/src/main/javascript/features/locked-domain/feature.xml
(original)
+++
incubator/shindig/trunk/features/src/main/javascript/features/locked-domain/feature.xml
Thu Nov 12 23:14:39 2009
@@ -17,9 +17,5 @@
specific language governing permissions and limitations under the License.
-->
<feature>
-<!--
-Required configuration:
--->
-
<name>locked-domain</name>
</feature>
Modified:
incubator/shindig/trunk/features/src/main/javascript/features/opensocial-current/feature.xml
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/features/src/main/javascript/features/opensocial-current/feature.xml?rev=835631&r1=835630&r2=835631&view=diff
==============================================================================
---
incubator/shindig/trunk/features/src/main/javascript/features/opensocial-current/feature.xml
(original)
+++
incubator/shindig/trunk/features/src/main/javascript/features/opensocial-current/feature.xml
Thu Nov 12 23:14:39 2009
@@ -21,6 +21,7 @@
<name>opensocial</name>
<dependency>core.config</dependency>
<dependency>opensocial-jsonrpc</dependency>
+ <dependency>security-token</dependency>
<!-- <dependency>caja</dependency> -->
<!-- Must include the "caja" feature to display samplecontainer -->
<!-- gadgets when "use caja" is checked -->
Modified:
incubator/shindig/trunk/features/src/main/javascript/features/opensocial-jsonrpc/feature.xml
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/features/src/main/javascript/features/opensocial-jsonrpc/feature.xml?rev=835631&r1=835630&r2=835631&view=diff
==============================================================================
---
incubator/shindig/trunk/features/src/main/javascript/features/opensocial-jsonrpc/feature.xml
(original)
+++
incubator/shindig/trunk/features/src/main/javascript/features/opensocial-jsonrpc/feature.xml
Thu Nov 12 23:14:39 2009
@@ -26,6 +26,7 @@
<dependency>core.util</dependency>
<dependency>opensocial-base</dependency>
<dependency>rpc</dependency>
+ <dependency>security-token</dependency>
<gadget>
<script src="jsonrpccontainer.js"></script>
</gadget>
Modified:
incubator/shindig/trunk/features/src/main/javascript/features/opensocial-templates/feature.xml
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/features/src/main/javascript/features/opensocial-templates/feature.xml?rev=835631&r1=835630&r2=835631&view=diff
==============================================================================
---
incubator/shindig/trunk/features/src/main/javascript/features/opensocial-templates/feature.xml
(original)
+++
incubator/shindig/trunk/features/src/main/javascript/features/opensocial-templates/feature.xml
Thu Nov 12 23:14:39 2009
@@ -32,6 +32,7 @@
<feature>
<name>opensocial-templates</name>
<dependency>opensocial-data-context</dependency>
+ <dependency>security-token</dependency>
<dependency>xmlutil</dependency>
<gadget>
<script src="jsTemplate/util.js"></script>
Modified:
incubator/shindig/trunk/features/src/main/javascript/features/osapi/feature.xml
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/features/src/main/javascript/features/osapi/feature.xml?rev=835631&r1=835630&r2=835631&view=diff
==============================================================================
---
incubator/shindig/trunk/features/src/main/javascript/features/osapi/feature.xml
(original)
+++
incubator/shindig/trunk/features/src/main/javascript/features/osapi/feature.xml
Thu Nov 12 23:14:39 2009
@@ -26,6 +26,7 @@
<dependency>core.log</dependency>
<dependency>core.util</dependency>
<dependency>rpc</dependency>
+ <dependency>security-token</dependency>
<gadget>
<script src="osapi.js"></script>
<script src="batch.js"></script>
Added:
incubator/shindig/trunk/features/src/main/javascript/features/security-token/feature.xml
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/features/src/main/javascript/features/security-token/feature.xml?rev=835631&view=auto
==============================================================================
---
incubator/shindig/trunk/features/src/main/javascript/features/security-token/feature.xml
(added)
+++
incubator/shindig/trunk/features/src/main/javascript/features/security-token/feature.xml
Thu Nov 12 23:14:39 2009
@@ -0,0 +1,47 @@
+<?xml version="1.0"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+-->
+<feature>
+ <!--
+ security-token is implemented in server code.
+
+ It serves as a placeholder that signals when a gadget requires a security
+ token for proper operation. It does not indicate where the token is needed
+ (fragment or query string).
+
+ This feature is referenced and used in a few ways:
+ a. Other features that require a security token, such as opensocial,
+ will depend on it. The transitive closure of the dependency tree thus
+ indicates such requests require a security token.
+ b. As noted in (a), metadata requests may be formed for a gadget which
+ request whether or not a security token is needed for rendering the
+ gadget. This makes it possible to intelligently choose when to mint
+ and include a security token during rendering.
+ c. As a corollary to (a) and (b), this feature depends on locked-domain,
+ again to provide a clear mechanism for containers to render gadgets
+ on the locked-domain when rendered in an IFRAME. This ensures token
security.
+ d. Another corollary to (a) and (b), a dep on auth-refresh ensures it too
+ is pulled in when necessary. This obviates the need for containers to
+ manually append &libs=auth-refresh to support this.
+ e. GadgetSpec processing code automatically includes this feature when
+ OAuth tags are included in the gadget, signaling the token's need.
+ -->
+ <name>security-token</name>
+ <dependency>locked-domain</dependency>
+ <dependency>auth-refresh</dependency>
+</feature>
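Review bot: Item (c) of the header comment says the `locked-domain` dependency "ensures token security", but in this same commit `HashLockedDomainService.gadgetWantsLockedDomain` honors transitive dependencies only when `shindig.locked-domain.lock-security-tokens` is true, and that flag defaults to false. As written, the comment will lead a container operator to believe token-bearing gadgets are isolated out of the box. Suggest appending to (c): `Enforcement is opt-in: the renderer must set shindig.locked-domain.lock-security-tokens=true, otherwise only an explicit Require/Optional of locked-domain is honored.`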
Modified:
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/Gadget.java
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/Gadget.java?rev=835631&r1=835630&r2=835631&view=diff
==============================================================================
---
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/Gadget.java
(original)
+++
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/Gadget.java
Thu Nov 12 23:14:39 2009
@@ -98,8 +98,7 @@
public synchronized List<String> getAllFeatures() {
if (allGadgetFeatures == null) {
if (featureRegistry != null) {
- allGadgetFeatures = featureRegistry.getFeatures(
-
Lists.newArrayList(this.spec.getModulePrefs().getFeatures().keySet()));
+ allGadgetFeatures =
featureRegistry.getFeatures(Lists.newArrayList(directFeatureDeps));
} else {
throw new IllegalStateException(
"setGadgetFeatureRegistry must be called before
Gadget.getAllFeatures()");
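Review bot: `getAllFeatures()` now builds the closure from `directFeatureDeps`, whose declaration and population are not part of this hunk, so it cannot be confirmed here that the implicit `security-token` entry ModulePrefs adds for `<OAuth>` gadgets ends up in that collection. `HashLockedDomainService.gadgetWantsLockedDomain` relies on this closure when `lockSecurityTokens` is on, so a `directFeatureDeps` seeded independently of the spec's feature map would let such a gadget skip locked-domain without any error. A comment on the field such as `// Seeded from spec.getModulePrefs().getFeatures().keySet(), including implicit core/security-token.` would record the invariant. A test that an OAuth-only gadget yields `locked-domain` from `getAllFeatures()` would pin it. The method body continues outside the hunk.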
Modified:
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java?rev=835631&r1=835630&r2=835631&view=diff
==============================================================================
---
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java
(original)
+++
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/HashLockedDomainService.java
Thu Nov 12 23:14:39 2009
@@ -44,6 +44,7 @@
public class HashLockedDomainService implements LockedDomainService {
private static final Logger LOG =
Logger.getLogger(HashLockedDomainService.class.getName());
private final boolean enabled;
+ private boolean lockSecurityTokens = false;
private final Map<String, String> lockedSuffixes;
private final Map<String, Boolean> required;
@@ -75,6 +76,24 @@
}
}
}
+
+ /**
+ * Allows a renderer to render all gadgets that require a security token on
a locked
+ * domain. This is recommended security practice, as it secures the token
from other
+ * gadgets, but because the "security-token" dependency on "locked-domain" is
+ * both implicit (added by GadgetSpec code for OAuth elements) and/or
transitive
+ * (included by opensocial and opensocial-templates features), turning this
behavior
+ * by default may take some by surprise. As such, we provide this flag. If
false
+ * (by default), locked-domain will apply only when the gadget's
Requires/Optional
+ * sections include it. Otherwise, the transitive dependency tree will be
traversed
+ * to make this decision.
+ * @param lockSecurityTokens If true, locks domains for all gadgets
requiring security-token.
+ */
+ @Inject(optional = true)
+ public void setLockSecurityTokens(
+ @Named("shindig.locked-domain.lock-security-tokens") Boolean
lockSecurityTokens) {
+ this.lockSecurityTokens = lockSecurityTokens;
+ }
public boolean isEnabled() {
return enabled;
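Review bot: `setLockSecurityTokens` takes a boxed `Boolean` and assigns it to a primitive field, so a null argument throws NullPointerException on unboxing; declaring the parameter as `boolean`, or assigning `Boolean.TRUE.equals(lockSecurityTokens)`, avoids that. The field is written after construction without `volatile` or synchronization while `gadgetWantsLockedDomain` reads it, so if the setter can be called outside injector startup the new value is not guaranteed to be visible to request threads. In the Javadoc, "turning this behavior by default" should read "turning this behavior on by default". The Javadoc should also state plainly that with the default `false`, gadgets that carry a security token are not forced onto a locked domain.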
@@ -122,7 +141,10 @@
}
private boolean gadgetWantsLockedDomain(Gadget gadget) {
- return gadget.getAllFeatures().contains("locked-domain");
+ if (lockSecurityTokens) {
+ return gadget.getAllFeatures().contains("locked-domain");
+ }
+ return
gadget.getSpec().getModulePrefs().getFeatures().keySet().contains("locked-domain");
}
private boolean hostRequiresLockedDomain(String host) {
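Review bot: `lockSecurityTokens` gates every transitive `locked-domain` dependency in `gadgetWantsLockedDomain`, not only the one reached through `security-token`, so the flag name understates what the default `false` switches off. The two branches have no comment; `// Transitive closure only when opted in; otherwise honor an explicit Require/Optional of locked-domain only.` above the `if` would make the fail-open default visible to the next reader. The fallback lookup reads more directly as `getFeatures().containsKey("locked-domain")`. The fallback also consults only the spec's ModulePrefs, so a feature attached to the gadget by other means, if any exist, is not considered on that path.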
Modified:
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/spec/Feature.java
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/spec/Feature.java?rev=835631&r1=835630&r2=835631&view=diff
==============================================================================
---
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/spec/Feature.java
(original)
+++
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/spec/Feature.java
Thu Nov 12 23:14:39 2009
@@ -32,13 +32,14 @@
* No substitutions on any fields.
*/
public class Feature {
- public static final Feature CORE_FEATURE = new Feature();
+ public static final Feature CORE_FEATURE = new Feature("core");
+ public static final Feature SECURITY_TOKEN_FEATURE = new
Feature("security-token");
// Instantiable only by CORE_FEATURE.
- private Feature() {
+ private Feature(String name) {
this.params = ImmutableMultimap.of();
this.required = true;
- this.name = "core";
+ this.name = name;
}
/**
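Review bot: The comment `// Instantiable only by CORE_FEATURE.` above the private constructor is stale now that `SECURITY_TOKEN_FEATURE` is built through it as well; suggest `// Used only for the built-in implicit features (CORE_FEATURE, SECURITY_TOKEN_FEATURE).`. Both constants are created with `required = true` and an empty params map. That deserves a one-line Javadoc on `SECURITY_TOKEN_FEATURE`, since it is injected on the gadget author's behalf rather than declared by them.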
Modified:
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/spec/ModulePrefs.java
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/spec/ModulePrefs.java?rev=835631&r1=835630&r2=835631&view=diff
==============================================================================
---
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/spec/ModulePrefs.java
(original)
+++
incubator/shindig/trunk/java/gadgets/src/main/java/org/apache/shindig/gadgets/spec/ModulePrefs.java
Thu Nov 12 23:14:39 2009
@@ -16,6 +16,8 @@
* specific language governing permissions and limitations under the License.
*/
package org.apache.shindig.gadgets.spec;
+
+import org.apache.commons.lang.mutable.MutableBoolean;
import org.apache.shindig.common.uri.Uri;
import org.apache.shindig.gadgets.variables.Substitutions;
@@ -84,10 +86,11 @@
categories = ImmutableList.of(getAttribute(ATTR_CATEGORY, ""),
getAttribute(ATTR_CATEGORY2, ""));
// Eventually use a list of classes
+ MutableBoolean oauthMarker = new MutableBoolean(false);
Set<ElementVisitor> visitors = ImmutableSet.of(
- new FeatureVisitor(),
+ new FeatureVisitor(oauthMarker),
new PreloadVisitor(),
- new OAuthVisitor(),
+ new OAuthVisitor(oauthMarker),
new IconVisitor(),
new LocaleVisitor(),
new LinkVisitor(),
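Review bot: The shared `MutableBoolean oauthMarker` couples the two visitors through mutable state: `OAuthVisitor.visit` sets it and `FeatureVisitor` reads it when it publishes `moduleprefs.features` (both in later hunks). That is correct only if every element has been visited before any visitor's publish step runs; the traversal code is outside this hunk, so this cannot be confirmed from here. A comment at the declaration, e.g. `// Set by OAuthVisitor.visit(); read by FeatureVisitor only after all elements have been visited.`, would record the ordering assumption that the security-token injection depends on.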
@@ -621,6 +624,11 @@
*/
private class OAuthVisitor implements ElementVisitor {
private OAuthSpec oauthSpec = null;
+ private final MutableBoolean oauthMarker;
+
+ private OAuthVisitor(MutableBoolean oauthMarker) {
+ this.oauthMarker = oauthMarker;
+ }
public boolean visit(String tag, Element element) throws
SpecParserException {
if (!"OAuth".equals(tag)) return false;
@@ -629,6 +637,7 @@
throw new SpecParserException("ModulePrefs/OAuth may only occur
once.");
}
oauthSpec = new OAuthSpec(element, base);
+ oauthMarker.setValue(true);
return true;
}
@@ -643,9 +652,14 @@
*/
private static class FeatureVisitor implements ElementVisitor {
private final Map<String, Feature> features = Maps.newHashMap();
+ private final MutableBoolean oauthMarker;
private boolean coreIncluded = false;
private static final Set<String> tags = ImmutableSet.of("Require",
"Optional");
+
+ private FeatureVisitor(MutableBoolean oauthMarker) {
+ this.oauthMarker = oauthMarker;
+ }
public boolean visit (String tag, Element element) throws
SpecParserException {
if (!tags.contains(tag)) return false;
@@ -660,6 +674,10 @@
// No library was explicitly included from core - add it as an
implicit dependency.
features.put(Feature.CORE_FEATURE.getName(), Feature.CORE_FEATURE);
}
+ if (oauthMarker.booleanValue()) {
+ // <OAuth> tag found: security token needed.
+ features.put(Feature.SECURITY_TOKEN_FEATURE.getName(),
Feature.SECURITY_TOKEN_FEATURE);
+ }
moduleprefs.features = ImmutableMap.copyOf(features);
}
}
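Review bot: The unconditional `features.put(...)` for `SECURITY_TOKEN_FEATURE` replaces any `security-token` entry the gadget declared itself, so an explicit `<Require feature='security-token'>` carrying `<Param>` children loses those params whenever an `<OAuth>` tag is also present. Guarding it the way the core case is guarded, `if (oauthMarker.booleanValue() && !features.containsKey(Feature.SECURITY_TOKEN_FEATURE.getName())) {`, keeps the author's declaration. If overriding an `<Optional>` declaration with a required one is intended, the inline comment should say so. The enclosing method starts outside the hunk.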
Modified:
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/HashLockedDomainServiceTest.java
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/HashLockedDomainServiceTest.java?rev=835631&r1=835630&r2=835631&view=diff
==============================================================================
---
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/HashLockedDomainServiceTest.java
(original)
+++
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/HashLockedDomainServiceTest.java
Thu Nov 12 23:14:39 2009
@@ -39,22 +39,28 @@
private HashLockedDomainService lockedDomainService;
private Gadget wantsLocked = null;
private Gadget notLocked = null;
+ private Gadget wantsSecurityToken = null;
+ private Gadget wantsBoth = null;
private final ContainerConfig requiredConfig = mock(ContainerConfig.class);
private final ContainerConfig enabledConfig = mock(ContainerConfig.class);
@SuppressWarnings("unchecked")
- private Gadget makeGadget(boolean wantsLocked, String url) {
- String gadgetXml;
+ private Gadget makeGadget(boolean wantsLocked, boolean wantsSecurityToken,
String url) {
+
List<String> gadgetFeatures = Lists.newArrayList();
- if (wantsLocked) {
- gadgetXml =
- "<Module><ModulePrefs title=''>" +
- " <Require feature='locked-domain'/>" +
- "</ModulePrefs><Content/></Module>";
+ String requires = "";
+ if (wantsLocked || wantsSecurityToken) {
gadgetFeatures.add("locked-domain");
- } else {
- gadgetXml = "<Module><ModulePrefs title=''/><Content/></Module>";
+ if (wantsLocked) {
+ requires += " <Require feature='locked-domain'/>";
+ }
+ if (wantsSecurityToken) {
+ requires += " <Require feature='security-token'/>";
+ gadgetFeatures.add("security-token");
+ }
}
+
+ String gadgetXml = "<Module><ModulePrefs title=''>" + requires +
"</ModulePrefs><Content/></Module>";
GadgetSpec spec = null;
try {
@@ -82,8 +88,11 @@
LOCKED_DOMAIN_SUFFIX_KEY)).andReturn("-a.example.com:8080").anyTimes();
expect(enabledConfig.getContainers())
.andReturn(Arrays.asList(ContainerConfig.DEFAULT_CONTAINER)).anyTimes();
- wantsLocked = makeGadget(true, "http://somehost.com/somegadget.xml");
- notLocked = makeGadget(false, "not-locked");
+ wantsLocked = makeGadget(true, false,
"http://somehost.com/somegadget.xml");
+ notLocked = makeGadget(false, false, "not-locked");
+ wantsSecurityToken = makeGadget(false, true,
"http://somehost.com/securitytoken.xml");
+ wantsBoth =
+ makeGadget(true, true, "http://somehost.com/tokenandlocked.xml");
}
@@ -95,12 +104,16 @@
assertTrue(lockedDomainService.isSafeForOpenProxy("embed.com"));
assertTrue(lockedDomainService.gadgetCanRender("embed.com", wantsLocked,
"default"));
assertTrue(lockedDomainService.gadgetCanRender("embed.com", notLocked,
"default"));
+ assertTrue(lockedDomainService.gadgetCanRender("embed.com",
wantsSecurityToken, "default"));
+ assertTrue(lockedDomainService.gadgetCanRender("embed.com", wantsBoth,
"default"));
lockedDomainService = new HashLockedDomainService(enabledConfig, false);
assertTrue(lockedDomainService.isSafeForOpenProxy("anywhere.com"));
assertTrue(lockedDomainService.isSafeForOpenProxy("embed.com"));
assertTrue(lockedDomainService.gadgetCanRender("embed.com", wantsLocked,
"default"));
assertTrue(lockedDomainService.gadgetCanRender("embed.com", notLocked,
"default"));
+ assertTrue(lockedDomainService.gadgetCanRender("embed.com",
wantsSecurityToken, "default"));
+ assertTrue(lockedDomainService.gadgetCanRender("embed.com", wantsBoth,
"default"));
}
public void testEnabledForGadget() {
@@ -113,8 +126,29 @@
assertFalse(lockedDomainService.gadgetCanRender("www.example.com",
wantsLocked, "default"));
assertTrue(lockedDomainService.gadgetCanRender(
"8uhr00296d2o3sfhqilj387krjmgjv3v-a.example.com:8080", wantsLocked,
"default"));
+ assertFalse(lockedDomainService.gadgetCanRender(
+ "8uhr00296d2o3sfhqilj387krjmgjv3v-a.example.com:8080",
wantsSecurityToken, "default"));
+ assertTrue(lockedDomainService.gadgetCanRender(
+ "h2nlf2a2dqou2lul3n50jb4v7e8t34kc-a.example.com:8080", wantsBoth,
"default"));
+
String target = lockedDomainService.getLockedDomainForGadget(wantsLocked,
"default");
assertEquals("8uhr00296d2o3sfhqilj387krjmgjv3v-a.example.com:8080",
target);
+
+ target = lockedDomainService.getLockedDomainForGadget(wantsBoth,
"default");
+ assertEquals("h2nlf2a2dqou2lul3n50jb4v7e8t34kc-a.example.com:8080",
target);
+
+ lockedDomainService.setLockSecurityTokens(true);
+ assertTrue(lockedDomainService.gadgetCanRender(
+ "lrrq12l8s5flpqcjoj1h1872lp9p93nk-a.example.com:8080",
wantsSecurityToken, "default"));
+ target = lockedDomainService.getLockedDomainForGadget(wantsSecurityToken,
"default");
+ assertEquals("lrrq12l8s5flpqcjoj1h1872lp9p93nk-a.example.com:8080",
target);
+
+ // Direct includes work as before.
+ target = lockedDomainService.getLockedDomainForGadget(wantsLocked,
"default");
+ assertEquals("8uhr00296d2o3sfhqilj387krjmgjv3v-a.example.com:8080",
target);
+
+ target = lockedDomainService.getLockedDomainForGadget(wantsBoth,
"default");
+ assertEquals("h2nlf2a2dqou2lul3n50jb4v7e8t34kc-a.example.com:8080",
target);
}
public void testNotEnabledForGadget() {
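Review bot: After `setLockSecurityTokens(true)` the test checks only that `wantsSecurityToken` renders on its own locked host; it never asserts that the gadget is refused on any other host, which is the property the flag exists to enforce. Add `assertFalse(lockedDomainService.gadgetCanRender("www.example.com", wantsSecurityToken, "default"));` right after the setter call. Separately, `makeGadget` (earlier hunk) hard-codes `locked-domain` into the feature list whenever `wantsSecurityToken` is set, so these tests would still pass if the `<dependency>locked-domain</dependency>` line were dropped from security-token/feature.xml. A test that resolves the closure through the real feature registry would cover that.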
Modified:
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/spec/ModulePrefsTest.java
URL:
http://svn.apache.org/viewvc/incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/spec/ModulePrefsTest.java?rev=835631&r1=835630&r2=835631&view=diff
==============================================================================
---
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/spec/ModulePrefsTest.java
(original)
+++
incubator/shindig/trunk/java/gadgets/src/test/java/org/apache/shindig/gadgets/spec/ModulePrefsTest.java
Thu Nov 12 23:14:39 2009
@@ -225,6 +225,43 @@
String xml = "<ModulePrefs/>";
new ModulePrefs(XmlUtil.parse(xml), SPEC_URL);
}
+
+ @Test
+ public void coreInjectedAutomatically() throws Exception {
+ String xml = "<ModulePrefs title=''><Require
feature='foo'/></ModulePrefs>";
+ ModulePrefs prefs = new ModulePrefs(XmlUtil.parse(xml), SPEC_URL);
+ assertEquals(2, prefs.getFeatures().size());
+ assertTrue(prefs.getFeatures().containsKey("foo"));
+ assertTrue(prefs.getFeatures().containsKey("core"));
+ }
+
+ @Test
+ public void coreNotInjectedOnSplitCoreInclusion() throws Exception {
+ String xml = "<ModulePrefs title=''><Require
feature='core.config'/></ModulePrefs>";
+ ModulePrefs prefs = new ModulePrefs(XmlUtil.parse(xml), SPEC_URL);
+ assertEquals(1, prefs.getFeatures().size());
+ assertTrue(prefs.getFeatures().containsKey("core.config"));
+ }
+
+ @Test
+ public void securityTokenInjectedOnOAuthTag() throws Exception {
+ String xml =
+ "<ModulePrefs title=''>" +
+ " <OAuth>" +
+ " <Service name='serviceOne'>" +
+ " <Request url='http://www.example.com/request'" +
+ " method='GET' param_location='auth-header' />" +
+ " <Authorization url='http://www.example.com/authorize'/>" +
+ " <Access url='http://www.example.com/access' method='GET'" +
+ " param_location='auth-header' />" +
+ " </Service>" +
+ " </OAuth>" +
+ "</ModulePrefs>";
+ ModulePrefs prefs = new ModulePrefs(XmlUtil.parse(xml), SPEC_URL);
+ assertEquals(2, prefs.getFeatures().size());
+ assertTrue(prefs.getFeatures().containsKey("core"));
+ assertTrue(prefs.getFeatures().containsKey("security-token"));
+ }
@Test
public void toStringIsSane() throws Exception {