trabajo-afectivo/spec/lib/external_credential/microsoft365_spec.rb

# Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/

require 'rails_helper'

RSpec.describe ExternalCredential::Microsoft365 do

  let(:token_url) { 'https://login.microsoftonline.com/common/oauth2/v2.0/token' }
  let(:token_url_with_tenant) { 'https://login.microsoftonline.com/tenant/oauth2/v2.0/token' }
  let(:authorize_url) { "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?access_type=offline&client_id=#{client_id}&prompt=consent&redirect_uri=http%3A%2F%2Fzammad.example.com%2Fapi%2Fv1%2Fexternal_credentials%2Fmicrosoft365%2Fcallback&response_type=code&scope=https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All+https%3A%2F%2Foutlook.office.com%2FSMTP.Send+offline_access+openid+profile+email" }
  let(:authorize_url_with_tenant) { "https://login.microsoftonline.com/tenant/oauth2/v2.0/authorize?access_type=offline&client_id=#{client_id}&prompt=consent&redirect_uri=http%3A%2F%2Fzammad.example.com%2Fapi%2Fv1%2Fexternal_credentials%2Fmicrosoft365%2Fcallback&response_type=code&scope=https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All+https%3A%2F%2Foutlook.office.com%2FSMTP.Send+offline_access+openid+profile+email" }

  let(:id_token) { 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtnMkxZczJUMENUaklmajRydDZKSXluZW4zOCJ9.eyJhdWQiOiIyMTk4NTFhYS0wMDAwLTRhNDctMTExMS0zMmQwNzAyZTAxMjM0IiwiaXNzIjoiaHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tLzM2YTlhYjU1LWZpZmEtMjAyMC04YTc4LTkwcnM0NTRkYmNmZDJkL3YyLjAiLCJpYXQiOjEzMDE1NTE4MzUsIm5iZiI6MTMwMTU1MTgzNSwiZXhwIjoxNjAxNTU5NzQ0LCJuYW1lIjoiRXhhbXBsZSBVc2VyIiwib2lkIjoiMTExYWIyMTQtMTJzNy00M2NnLThiMTItM2ozM2UydDBjYXUyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoidGVzdEBleGFtcGxlLmNvbSIsImVtYWlsIjoidGVzdEBleGFtcGxlLmNvbSIsInJoIjoiMC40MjM0LWZmZnNmZGdkaGRLZUpEU1hiejlMYXBSbUNHZGdmZ2RmZ0kwZHkwSEF1QlhaSEFNYy4iLCJzdWIiOiJYY0VlcmVyQkVnX0EzNWJlc2ZkczNMTElXNjU1NFQtUy0ycGRnZ2R1Z3c1NDNXT2xJIiwidGlkIjoiMzZhOWFiNTUtZmlmYS0yMDIwLThhNzgtOTByczQ1NGRiY2ZkMmQiLCJ1dGkiOiJEU0dGZ3Nhc2RkZmdqdGpyMzV3cWVlIiwidmVyIjoiMi4wIn0=.l0nglq4rIlkR29DFK3PQFQTjE-VeHdgLmcnXwGvT8Z-QBaQjeTAcoMrVpr0WdL6SRYiyn2YuqPnxey6N0IQdlmvTMBv0X_dng_y4CiQ8ABdZrQK0VSRWZViboJgW5iBvJYFcMmVoilHChueCzTBnS1Wp2KhirS2ymUkPHS6AB98K0tzOEYciR2eJsJ2JOdo-82oOW4w6tbbqMvzT3DzsxqPQRGe2hUbNqo6gcwJLqq4t0bNf5XiYThw1sv4IivERmqW_pfybXEseKyZGd4NnJ6WwwOgTz5tkoLwls_YeDZVcp_Fpw9XR7J0UlyPqLtoUEjVihdyrJjAbdtHFKdOjrw' }
  let(:access_token) { '000.0000lvC3gAbjs8CYoKitfqM5LBS5N13374MCg6pNpZ28mxO2HuZvg0000_rsW00aACmFEto1BJeGDuu0000vmV6Esqv78iec-FbEe842ZevQtOOemQyQXjhMs62K1E6g3ehDLPRp6j4vtpSKSb6I-3MuDPfdzdqI23hM0' }
  let(:refresh_token) { '1//00000VO1ES0hFCgYIARAAGAkSNwF-L9IraWQNMj5ZTqhB00006DssAYcpEyFks5OuvZ1337wrqX0D7tE5o71FIPzcWEMM5000004' }
  let(:request_token) { nil } # not used but required by ExternalCredential API

  let(:scope_payload) { 'https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access openid profile email' }
  let(:scope_stub) { scope_payload }

  let(:client_id) { '123' }
  let(:client_secret) { '345' }
  let(:client_tenant) { 'tenant' }
  let(:authorization_code) { '567' }

  let(:email_address) { 'test@example.com' }
  let(:provider) { 'microsoft365' }
  let(:token_ttl) { 3599 }

  let!(:token_response_payload) do
    {
      'access_token'  => access_token,
      'expires_in'    => token_ttl,
      'refresh_token' => refresh_token,
      'scope'         => scope_stub,
      'token_type'    => 'Bearer',
      'id_token'      => id_token,
      'type'          => 'XOAUTH2',
    }
  end

  describe '.link_account' do
    let!(:authorization_payload) do
      {
        code:       authorization_code,
        scope:      scope_payload,
        authuser:   '4',
        hd:         'example.com',
        prompt:     'consent',
        controller: 'external_credentials',
        action:     'callback',
        provider:   provider
      }
    end

    before do
      # we check the TTL of tokens and therefore need freeze the time
      freeze_time
    end

    context 'success' do

      let(:request_payload) do
        {
          'client_secret' => client_secret,
          'code'          => authorization_code,
          'grant_type'    => 'authorization_code',
          'client_id'     => client_id,
          'redirect_uri'  => ExternalCredential.callback_url(provider),
        }
      end

      before do
        stub_request(:post, token_url)
          .with(body: hash_including(request_payload))
          .to_return(status: 200, body: token_response_payload.to_json, headers: {})

        create(:external_credential, name: provider, credentials: { client_id: client_id, client_secret: client_secret })
      end

      it 'creates a Channel instance' do

        channel = described_class.link_account(request_token, authorization_payload)

        expect(channel.options).to include(
          'inbound'  => include(
            'options' => include(
              'auth_type' => 'XOAUTH2',
              'host'      => 'outlook.office365.com',
              'ssl'       => 'ssl',
              'user'      => email_address,
            )
          ),
          'outbound' => include(
            'options' => include(
              'authentication' => 'xoauth2',
              'host'           => 'smtp.office365.com',
              'port'           => 587,
              'user'           => email_address,
            )
          ),
          'auth'     => include(
            'access_token'  => access_token,
            'expires_in'    => token_ttl,
            'refresh_token' => refresh_token,
            'scope'         => scope_stub,
            'token_type'    => 'Bearer',
            'id_token'      => id_token,
            'created_at'    => Time.zone.now,
            'type'          => 'XOAUTH2',
            'client_id'     => client_id,
            'client_secret' => client_secret,
          ),
        )
      end
    end

    context 'API errors' do

      before do
        stub_request(:post, token_url).to_return(status: response_status, body: response_payload&.to_json, headers: {})

        create(:external_credential, name: provider, credentials: { client_id: client_id, client_secret: client_secret })
      end

      shared_examples 'failed attempt' do
        it 'raises an exception' do
          expect do
            described_class.link_account(request_token, authorization_payload)
          end.to raise_error(RuntimeError, exception_message)
        end
      end

      context '404 invalid_client' do
        let(:response_status) { 404 }
        let(:response_payload) do
          {
            error:             'invalid_client',
            error_description: 'The OAuth client was not found.'
          }
        end
        let(:exception_message) { 'Request failed! ERROR: invalid_client (The OAuth client was not found.)' }

        include_examples 'failed attempt'
      end

      context '500 Internal Server Error' do
        let(:response_status) { 500 }
        let(:response_payload) { nil }
        let(:exception_message) { 'Request failed! (code: 500)' }

        include_examples 'failed attempt'
      end
    end
  end

  describe '.refresh_token' do
    let!(:authorization_payload) do
      {
        code:       authorization_code,
        scope:      scope_payload,
        authuser:   '4',
        hd:         'example.com',
        prompt:     'consent',
        controller: 'external_credentials',
        action:     'callback',
        provider:   provider
      }
    end
    let!(:channel) do
      stub_request(:post, token_url).to_return(status: 200, body: token_response_payload.to_json, headers: {})

      create(:external_credential, name: provider, credentials: { client_id: client_id, client_secret: client_secret })
      channel = described_class.link_account(request_token, authorization_payload)

      # remove stubs and allow new stubbing for tested requests
      WebMock.reset!

      channel
    end

    before do
      # we check the TTL of tokens and therefore need freeze the time
      freeze_time
    end

    context 'success' do

      let!(:expired_at) { channel.options['auth']['created_at'] }

      before do
        stub_request(:post, token_url).to_return(status: 200, body: response_payload.to_json, headers: {})
      end

      context 'access_token still valid' do
        let(:response_payload) do
          {
            'access_token' => access_token,
            'expires_in'   => token_ttl,
            'scope'        => scope_stub,
            'token_type'   => 'Bearer',
            'type'         => 'XOAUTH2',
          }
        end

        it 'does not refresh' do
          expect do
            channel.refresh_xoauth2!
          end.not_to change { channel.options['auth']['created_at'] }
        end
      end

      context 'access_token expired' do
        let(:refreshed_access_token) { 'some_new_token' }

        let(:response_payload) do
          {
            'access_token' => refreshed_access_token,
            'expires_in'   => token_ttl,
            'scope'        => scope_stub,
            'token_type'   => 'Bearer',
            'type'         => 'XOAUTH2',
          }
        end

        before do
          travel 1.hour
        end

        it 'refreshes token' do
          expect do
            channel.refresh_xoauth2!
          end.to change { channel.options['auth'] }.to include(
            'created_at'   => Time.zone.now,
            'access_token' => refreshed_access_token,
          )
        end
      end
    end

    context 'API errors' do

      before do
        stub_request(:post, token_url).to_return(status: response_status, body: response_payload&.to_json, headers: {})

        # invalidate existing token
        travel 1.hour
      end

      shared_examples 'failed attempt' do
        it 'raises an exception' do
          expect do
            channel.refresh_xoauth2!
          end.to raise_error(RuntimeError, exception_message)
        end
      end

      context '400 invalid_client' do
        let(:response_status) { 400 }
        let(:response_payload) do
          {
            error:             'invalid_client',
            error_description: 'The OAuth client was not found.'
          }
        end
        let(:exception_message) { %r{The OAuth client was not found} }

        include_examples 'failed attempt'
      end

      context '500 Internal Server Error' do
        let(:response_status) { 500 }
        let(:response_payload) { nil }
        let(:exception_message) { %r{code: 500} }

        include_examples 'failed attempt'
      end
    end
  end

  describe '.request_account_to_link' do
    it 'generates authorize_url from credentials' do
      microsoft365 = create(:external_credential, name: provider, credentials: { client_id: client_id, client_secret: client_secret })
      request      = described_class.request_account_to_link(microsoft365.credentials)

      expect(request[:authorize_url]).to eq(authorize_url)
    end

    context 'errors' do

      shared_examples 'failed attempt' do
        it 'raises an exception' do
          expect do
            described_class.request_account_to_link(credentials, app_required)
          end.to raise_error(Exceptions::UnprocessableEntity, exception_message)
        end
      end

      context 'missing credentials' do
        let(:credentials) { nil }
        let(:app_required) { true }
        let(:exception_message) { 'No Microsoft365 app configured!' }

        include_examples 'failed attempt'
      end

      context 'missing client_id' do
        let(:credentials) do
          {
            client_secret: client_secret
          }
        end
        let(:app_required) { false }
        let(:exception_message) { 'No client_id param!' }

        include_examples 'failed attempt'
      end

      context 'missing client_secret' do
        let(:credentials) do
          {
            client_id: client_id
          }
        end
        let(:app_required) { false }
        let(:exception_message) { 'No client_secret param!' }

        include_examples 'failed attempt'
      end
    end
  end

  describe '.generate_authorize_url' do
    it 'generates valid URL' do
      url = described_class.generate_authorize_url(client_id: client_id)
      expect(url).to eq(authorize_url)
    end

    it 'generates valid URL with tenant' do
      url = described_class.generate_authorize_url(client_id: client_id, client_tenant: 'tenant')
      expect(url).to eq(authorize_url_with_tenant)
    end
  end

  describe '.user_info' do
    it 'extracts user information from id_token' do
      info = described_class.user_info(id_token)
      expect(info[:email]).to eq(email_address)
    end
  end
end
Maintenance: Update copyright header. 2022-01-01 13:38:12 +00:00			`# Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/`
Maintenance: Update copyright information and add a new rubocop cop to watch over it. 2021-06-01 12:20:20 +00:00
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`require 'rails_helper'`

Follow up - db3f553140ef506f8d31815ec08651187a3a6e4f - Fixes #3215 - Renamed Office365 to Microsoft365. 2020-10-27 14:05:10 +00:00			`RSpec.describe ExternalCredential::Microsoft365 do`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00
			`let(:token_url) { 'https://login.microsoftonline.com/common/oauth2/v2.0/token' }`
Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`let(:token_url_with_tenant) { 'https://login.microsoftonline.com/tenant/oauth2/v2.0/token' }`
Follow up - db3f553140ef506f8d31815ec08651187a3a6e4f - Fixes #3215 - Renamed Office365 to Microsoft365. 2020-10-27 14:05:10 +00:00			`let(:authorize_url) { "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?access_type=offline&client_id=#{client_id}&prompt=consent&redirect_uri=http%3A%2F%2Fzammad.example.com%2Fapi%2Fv1%2Fexternal_credentials%2Fmicrosoft365%2Fcallback&response_type=code&scope=https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All+https%3A%2F%2Foutlook.office.com%2FSMTP.Send+offline_access+openid+profile+email" }`
Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`let(:authorize_url_with_tenant) { "https://login.microsoftonline.com/tenant/oauth2/v2.0/authorize?access_type=offline&client_id=#{client_id}&prompt=consent&redirect_uri=http%3A%2F%2Fzammad.example.com%2Fapi%2Fv1%2Fexternal_credentials%2Fmicrosoft365%2Fcallback&response_type=code&scope=https%3A%2F%2Foutlook.office.com%2FIMAP.AccessAsUser.All+https%3A%2F%2Foutlook.office.com%2FSMTP.Send+offline_access+openid+profile+email" }`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00
			let(:id_token) { 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImtnMkxZczJUMENUaklmajRydDZKSXluZW4zOCJ9.eyJhdWQiOiIyMTk4NTFhYS0wMDAwLTRhNDctMTExMS0zMmQwNzAyZTAxMjM0IiwiaXNzIjoiaHR0cHM6Ly9sb2dpbi5taWNyb3NvZnRvbmxpbmUuY29tLzM2YTlhYjU1LWZpZmEtMjAyMC04YTc4LTkwcnM0NTRkYmNmZDJkL3YyLjAiLCJpYXQiOjEzMDE1NTE4MzUsIm5iZiI6MTMwMTU1MTgzNSwiZXhwIjoxNjAxNTU5NzQ0LCJuYW1lIjoiRXhhbXBsZSBVc2VyIiwib2lkIjoiMTExYWIyMTQtMTJzNy00M2NnLThiMTItM2ozM2UydDBjYXUyIiwicHJlZmVycmVkX3VzZXJuYW1lIjoidGVzdEBleGFtcGxlLmNvbSIsImVtYWlsIjoidGVzdEBleGFtcGxlLmNvbSIsInJoIjoiMC40MjM0LWZmZnNmZGdkaGRLZUpEU1hiejlMYXBSbUNHZGdmZ2RmZ0kwZHkwSEF1QlhaSEFNYy4iLCJzdWIiOiJYY0VlcmVyQkVnX0EzNWJlc2ZkczNMTElXNjU1NFQtUy0ycGRnZ2R1Z3c1NDNXT2xJIiwidGlkIjoiMzZhOWFiNTUtZmlmYS0yMDIwLThhNzgtOTByczQ1NGRiY2ZkMmQiLCJ1dGkiOiJEU0dGZ3Nhc2RkZmdqdGpyMzV3cWVlIiwidmVyIjoiMi4wIn0=.l0nglq4rIlkR29DFK3PQFQTjE-VeHdgLmcnXwGvT8Z-QBaQjeTAcoMrVpr0WdL6SRYiyn2YuqPnxey6N0IQdlmvTMBv0X_dng_y4CiQ8ABdZrQK0VSRWZViboJgW5iBvJYFcMmVoilHChueCzTBnS1Wp2KhirS2ymUkPHS6AB98K0tzOEYciR2eJsJ2JOdo-82oOW4w6tbbqMvzT3DzsxqPQRGe2hUbNqo6gcwJLqq4t0bNf5XiYThw1sv4IivERmqW_pfybXEseKyZGd4NnJ6WwwOgTz5tkoLwls_YeDZVcp_Fpw9XR7J0UlyPqLtoUEjVihdyrJjAbdtHFKdOjrw' }
			`let(:access_token) { '000.0000lvC3gAbjs8CYoKitfqM5LBS5N13374MCg6pNpZ28mxO2HuZvg0000_rsW00aACmFEto1BJeGDuu0000vmV6Esqv78iec-FbEe842ZevQtOOemQyQXjhMs62K1E6g3ehDLPRp6j4vtpSKSb6I-3MuDPfdzdqI23hM0' }`
			`let(:refresh_token) { '1//00000VO1ES0hFCgYIARAAGAkSNwF-L9IraWQNMj5ZTqhB00006DssAYcpEyFks5OuvZ1337wrqX0D7tE5o71FIPzcWEMM5000004' }`
			`let(:request_token) { nil } # not used but required by ExternalCredential API`

			`let(:scope_payload) { 'https://outlook.office.com/IMAP.AccessAsUser.All https://outlook.office.com/SMTP.Send offline_access openid profile email' }`
			`let(:scope_stub) { scope_payload }`

			`let(:client_id) { '123' }`
			`let(:client_secret) { '345' }`
Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`let(:client_tenant) { 'tenant' }`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`let(:authorization_code) { '567' }`

			`let(:email_address) { 'test@example.com' }`
Follow up - db3f553140ef506f8d31815ec08651187a3a6e4f - Fixes #3215 - Renamed Office365 to Microsoft365. 2020-10-27 14:05:10 +00:00			`let(:provider) { 'microsoft365' }`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`let(:token_ttl) { 3599 }`

			`let!(:token_response_payload) do`
			`{`
			`'access_token' => access_token,`
			`'expires_in' => token_ttl,`
			`'refresh_token' => refresh_token,`
			`'scope' => scope_stub,`
			`'token_type' => 'Bearer',`
			`'id_token' => id_token,`
			`'type' => 'XOAUTH2',`
			`}`
			`end`

			`describe '.link_account' do`
			`let!(:authorization_payload) do`
			`{`
			`code: authorization_code,`
			`scope: scope_payload,`
			`authuser: '4',`
			`hd: 'example.com',`
			`prompt: 'consent',`
			`controller: 'external_credentials',`
			`action: 'callback',`
			`provider: provider`
			`}`
			`end`

			`before do`
			`# we check the TTL of tokens and therefore need freeze the time`
			`freeze_time`
			`end`

			`context 'success' do`

			`let(:request_payload) do`
			`{`
			`'client_secret' => client_secret,`
			`'code' => authorization_code,`
			`'grant_type' => 'authorization_code',`
			`'client_id' => client_id,`
			`'redirect_uri' => ExternalCredential.callback_url(provider),`
			`}`
			`end`

			`before do`
			`stub_request(:post, token_url)`
			`.with(body: hash_including(request_payload))`
			`.to_return(status: 200, body: token_response_payload.to_json, headers: {})`

Maintenance: Activated rubocop Layout/SpaceInsideParens. 2021-07-16 13:38:01 +00:00			`create(:external_credential, name: provider, credentials: { client_id: client_id, client_secret: client_secret })`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`end`

			`it 'creates a Channel instance' do`

			`channel = described_class.link_account(request_token, authorization_payload)`

Fixes #4064 - Freshdesk import currently doesn't handle the ticket type field. 2022-04-25 10:55:32 +00:00			`expect(channel.options).to include(`
			`'inbound' => include(`
			`'options' => include(`
			`'auth_type' => 'XOAUTH2',`
			`'host' => 'outlook.office365.com',`
			`'ssl' => 'ssl',`
			`'user' => email_address,`
			`)`
			`),`
			`'outbound' => include(`
			`'options' => include(`
			`'authentication' => 'xoauth2',`
			`'host' => 'smtp.office365.com',`
			`'port' => 587,`
			`'user' => email_address,`
			`)`
			`),`
			`'auth' => include(`
			`'access_token' => access_token,`
			`'expires_in' => token_ttl,`
			`'refresh_token' => refresh_token,`
			`'scope' => scope_stub,`
			`'token_type' => 'Bearer',`
			`'id_token' => id_token,`
			`'created_at' => Time.zone.now,`
			`'type' => 'XOAUTH2',`
			`'client_id' => client_id,`
			`'client_secret' => client_secret,`
			`),`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`)`
			`end`
			`end`

			`context 'API errors' do`

			`before do`
			`stub_request(:post, token_url).to_return(status: response_status, body: response_payload&.to_json, headers: {})`

Maintenance: Activated rubocop Layout/SpaceInsideParens. 2021-07-16 13:38:01 +00:00			`create(:external_credential, name: provider, credentials: { client_id: client_id, client_secret: client_secret })`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`end`

			`shared_examples 'failed attempt' do`
			`it 'raises an exception' do`
			`expect do`
			`described_class.link_account(request_token, authorization_payload)`
			`end.to raise_error(RuntimeError, exception_message)`
			`end`
			`end`

			`context '404 invalid_client' do`
			`let(:response_status) { 404 }`
			`let(:response_payload) do`
			`{`
Maintenance: Updated rubocop(-* gems) to latest version (1.9.1). 2021-02-01 12:42:44 +00:00			`error: 'invalid_client',`
			`error_description: 'The OAuth client was not found.'`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`}`
			`end`
			`let(:exception_message) { 'Request failed! ERROR: invalid_client (The OAuth client was not found.)' }`

			`include_examples 'failed attempt'`
			`end`

			`context '500 Internal Server Error' do`
			`let(:response_status) { 500 }`
			`let(:response_payload) { nil }`
			`let(:exception_message) { 'Request failed! (code: 500)' }`

			`include_examples 'failed attempt'`
			`end`
			`end`
			`end`

			`describe '.refresh_token' do`
			`let!(:authorization_payload) do`
			`{`
			`code: authorization_code,`
			`scope: scope_payload,`
			`authuser: '4',`
			`hd: 'example.com',`
			`prompt: 'consent',`
			`controller: 'external_credentials',`
			`action: 'callback',`
			`provider: provider`
			`}`
			`end`
			`let!(:channel) do`
			`stub_request(:post, token_url).to_return(status: 200, body: token_response_payload.to_json, headers: {})`

Maintenance: Activated rubocop Layout/SpaceInsideParens. 2021-07-16 13:38:01 +00:00			`create(:external_credential, name: provider, credentials: { client_id: client_id, client_secret: client_secret })`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`channel = described_class.link_account(request_token, authorization_payload)`

			`# remove stubs and allow new stubbing for tested requests`
			`WebMock.reset!`

			`channel`
			`end`

			`before do`
			`# we check the TTL of tokens and therefore need freeze the time`
			`freeze_time`
			`end`

			`context 'success' do`

			`let!(:expired_at) { channel.options['auth']['created_at'] }`

			`before do`
			`stub_request(:post, token_url).to_return(status: 200, body: response_payload.to_json, headers: {})`
			`end`

			`context 'access_token still valid' do`
			`let(:response_payload) do`
			`{`
			`'access_token' => access_token,`
			`'expires_in' => token_ttl,`
			`'scope' => scope_stub,`
			`'token_type' => 'Bearer',`
			`'type' => 'XOAUTH2',`
			`}`
			`end`

			`it 'does not refresh' do`
			`expect do`
Maintenance: Fixed typo (refresh_xoaut2 -> refresh_xoauth2). 2020-11-20 10:47:11 +00:00			`channel.refresh_xoauth2!`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`end.not_to change { channel.options['auth']['created_at'] }`
			`end`
			`end`

			`context 'access_token expired' do`
			`let(:refreshed_access_token) { 'some_new_token' }`

			`let(:response_payload) do`
			`{`
			`'access_token' => refreshed_access_token,`
			`'expires_in' => token_ttl,`
			`'scope' => scope_stub,`
			`'token_type' => 'Bearer',`
			`'type' => 'XOAUTH2',`
			`}`
			`end`

			`before do`
			`travel 1.hour`
			`end`

			`it 'refreshes token' do`
			`expect do`
Maintenance: Fixed typo (refresh_xoaut2 -> refresh_xoauth2). 2020-11-20 10:47:11 +00:00			`channel.refresh_xoauth2!`
Fixes #4064 - Freshdesk import currently doesn't handle the ticket type field. 2022-04-25 10:55:32 +00:00			`end.to change { channel.options['auth'] }.to include(`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`'created_at' => Time.zone.now,`
			`'access_token' => refreshed_access_token,`
			`)`
			`end`
			`end`
			`end`

			`context 'API errors' do`

			`before do`
			`stub_request(:post, token_url).to_return(status: response_status, body: response_payload&.to_json, headers: {})`

			`# invalidate existing token`
			`travel 1.hour`
			`end`

			`shared_examples 'failed attempt' do`
			`it 'raises an exception' do`
			`expect do`
Maintenance: Fixed typo (refresh_xoaut2 -> refresh_xoauth2). 2020-11-20 10:47:11 +00:00			`channel.refresh_xoauth2!`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`end.to raise_error(RuntimeError, exception_message)`
			`end`
			`end`

			`context '400 invalid_client' do`
			`let(:response_status) { 400 }`
			`let(:response_payload) do`
			`{`
Maintenance: Updated rubocop(-* gems) to latest version (1.9.1). 2021-02-01 12:42:44 +00:00			`error: 'invalid_client',`
			`error_description: 'The OAuth client was not found.'`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`}`
			`end`
Maintenance: Rubocop enforces %r{} regular expression style 2021-05-12 11:37:44 +00:00			`let(:exception_message) { %r{The OAuth client was not found} }`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00
			`include_examples 'failed attempt'`
			`end`

			`context '500 Internal Server Error' do`
			`let(:response_status) { 500 }`
			`let(:response_payload) { nil }`
Maintenance: Rubocop enforces %r{} regular expression style 2021-05-12 11:37:44 +00:00			`let(:exception_message) { %r{code: 500} }`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00
			`include_examples 'failed attempt'`
			`end`
			`end`
			`end`

			`describe '.request_account_to_link' do`
			`it 'generates authorize_url from credentials' do`
Maintenance: Activated rubocop Layout/SpaceInsideParens. 2021-07-16 13:38:01 +00:00			`microsoft365 = create(:external_credential, name: provider, credentials: { client_id: client_id, client_secret: client_secret })`
Follow up - db3f553140ef506f8d31815ec08651187a3a6e4f - Fixes #3215 - Renamed Office365 to Microsoft365. 2020-10-27 14:05:10 +00:00			`request = described_class.request_account_to_link(microsoft365.credentials)`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00
			`expect(request[:authorize_url]).to eq(authorize_url)`
			`end`

			`context 'errors' do`

			`shared_examples 'failed attempt' do`
			`it 'raises an exception' do`
			`expect do`
			`described_class.request_account_to_link(credentials, app_required)`
			`end.to raise_error(Exceptions::UnprocessableEntity, exception_message)`
			`end`
			`end`

			`context 'missing credentials' do`
			`let(:credentials) { nil }`
			`let(:app_required) { true }`
Follow up - db3f553140ef506f8d31815ec08651187a3a6e4f - Fixes #3215 - Renamed Office365 to Microsoft365. 2020-10-27 14:05:10 +00:00			`let(:exception_message) { 'No Microsoft365 app configured!' }`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00
			`include_examples 'failed attempt'`
			`end`

			`context 'missing client_id' do`
			`let(:credentials) do`
			`{`
			`client_secret: client_secret`
			`}`
			`end`
			`let(:app_required) { false }`
			`let(:exception_message) { 'No client_id param!' }`

			`include_examples 'failed attempt'`
			`end`

			`context 'missing client_secret' do`
			`let(:credentials) do`
			`{`
			`client_id: client_id`
			`}`
			`end`
			`let(:app_required) { false }`
			`let(:exception_message) { 'No client_secret param!' }`

			`include_examples 'failed attempt'`
			`end`
			`end`
			`end`

			`describe '.generate_authorize_url' do`
			`it 'generates valid URL' do`
Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00			`url = described_class.generate_authorize_url(client_id: client_id)`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`expect(url).to eq(authorize_url)`
			`end`
Fixes #3515 - Allow single tenant only application in microsoft 2021-03-08 13:13:15 +00:00
			`it 'generates valid URL with tenant' do`
			`url = described_class.generate_authorize_url(client_id: client_id, client_tenant: 'tenant')`
			`expect(url).to eq(authorize_url_with_tenant)`
			`end`
Fixes #3215 - Outlook/Office365/Exchange Online MFA for IMAP & SMTP. 2020-10-02 12:46:19 +00:00			`end`

			`describe '.user_info' do`
			`it 'extracts user information from id_token' do`
			`info = described_class.user_info(id_token)`
			`expect(info[:email]).to eq(email_address)`
			`end`
			`end`
			`end`