🐛 Fixed issues in option parsing by implementing Command#parse_options

 - Use Shellwords for proper tokenization
 - Verified options file loading and CLI flag precedence
 - Added specs for oauth.opts usage
 - Added specs for all commands

Author: pboling

.rubocop_gradual.lock

@@ -2,44 +2,18 @@
   "lib/oauth/tty/cli.rb:904168046": [
     [6, 7, 77, "Style/ClassMethodsDefinitions: Use `class << self` to define a class method.", 2883780555]
   ],
-  "lib/oauth/tty/command.rb:3092098200": [
-    [126, 23, 4, "Security/Open: The use of `Kernel#open` is a serious security risk.", 2087926481]
+  "lib/oauth/tty/command.rb:587864942": [
+    [146, 23, 4, "Security/Open: The use of `Kernel#open` is a serious security risk.", 2087926481]
   ],
-  "oauth-tty.gemspec:3319279878": [
+  "oauth-tty.gemspec:2020207654": [
     [129, 3, 40, "Gemspec/DependencyVersion: Dependency version specification is required.", 2300588954],
     [131, 3, 44, "Gemspec/DependencyVersion: Dependency version specification is required.", 1905290578],
     [132, 3, 46, "Gemspec/DependencyVersion: Dependency version specification is required.", 4289565910]
   ],
   "spec/oauth/backwards_compatibility_spec.rb:4041711732": [
     [3, 16, 25, "RSpec/DescribeClass: The first argument to describe should be the class or module being tested.", 3956042931]
   ],
-  "spec/oauth/tty/authorize_command_spec.rb:3270431476": [
-    [3, 1, 53, "RSpec/SpecFilePathFormat: Spec path should end with `o_auth/tty/commands/authorize_command*_spec.rb`.", 2667806271],
-    [14, 34, 17, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 285748316],
-    [15, 39, 21, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 3390344648],
-    [16, 38, 20, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 1228090493],
-    [19, 7, 64, "RSpec/ReceiveMessages: Use `receive_messages` instead of multiple stubs on lines [20].", 1559313276],
-    [20, 7, 69, "RSpec/ReceiveMessages: Use `receive_messages` instead of multiple stubs on lines [19].", 3030878101],
-    [22, 7, 23, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 4174421602],
-    [23, 7, 16, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 3492346277],
-    [25, 7, 21, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 2407753262],
-    [26, 7, 21, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 2407753262],
-    [32, 7, 21, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 2407753262],
-    [52, 34, 17, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 285748316],
-    [54, 7, 23, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 4174421602],
-    [55, 7, 44, "RSpec/LeakyConstantDeclaration: Stub constant instead of declaring explicitly.", 2395720961],
-    [57, 7, 16, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 3492346277],
-    [68, 34, 17, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 285748316],
-    [69, 39, 21, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 3390344648],
-    [70, 7, 23, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 4174421602],
-    [71, 7, 16, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 3492346277],
-    [73, 7, 45, "RSpec/LeakyConstantDeclaration: Stub constant instead of declaring explicitly.", 1997245299],
-    [75, 7, 21, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 2407753262],
-    [76, 7, 21, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 2407753262],
-    [77, 7, 21, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 2407753262]
-  ],
   "spec/oauth/tty/cli_spec.rb:361981118": [
-    [3, 1, 30, "RSpec/SpecFilePathFormat: Spec path should end with `o_auth/tty/cli*_spec.rb`.", 2849860169],
     [109, 34, 17, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 285748316],
     [110, 38, 20, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 1228090493],
     [111, 34, 10, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 4294324198],
@@ -65,25 +39,40 @@
     [212, 7, 21, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 2407753262],
     [213, 7, 21, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 2407753262]
   ],
-  "spec/oauth/tty/command_spec.rb:513689811": [
-    [3, 1, 34, "RSpec/SpecFilePathFormat: Spec path should end with `o_auth/tty/command*_spec.rb`.", 667110152],
+  "spec/oauth/tty/command_spec.rb:2516268945": [
     [9, 3, 275, "RSpec/LeakyConstantDeclaration: Stub class constant instead of declaring explicitly.", 2810654211]
   ],
-  "spec/oauth/tty/sign_command_spec.rb:622094174": [
-    [3, 1, 48, "RSpec/SpecFilePathFormat: Spec path should end with `o_auth/tty/commands/sign_command*_spec.rb`.", 3251857167],
-    [21, 7, 27, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 340848961],
-    [69, 34, 17, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 285748316],
-    [70, 35, 21, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 3390344648],
-    [71, 7, 23, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 4174421602],
-    [72, 7, 16, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 3492346277],
-    [73, 7, 67, "RSpec/ReceiveMessages: Use `receive_messages` instead of multiple stubs on lines [74, 75].", 42619244],
-    [74, 7, 87, "RSpec/ReceiveMessages: Use `receive_messages` instead of multiple stubs on lines [73, 75].", 1827647110],
-    [75, 7, 89, "RSpec/ReceiveMessages: Use `receive_messages` instead of multiple stubs on lines [73, 74].", 1585010367],
-    [75, 81, 13, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 4026407386],
-    [77, 7, 27, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 340848961]
+  "spec/oauth/tty/commands/authorize_command_spec.rb:3270431476": [
+    [14, 34, 17, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 285748316],
+    [15, 39, 21, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 3390344648],
+    [16, 38, 20, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 1228090493],
+    [19, 7, 64, "RSpec/ReceiveMessages: Use `receive_messages` instead of multiple stubs on lines [20].", 1559313276],
+    [20, 7, 69, "RSpec/ReceiveMessages: Use `receive_messages` instead of multiple stubs on lines [19].", 3030878101],
+    [22, 7, 23, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 4174421602],
+    [23, 7, 16, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 3492346277],
+    [25, 7, 21, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 2407753262],
+    [26, 7, 21, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 2407753262],
+    [32, 7, 21, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 2407753262],
+    [52, 34, 17, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 285748316],
+    [54, 7, 23, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 4174421602],
+    [55, 7, 44, "RSpec/LeakyConstantDeclaration: Stub constant instead of declaring explicitly.", 2395720961],
+    [57, 7, 16, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 3492346277],
+    [68, 34, 17, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 285748316],
+    [69, 39, 21, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 3390344648],
+    [70, 7, 23, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 4174421602],
+    [71, 7, 16, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 3492346277],
+    [73, 7, 45, "RSpec/LeakyConstantDeclaration: Stub constant instead of declaring explicitly.", 1997245299],
+    [75, 7, 21, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 2407753262],
+    [76, 7, 21, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 2407753262],
+    [77, 7, 21, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 2407753262]
+  ],
+  "spec/oauth/tty/commands/query_command_spec.rb:1247725853": [
+    [20, 32, 17, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 285748316],
+    [23, 36, 20, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 1228090493],
+    [26, 37, 19, "RSpec/VerifiedDoubleReference: Use a constant class reference for verified doubles. String references are not verifying unless the class is loaded.", 511534081],
+    [55, 5, 20, "RSpec/StubbedMock: Prefer `allow` over `expect` when configuring a response.", 4235470523]
   ],
   "spec/oauth/tty_spec.rb:1891755344": [
-    [3, 1, 25, "RSpec/EmptyExampleGroup: Empty example group detected.", 208109039],
-    [3, 1, 25, "RSpec/SpecFilePathFormat: Spec path should end with `o_auth/tty*_spec.rb`.", 208109039]
+    [3, 1, 25, "RSpec/EmptyExampleGroup: Empty example group detected.", 208109039]
   ]
 }

.rubocop_rspec.yml

@@ -18,7 +18,7 @@ RSpec/InstanceVariable:
 
 RSpec/NestedGroups:
   Enabled: false
-  
+
 RSpec/ExpectInHook:
   Enabled: false
 
@@ -28,3 +28,7 @@ RSpec/DescribeClass:
 
 RSpec/MultipleMemoizedHelpers:
   Enabled: false
+
+RSpec/SpecFilePathFormat:
+  CustomTransform:
+    "OAuth": "oauth"

CHANGELOG.md

@@ -27,6 +27,8 @@ Please file a bug if you notice a violation of semantic versioning.
 - (test) many new tests (@pboling)
 - (docs) CITATION.cff
 - support window increased, down to Ruby 2.3 (@pboling)
+- (test) added specs for oauth.opts usage (@pboling)
+- (test) added specs for all commands (@pboling)
 
 ### Changed
 
@@ -42,6 +44,10 @@ Please file a bug if you notice a violation of semantic versioning.
 
 ### Fixed
 
+- Fixed issues in option parsing by implementing Command#parse_options (@pboling)
+  - Use Shellwords for proper tokenization
+  - Verified options file loading and CLI flag precedence
+
 ### Security
 
 ## [1.0.5] - 2022-09-20

README.md

@@ -21,7 +21,21 @@
 
 ## 🌻 Synopsis
 
+OAuth 1.0a is an industry-standard protocol for authorization.
+It is an update to the original OAuth 1.0 protocol, and is used by many popular services.
 
+This is a RubyGem for implementing OAuth 1.0 or 1.0a _clients_ and _servers_ in Ruby applications.
+See the sibling `oauth2` gem for OAuth 2.0, 2.1, & OIDC clients in Ruby.
+
+All dependencies of this gem are signed, so it can be installed with a `HighSecurity` profile.
+
+* [OAuth 1.0 Spec][oauth1-spec]
+* [oauth gem][sibling-gem] for OAuth 1.0 / 1.0a client and server implementations in Ruby.
+* [oauth2 sibling gem][sibling2-gem] for OAuth 2.0 / 2.1, & OIDC client implementations in Ruby.
+
+[oauth1-spec]: http://oauth.net/core/1.0/
+[sibling-gem]: https://gitlab.com/ruby-oauth/oauth
+[sibling2-gem]: https://gitlab.com/ruby-oauth/oauth2
 
 ## 💡 Info you can shake a stick at
 
@@ -138,12 +152,141 @@ NOTE: Be prepared to track down certs for signed gems and add them the same way
 
 ## ⚙️ Configuration
 
+The oauth-tty gem is a thin CLI over the oauth gem. You supply your consumer credentials, token credentials (when applicable), a target URI, and optional parameters, and the tool signs requests or helps you complete an OAuth 1.0/1.0a 3-legged flow.
+
+What you can configure
+- Locations for OAuth parameters:
+  - --header (default): send OAuth params in Authorization header
+  - --body: send OAuth params in the request body
+  - --query-string: send OAuth params on the query string
+- HTTP method: --method GET|POST|PUT|DELETE|… (default: POST)
+- Signature method: --signature-method HMAC-SHA1|RSA-SHA1|PLAINTEXT (default: HMAC-SHA1)
+- OAuth version: --version 1.0 (default: 1.0) or --no-version to omit
+- Nonce/timestamp: auto-generated by default; can be overridden via --nonce and --timestamp
+- Verbose output: --verbose prints the full signing breakdown, headers, and signature base string
+- XMPP mode: --xmpp emits OAuth as an XMPP stanza instead of HTTP artifacts
+
+Required inputs (by command)
+- sign, query: --consumer-key, --consumer-secret, --token, --secret, and --uri
+- authorize: --consumer-key, --consumer-secret, the OAuth endpoints below, and --uri (service resource you’re authorizing for)
+
+Authorization endpoints (for oauth authorize)
+- --request-token-url URL
+- --authorize-url URL
+- --access-token-url URL
+- Optional: --callback-url URL (for 1.0a), --scope SCOPE (provider-specific)
+
+Providing options
+- CLI flags (preferred for quick usage)
+- Options file: use -O or --options to read additional arguments from a file. The file is tokenized by whitespace; put the same flags you’d pass on the command line, spread across lines as needed.
+
+Example options file (oauth.opts)
+```text
+--consumer-key ck_123
+--consumer-secret cs_456
+--token at_789
+--secret ats_abc
+--method GET
+--uri https://api.example.com/v1/profile
+--parameters foo:bar
+--parameters "status=active"
+--header
+```
+Run with: oauth sign -O oauth.opts
 
+Defaults at a glance
+- scheme: header
+- method: POST
+- signature method: HMAC-SHA1
+- oauth_version: 1.0 (omit with --no-version)
+- nonce, timestamp: auto-generated each run
+
+Tips
+- For parameters you can use either key:value or already-escaped pairs like key=value. Repeat --parameters to add multiple pairs.
+- When using --body, only methods that support bodies should be used (e.g., POST/PUT/PATCH).
+- Some providers require exact parameter ordering and inclusion; use --verbose to see normalized parameters and the signature base string.
 
 ## 🔧 Basic Usage
 
 In a shell run `oauth` to start the console.
 
+Quick help and version
+```console
+oauth --help
+oauth --version  # or oauth -v
+```
+
+Sign a request (minimal)
+Print just the OAuth signature value for a GET request:
+```console
+oauth sign \
+  --consumer-key ck \
+  --consumer-secret cs \
+  --token at \
+  --secret ats \
+  --method GET \
+  --uri "https://api.example.com/v1/resource?limit=10"
+```
+
+Sign a request (verbose, header output)
+```console
+oauth sign \
+  --consumer-key ck \
+  --consumer-secret cs \
+  --token at \
+  --secret ats \
+  --method POST \
+  --uri https://api.example.com/v1/resource \
+  --parameters "status=active" \
+  --header \
+  --verbose
+```
+This prints OAuth parameters, normalized parameters, signature base string, Authorization header, and both raw and escaped signatures.
+
+Query a protected resource
+Performs the signed HTTP request and prints the HTTP status and body.
+```console
+oauth query \
+  --consumer-key ck \
+  --consumer-secret cs \
+  --token at \
+  --secret ats \
+  --method GET \
+  --uri https://api.example.com/v1/profile \
+  --parameters "fields=id,name"
+```
+Notes:
+- The CLI will append any --parameters to the request URI’s query string and sign the request.
+- Use --body or --header/--query-string to influence where OAuth params go; query also constructs OAuth via the consumer internally.
+
+Start an OAuth 1.0a authorization flow
+Guides you to obtain an access token and token secret from a provider.
+```console
+oauth authorize \
+  --consumer-key ck \
+  --consumer-secret cs \
+  --request-token-url https://provider.example.com/oauth/request_token \
+  --authorize-url     https://provider.example.com/oauth/authorize \
+  --access-token-url  https://provider.example.com/oauth/access_token \
+  --callback-url https://yourapp.example.com/oauth/callback
+```
+What happens:
+- You’ll be shown an authorization URL to open in a browser.
+- After approving, the provider shows a verifier (PIN). Paste it back into the prompt.
+- The tool prints the access token and secret under “Response:”. Save those and use them with sign/query.
+
+Using an options file
+```console
+oauth sign -O oauth.opts
+```
+You can still add/override flags after -O; later flags win.
+
+For more examples
+- Run any command without args to see its specific help.
+- Browse the specs under spec/oauth/tty for additional scenarios and edge cases.
+
+In a shell run `oauth` to start the console.
+
 For now, please see the tests for other usage.
 
 ## 🦷 FLOSS Funding

lib/oauth/tty/command.rb

@@ -88,6 +88,25 @@ def option_parser
         end
       end
 
+      # Parse an array of CLI-like arguments into an options hash without mutating current state
+      # This is used by the -O/--options FILE feature to load args from a file and merge them
+      def parse_options(arguments)
+        original_options = @options
+        begin
+          temp_options = {}
+          @options = temp_options
+          _option_parser_defaults
+          OptionParser.new do |opts|
+            _option_parser_common(opts)
+            _option_parser_sign_and_query(opts)
+            _option_parser_authorization(opts)
+          end.parse!(arguments)
+          temp_options
+        ensure
+          @options = original_options
+        end
+      end
+
       def _option_parser_defaults
         options[:oauth_nonce] = OAuth::Helper.generate_key
         options[:oauth_signature_method] = "HMAC-SHA1"
@@ -123,7 +142,8 @@ def _option_parser_common(opts)
         end
 
         opts.on("-O", "--options FILE", "Read options from a file") do |v|
-          arguments = open(v).readlines.map { |l| l.chomp.split }.flatten
+          require "shellwords"
+          arguments = open(v).readlines.flat_map { |l| Shellwords.shellsplit(l.chomp) }
           options2 = parse_options(arguments)
           options.merge!(options2)
         end

spec/oauth/tty/command_spec.rb

@@ -186,4 +186,9 @@ def build_cmd(args = [])
       expect(stderr.read).to eq("err!\n")
     end
   end
+
+  it "has no required options by default" do
+    command = described_class.new(stdout, stdin, stderr, [])
+    expect(command.required_options).to eq([])
+  end
 end