adal 1.0.0

data/lib/adal/cached_token_response.rb

@@ -0,0 +1,190 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+module ADAL
+  # Proxy object for a token response with metadata.
+  class CachedTokenResponse
+    attr_reader :authority
+    attr_reader :client_id
+    attr_reader :token_response
+
+    ##
+    # Constructs a new CachedTokenResponse.
+    #
+    # @param ClientCredential|ClientAssertion|ClientAssertionCertificate
+    #   The credentials of the calling client application.
+    # @param Authority authority
+    #   The ADAL::Authority object that the response was retrieved from.
+    # @param SuccessResponse token_response
+    #   The token response to be cached.
+    def initialize(client, authority, token_response)
+      unless token_response.instance_of? SuccessResponse
+        fail ArgumentError, 'Only SuccessResponses can be cached.'
+      end
+      @authority = authority
+      if client.respond_to? :client_id
+        @client = client
+        @client_id = client.client_id
+      else
+        @client = ClientCredential.new(client)
+        @client_id = client
+      end
+      @token_response = token_response
+    end
+
+    ##
+    # Converts the fields in this object and its proxied SuccessResponse into
+    # a JSON string.
+    #
+    # @param JSON::Ext::Generator::State
+    #   We don't care about the state, but JSON::unparse requires this.
+    # @return String
+    def to_json(_ = nil)
+      JSON.unparse(authority: [authority.host, authority.tenant],
+                   client_id: client_id,
+                   token_response: token_response)
+    end
+
+    ##
+    # Reconstructs an object from JSON that was serialized with
+    # CachedTokenResponse#to_json.
+    #
+    # @param JSON raw_json
+    # @return CachedTokenResponse
+    def self.from_json(json)
+      json = JSON.parse(json) if json.instance_of? String
+      CachedTokenResponse.new(json['client_id'],
+                              Authority.new(*json['authority']),
+                              SuccessResponse.new(json['token_response']))
+    end
+
+    ##
+    # Determines if self can be used to refresh other.
+    #
+    # @param CachedTokenResponse other
+    # @return Boolean
+    def can_refresh?(other)
+      mrrt? && (authority == other.authority) &&
+        (user_info == other.user_info) && (client_id == other.client_id)
+    end
+
+    ##
+    # If the access token is within the expiration buffer of expiring, an
+    # attempt will be made to retrieve a new token with the refresh token.
+    #
+    # @param Fixnum expiration_buffer_sec
+    #   The number of seconds to use as leeway in determining if the token is
+    #   expired. A positive buffer will refresh the token early while a negative
+    #   buffer will refresh it late. Used to counter clock skew and network
+    #   latency.
+    # @return Boolean
+    #   True if the token is still valid (even if it was refreshed). False if
+    #   the token is expired an unable to be refreshed.
+    def validate(expiration_buffer_sec = 0)
+      return true if (Time.now + expiration_buffer_sec).to_i < expires_on
+      unless refresh_token
+        logger.verbose('Cached token is almost expired but no refresh token ' \
+                       'is available.')
+        return false
+      end
+      logger.verbose('Cached token is almost expired, attempting to refresh ' \
+                     ' with refresh token.')
+      refresh_response = refresh
+      if refresh_response.instance_of? SuccessResponse
+        logger.verbose('Successfully refreshed token in cache.')
+        @token_response = refresh_response
+        true
+      else
+        logger.warn('Failed to refresh token in cache with refresh token.')
+        false
+      end
+    end
+
+    ##
+    # Attempts to refresh the access token for a given resource. Note that you
+    # can call this method with a different resource even if the token is not
+    # an MRRT, but it will fail
+    #
+    # @param String resource
+    #   The resource that the new access token is beign requested for. Defaults
+    #   to using the same resource as the original token.
+    # @return TokenResponse
+    def refresh(new_resource = resource)
+      token_response = TokenRequest
+                       .new(authority, @client)
+                       .get_with_refresh_token(refresh_token, new_resource)
+      if token_response.instance_of? SuccessResponse
+        token_response.parse_id_token(id_token)
+      end
+      token_response
+    end
+
+    ##
+    # Changes the refresh token of the underlying token response.
+    #
+    # @param String token
+    def refresh_token=(token)
+      token_response.instance_variable_set(:@refresh_token, token)
+      logger.verbose("Updated the refresh token for #{token_response}.")
+    end
+
+    ##
+    # Is the token a Multi Resource Refresh Token?
+    #
+    # @return Boolean
+    def mrrt?
+      token_response.refresh_token && token_response.resource
+    end
+
+    ## Since the token cache may be implemented by the user of this library,
+    ## all means of checking equality must be consistent.
+
+    def ==(other)
+      [:authority, :client_id, :token_response].all? do |field|
+        (other.respond_to? field) && (send(field) == other.send(field))
+      end
+    end
+
+    def eql?(other)
+      self == other
+    end
+
+    def hash
+      [authority, client_id, token_response].hash
+    end
+
+    private
+
+    # CachedTokenResponse is just a proxy for TokenResponse.
+    def method_missing(method, *args, &block)
+      if token_response.respond_to?(method)
+        token_response.send(method, *args, &block)
+      else
+        super(method)
+      end
+    end
+
+    def respond_to_missing?(method, include_private = false)
+      token_response.respond_to?(method, include_private) || super
+    end
+  end
+end

data/lib/adal/client_assertion.rb

@@ -0,0 +1,63 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative './request_parameters'
+require_relative './token_request'
+require_relative './util'
+
+module ADAL
+  # A client credential that consists of the client id and a JWT bearer
+  # assertion. The type is 'urn:ietf:params:oauth:token-type:jwt'.
+  class ClientAssertion
+    include TokenRequest::GrantType
+    include RequestParameters
+    include Util
+
+    attr_reader :assertion
+    attr_reader :assertion_type
+    attr_reader :client_id
+
+    ##
+    # Creates a new ClientAssertion.
+    #
+    # @param [String] client_id
+    #   The client id of the calling application.
+    # @param [String] assertion
+    #   The JWT used as a credential.
+    def initialize(client_id, assertion, assertion_type = JWT_BEARER)
+      fail_if_arguments_nil(client_id, assertion, assertion_type)
+      @assertion = assertion
+      @assertion_type = assertion_type
+      @client_id = client_id
+    end
+
+    ##
+    # The relavent parameters from this credential for OAuth.
+    #
+    # @return Hash
+    def request_params
+      { CLIENT_ID => @client_id,
+        CLIENT_ASSERTION_TYPE => @assertion_type,
+        CLIENT_ASSERTION => @assertion }
+    end
+  end
+end

data/lib/adal/client_assertion_certificate.rb

@@ -0,0 +1,89 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require 'openssl'
+
+module ADAL
+  # An assertion made by a client with an X509 certificate. This requires both
+  # the public and private keys. Technically it only requires the thumbprint
+  # of the public key, however OpenSSL's object model does not include
+  # thumbprints.
+  class ClientAssertionCertificate
+    include RequestParameters
+
+    MIN_KEY_SIZE_BITS = 2014
+
+    attr_reader :certificate
+    attr_reader :client_id
+
+    ##
+    # Creates a new ClientAssertionCertificate.
+    #
+    # @param Authority authority
+    #   The authority object that will recognize this certificate.
+    # @param [String] client_id
+    #   The client id of the calling application.
+    # @param [OpenSSL::PKCS12] pkcs12_file
+    #   The PKCS12 file containing the certificate and private key.
+    def initialize(authority, client_id, pkcs12_file)
+      unless pkcs12_file.is_a? OpenSSL::PKCS12
+        fail ArgumentError, 'Only PKCS12 file format is supported.'
+      end
+      @authority = authority
+      @certificate = pkcs12_file.certificate
+      @client_id = client_id.to_s
+      @private_key = pkcs12_file.key
+      validate_certificate_and_key(@certificate, @private_key)
+    end
+
+    # The relevant parameters from this credential for OAuth.
+    def request_params
+      jwt_assertion = SelfSignedJwtFactory
+                      .new(@client_id, @authority.token_endpoint)
+                      .create_and_sign_jwt(@certificate, @private_key)
+      ClientAssertion.new(client_id, jwt_assertion).request_params
+    end
+
+    private
+
+    # @param [OpenSSL::X509::Certificate] certificate
+    # @return [Fixnum] The number of bits in the public key.
+    def public_key_size_bits(certificate)
+      certificate.public_key.n.num_bytes * 8
+    end
+
+    ##
+    # In general, Ruby code is very loose about types. However, since we are
+    # dealing with sensitive information here, we will be a little bit stricter
+    # on type safety.
+    def validate_certificate_and_key(certificate, private_key)
+      if !certificate.is_a? OpenSSL::X509::Certificate
+        fail ArgumentError, 'certificate must be an OpenSSL::X509::Certificate.'
+      elsif !private_key.is_a? OpenSSL::PKey::RSA
+        fail ArgumentError, 'private_key must be an OpenSSL::PKey::RSA.'
+      elsif public_key_size_bits(certificate) < MIN_KEY_SIZE_BITS
+        fail ArgumentError, 'certificate must contain a public key of at ' \
+          "least #{MIN_KEY_SIZE_BITS} bits."
+      end
+    end
+  end
+end

data/lib/adal/client_credential.rb

@@ -0,0 +1,46 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+require_relative './request_parameters'
+require_relative './util'
+
+module ADAL
+  # A wrapper object for a client id and secret.
+  class ClientCredential
+    include RequestParameters
+    include Util
+
+    attr_reader :client_id
+    attr_reader :client_secret
+
+    def initialize(client_id, client_secret = nil)
+      fail_if_arguments_nil(client_id)
+      @client_id = client_id
+      @client_secret = client_secret
+    end
+
+    # The relavent parameters from this credential for OAuth.
+    def request_params
+      { CLIENT_ID => @client_id, CLIENT_SECRET => @client_secret }
+    end
+  end
+end

data/lib/adal/core_ext.rb

@@ -0,0 +1,26 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+# All of the refinements used in ADAL. They are all in the namespace
+# ADAL::CoreExt and will only be applied to files that start with ADAL::CoreExt
+# before opening any module or class.
+require_relative './core_ext/hash'

data/lib/adal/core_ext/hash.rb

@@ -0,0 +1,34 @@
+#-------------------------------------------------------------------------------
+# Copyright (c) 2015 Micorosft Corporation
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+# THE SOFTWARE.
+#-------------------------------------------------------------------------------
+
+module ADAL
+  # Adds helper methods to Hash. These are standard in Rails and are
+  # commonplace in the Ruby community.
+  module CoreExt
+    # Same as #merge, but values in other_hash are prioritized over self.
+    refine Hash do
+      def reverse_merge(other_hash)
+        other_hash.merge(self)
+      end
+    end
+  end
+end