aspera-cli 4.5.0 → 4.8.0

data/lib/aspera/oauth.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'aspera/open_application'
 require 'aspera/web_auth'
 require 'aspera/id_generator'
@@ -11,203 +13,278 @@ module Aspera
   # call get_authorization() to get a token.
   # bearer tokens are kept in memory and also in a file cache for later re-use
   # if a token is expired (api returns 4xx), call again get_authorization({refresh: true})
+  # https://tools.ietf.org/html/rfc6749
   class Oauth
-    # used for code exchange
-    DEFAULT_PATH_AUTHORIZE='authorize'
-    # to generate token
-    DEFAULT_PATH_TOKEN='token'
-    # field with token in result
-    DEFAULT_TOKEN_FIELD='access_token'
-    private
+    DEFAULT_CREATE_PARAMS = {
+      path_token:  'token', # default endpoint for /token to generate token
+      token_field: 'access_token', # field with token in result of call to path_token
+      web:         {path_authorize: 'authorize'} # default endpoint for /authorize, used for code exchange
+    }.freeze
+
+    # OAuth methods supported by default
+    STD_AUTH_TYPES = %i[web jwt].freeze
+
     # remove 5 minutes to account for time offset (TODO: configurable?)
-    JWT_NOTBEFORE_OFFSET_SEC=300
+    JWT_NOTBEFORE_OFFSET_SEC = 300
     # one hour validity (TODO: configurable?)
-    JWT_EXPIRY_OFFSET_SEC=3600
+    JWT_EXPIRY_OFFSET_SEC = 3600
     # tokens older than 30 minutes will be discarded from cache
-    TOKEN_CACHE_EXPIRY_SEC=1800
-    # a prefix for persistency of tokens (garbage collect)
-    PERSIST_CATEGORY_TOKEN='token'
-    ONE_HOUR_AS_DAY_FRACTION=Rational(1,24)
+    TOKEN_CACHE_EXPIRY_SEC = 1800
+    # tokens valid for less than this duration will be regenerated
+    TOKEN_EXPIRATION_GUARD_SEC = 120
+    # a prefix for persistency of tokens (simplify garbage collect)
+    PERSIST_CATEGORY_TOKEN = 'token'
 
-    private_constant :JWT_NOTBEFORE_OFFSET_SEC,:JWT_EXPIRY_OFFSET_SEC,:PERSIST_CATEGORY_TOKEN,:TOKEN_CACHE_EXPIRY_SEC,:ONE_HOUR_AS_DAY_FRACTION
-    class << self
-      # OAuth methods supported
-      def auth_types
-        [ :body_userpass, :header_userpass, :web, :jwt, :url_token, :ibm_apikey ]
-      end
+    private_constant :JWT_NOTBEFORE_OFFSET_SEC,:JWT_EXPIRY_OFFSET_SEC,:TOKEN_CACHE_EXPIRY_SEC,:PERSIST_CATEGORY_TOKEN,:TOKEN_EXPIRATION_GUARD_SEC
 
+    # persistency manager
+    @persist = nil
+    # token creation methods
+    @create_handlers = {}
+    # token unique identifiers from oauth parameters
+    @id_handlers = {}
+
+    class << self
       def persist_mgr=(manager)
-        @persist=manager
+        @persist = manager
+        # cleanup expired tokens
+        @persist.garbage_collect(PERSIST_CATEGORY_TOKEN,TOKEN_CACHE_EXPIRY_SEC)
       end
 
       def persist_mgr
         if @persist.nil?
-          Log.log.warn('Not using persistency (use Aspera::Oauth.persist_mgr=Aspera::PersistencyFolder.new)')
+          Log.log.debug('Not using persistency') # (use Aspera::Oauth.persist_mgr=Aspera::PersistencyFolder.new)
           # create NULL persistency class
-          @persist=Class.new do
-            def get(x);nil;end;def delete(x);nil;end;def put(x,y);nil;end;def garbage_collect(x,y);nil;end
+          @persist = Class.new do
+            def get(_x);nil;end;def delete(_x);nil;end;def put(_x,_y);nil;end;def garbage_collect(_x,_y);nil;end
           end.new
         end
         return @persist
       end
 
+      # delete all existing tokens
       def flush_tokens
         persist_mgr.garbage_collect(PERSIST_CATEGORY_TOKEN,nil)
       end
 
+      # register a bearer token decoder, mainly to inspect expiry date
       def register_decoder(method)
-        @decoders||=[]
+        @decoders ||= []
         @decoders.push(method)
       end
 
+      # decode token using all registered decoders
       def decode_token(token)
-        Log.log.debug(">>>> #{token} : #{@decoders.length}")
         @decoders.each do |decoder|
-          result=decoder.call(token) rescue nil
+          result = decoder.call(token) rescue nil
           return result unless result.nil?
         end
         return nil
       end
-    end
 
-    # seems to be quite standard token encoding (RFC?)
-    self.register_decoder lambda { |token| parts=token.split('.'); raise "not aoc token" unless parts.length.eql?(3); JSON.parse(Base64.decode64(parts[1]))}
+      # register a token creation method
+      # @param id creation type from field :crtype in constructor
+      # @param lambda_create called to create token
+      # @param id_create called to generate unique id for token, for cache
+      def register_token_creator(id, lambda_create, id_create)
+        raise 'ERROR: requites Symbol and 2 lambdas' unless id.is_a?(Symbol) && lambda_create.is_a?(Proc) && id_create.is_a?(Proc)
+        @create_handlers[id] = lambda_create
+        @id_handlers[id] = id_create
+      end
 
-    # for supported parameters, look in the code for @params
-    # parameters are provided all with oauth_ prefix :
-    # :base_url
-    # :client_id
-    # :client_secret
-    # :redirect_uri
-    # :jwt_audience
-    # :jwt_private_key_obj
-    # :jwt_subject
-    # :path_authorize (default: DEFAULT_PATH_AUTHORIZE)
-    # :path_token (default: DEFAULT_PATH_TOKEN)
-    # :scope (optional)
-    # :grant (one of returned by self.auth_types)
-    # :url_token
-    # :user_name
-    # :user_pass
-    # :token_type
-    def initialize(auth_params)
-      Log.log.debug("auth=#{auth_params}")
-      @params=auth_params.clone
-      # default values
-      # name of field to take as token from result of call to /token
-      @params[:token_field]||=DEFAULT_TOKEN_FIELD
-      # default endpoint for /token
-      @params[:path_token]||=DEFAULT_PATH_TOKEN
-      # default endpoint for /authorize
-      @params[:path_authorize]||=DEFAULT_PATH_AUTHORIZE
-      rest_params={base_url: @params[:base_url]}
-      if @params.has_key?(:client_id)
-        rest_params.merge!({auth: {
-          type:     :basic,
-          username: @params[:client_id],
-          password: @params[:client_secret]
-          }})
+      # @return one of the registered creators for the given create type
+      def token_creator(id)
+        raise "token creator type unknown: #{id}/#{id.class}" unless @create_handlers.has_key?(id)
+        @create_handlers[id]
       end
-      @token_auth_api=Rest.new(rest_params)
-      if @params.has_key?(:redirect_uri)
-        uri=URI.parse(@params[:redirect_uri])
-        raise "redirect_uri scheme must be http" unless uri.scheme.start_with?('http')
-        raise "redirect_uri must have a port" if uri.port.nil?
-        # we could check that host is localhost or local address
+
+      # list of identifiers foundn in creation parameters that can be used to uniquely identify the token
+      def id_creator(id)
+        raise "id creator type unknown: #{id}/#{id.class}" unless @id_handlers.has_key?(id)
+        @id_handlers[id]
       end
-      # cleanup expired tokens
-      self.class.persist_mgr.garbage_collect(PERSIST_CATEGORY_TOKEN,TOKEN_CACHE_EXPIRY_SEC)
-    end
+    end # self
 
-    # open the login page, wait for code and check_code, then return code
-    def goto_page_and_get_code(login_page_url,check_code)
+    # JSON Web Signature (JWS) compact serialization: https://datatracker.ietf.org/doc/html/rfc7515
+    register_decoder lambda { |token| parts = token.split('.'); raise 'not aoc token' unless parts.length.eql?(3); JSON.parse(Base64.decode64(parts[1]))}
+
+    # generic token creation, parameters are provided in :generic
+    register_token_creator :generic,lambda { |oauth|
+      return oauth.create_token(oauth.sparams)
+    },lambda { |oauth|
+      return [
+        oauth.sparams[:grant_type]&.split(':')&.last,
+        oauth.sparams[:apikey],
+        oauth.sparams[:response_type]
+      ]
+    }
+
+    # Authentication using Web browser
+    register_token_creator :web,lambda { |oauth|
+      verification_code = SecureRandom.uuid # used to check later
+      login_page_url = Rest.build_uri("#{oauth.api[:base_url]}/#{oauth.sparams[:path_authorize]}",
+        oauth.optional_scope_client_id.merge(response_type: 'code', redirect_uri: oauth.sparams[:redirect_uri], state: verification_code))
+      # here, we need a human to authorize on a web page
       Log.log.info("login_page_url=#{login_page_url}".bg_red.gray)
       # start a web server to receive request code
-      webserver=WebAuth.new(@params[:redirect_uri])
+      webserver = WebAuth.new(oauth.sparams[:redirect_uri])
       # start browser on login page
       OpenApplication.instance.uri(login_page_url)
       # wait for code in request
-      request_params=webserver.get_request
-      Log.log.error("state does not match") if !check_code.eql?(request_params['state'])
-      code=request_params['code']
-      return code
-    end
+      received_params = webserver.received_request
+      raise 'state does not match' unless verification_code.eql?(received_params['state'])
+      # exchange code for token
+      return oauth.create_token(oauth.optional_scope_client_id(add_secret: true).merge(
+        grant_type:   'authorization_code',
+        code:         received_params['code'],
+        redirect_uri: oauth.sparams[:redirect_uri]))
+    },lambda { |_oauth|
+      return []
+    }
 
-    def create_token(rest_params)
-      return @token_auth_api.call({
-        operation: 'POST',
-        subpath:   @params[:path_token],
-        headers:   {'Accept'=>'application/json'}}.merge(rest_params))
-    end
+    # Authentication using private key
+    register_token_creator :jwt,lambda { |oauth|
+      # https://tools.ietf.org/html/rfc7523
+      # https://tools.ietf.org/html/rfc7519
+      require 'jwt'
+      seconds_since_epoch = Time.new.to_i
+      Log.log.info("seconds=#{seconds_since_epoch}")
+      raise 'missing JWT payload' unless oauth.sparams[:payload].is_a?(Hash)
+      jwt_payload = {
+        exp: seconds_since_epoch + JWT_EXPIRY_OFFSET_SEC, # expiration time
+        nbf: seconds_since_epoch - JWT_NOTBEFORE_OFFSET_SEC, # not before
+        iat: seconds_since_epoch, # issued at
+        jti: SecureRandom.uuid # JWT id
+      }.merge(oauth.sparams[:payload])
+      Log.log.debug("JWT jwt_payload=[#{jwt_payload}]")
+      rsa_private = oauth.sparams[:private_key_obj] # type: OpenSSL::PKey::RSA
+      Log.log.debug("private=[#{rsa_private}]")
+      assertion = JWT.encode(jwt_payload, rsa_private, 'RS256', oauth.sparams[:headers] || {})
+      Log.log.debug("assertion=[#{assertion}]")
+      return oauth.create_token(oauth.optional_scope_client_id.merge(grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer', assertion: assertion))
+    },lambda { |oauth|
+      return [oauth.sparams.dig(:payload,:sub)]
+    }
+
+    attr_reader :gparams, :sparams, :api
+
+    private
 
-    # @return unique identifier of token
-    def token_cache_id(api_scope)
-      oauth_uri=URI.parse(@params[:base_url])
-      parts=[PERSIST_CATEGORY_TOKEN,api_scope,oauth_uri.host,oauth_uri.path]
-      # add some of the parameters that uniquely define the token
-      [:grant,:jwt_subject,:user_name,:url_token,:api_key].inject(parts){|p,i|p.push(@params[i])}
-      return IdGenerator.from_list(parts)
+    # [M]=mandatory [D]=has default value [0]=accept nil
+    # :base_url            [M]  URL of authentication API
+    # :auth
+    # :crtype              [M]  :generic, :web, :jwt, custom
+    # :client_id           [0]
+    # :client_secret       [0]
+    # :scope               [0]
+    # :path_token          [D]  API end point to create a token
+    # :token_field         [D]  field in result that contains the token
+    # :jwt:private_key_obj [M] for type :jwt
+    # :jwt:payload         [M] for type :jwt
+    # :jwt:headers         [0] for type :jwt
+    # :web:redirect_uri    [M] for type :web
+    # :web:path_authorize  [D] for type :web
+    # :generic             [M] for type :generic
+    def initialize(a_params)
+      Log.log.debug("auth=#{a_params}")
+      # replace default values
+      @gparams = DEFAULT_CREATE_PARAMS.deep_merge(a_params)
+      # check that type is known
+      self.class.token_creator(@gparams[:crtype])
+      # specific parameters for the creation type
+      @sparams=@gparams[@gparams[:crtype]]
+      if @gparams[:crtype].eql?(:web) && @sparams.has_key?(:redirect_uri)
+        uri = URI.parse(@sparams[:redirect_uri])
+        raise 'redirect_uri scheme must be http or https' unless %w[http https].include?(uri.scheme)
+        raise 'redirect_uri must have a port' if uri.port.nil?
+        # TODO: we could check that host is localhost or local address
+      end
+      rest_params = {
+        base_url:     @gparams[:base_url],
+        redirect_max: 2
+      }
+      rest_params[:auth] = a_params[:auth] if a_params.has_key?(:auth)
+      @api = Rest.new(rest_params)
+      # if needed use from api
+      @gparams.delete(:base_url)
+      @gparams.delete(:auth)
+      @gparams.delete(@gparams[:crtype])
+      Log.dump(:gparams,@gparams)
+      Log.dump(:sparams,@sparams)
     end
 
     public
 
-    # used to change parameter, such as scope
-    attr_reader :params
+    # helper method to create token as per RFC
+    def create_token(www_params)
+      return @api.call({
+        operation:       'POST',
+        subpath:         @gparams[:path_token],
+        headers:         {'Accept' => 'application/json'},
+        www_body_params: www_params})
+    end
 
-    # @param options : :scope and :refresh
-    def get_authorization(options={})
-      # api scope can be overriden to get auth for other scope
-      api_scope=options[:scope] || @params[:scope]
-      # as it is optional in many place: create struct
-      p_scope={}
-      p_scope[:scope] = api_scope unless api_scope.nil?
-      p_client_id_and_scope=p_scope.clone
-      p_client_id_and_scope[:client_id] = @params[:client_id] if @params.has_key?(:client_id)
-      use_refresh_token=options[:refresh]
+    # @return Hash with optional general parameters
+    def optional_scope_client_id(add_secret: false)
+      call_params={}
+      call_params[:scope] = @gparams[:scope] unless @gparams[:scope].nil?
+      call_params[:client_id] = @gparams[:client_id] unless @gparams[:client_id].nil?
+      call_params[:client_secret] = @gparams[:client_secret] if add_secret && !@gparams[:client_id].nil?
+      return call_params
+    end
 
-      # generate token identifier to use with cache
-      token_id=token_cache_id(api_scope)
+    # Oauth v2 token generation
+    # @param use_refresh_token set to true to force refresh or re-generation (if previous failed)
+    def get_authorization(use_refresh_token: false, use_cache: true)
+      # generate token unique identifier for persistency (memory/disk cache)
+      token_id = IdGenerator.from_list([
+        PERSIST_CATEGORY_TOKEN,
+        @api.params[:base_url],
+        @gparams[:crtype],
+        self.class.id_creator(@gparams[:crtype]).call(self), # array, so we flatten later
+        @gparams[:scope],
+        @api.params.dig(%i[auth username])
+      ].flatten)
 
       # get token_data from cache (or nil), token_data is what is returned by /token
-      token_data=self.class.persist_mgr.get(token_id)
-      token_data=JSON.parse(token_data) unless token_data.nil?
-      # Optional optimization: check if node token is expired, then force refresh
-      # in case the transfer agent cannot refresh himself
-      # else, anyway, faspmanager is equipped with refresh code
-      if !token_data.nil?
-        # TODO: use @params[:token_field] ?
-        decoded_node_token = self.class.decode_token(token_data['access_token'])
-        Log.dump('decoded_node_token',decoded_node_token) unless decoded_node_token.nil?
-        if decoded_node_token.is_a?(Hash) and decoded_node_token['expires_at'].is_a?(String)
-          expires_at=DateTime.parse(decoded_node_token['expires_at'])
-          # Time.at(decoded_node_token['exp'])
-          # does it seem expired, with one hour of security
-          use_refresh_token=true if DateTime.now > (expires_at-ONE_HOUR_AS_DAY_FRACTION)
+      token_data = self.class.persist_mgr.get(token_id) if use_cache
+      token_data = JSON.parse(token_data) unless token_data.nil?
+      # Optional optimization: check if node token is expired  basd on decoded content then force refresh if close enough
+      # might help in case the transfer agent cannot refresh himself
+      # `direct` agent is equipped with refresh code
+      if !use_refresh_token && !token_data.nil?
+        decoded_token = self.class.decode_token(token_data[@gparams[:token_field]])
+        Log.dump('decoded_token',decoded_token) unless decoded_token.nil?
+        if decoded_token.is_a?(Hash)
+          expires_at_sec =
+            if    decoded_token['expires_at'].is_a?(String) then DateTime.parse(decoded_token['expires_at']).to_time
+            elsif decoded_token['exp'].is_a?(Integer)       then Time.at(decoded_token['exp'])
+            end
+          # force refresh if we see a token too close from expiration
+          use_refresh_token = true if expires_at_sec.is_a?(Time) && (expires_at_sec - Time.now) < TOKEN_EXPIRATION_GUARD_SEC
+          Log.log.debug("Expiration: #{expires_at_sec} / #{use_refresh_token}")
         end
       end
 
       # an API was already called, but failed, we need to regenerate or refresh
       if use_refresh_token
-        if token_data.is_a?(Hash) and token_data.has_key?('refresh_token')
+        if token_data.is_a?(Hash) && token_data.has_key?('refresh_token')
           # save possible refresh token, before deleting the cache
-          refresh_token=token_data['refresh_token']
+          refresh_token = token_data['refresh_token']
         end
-        # delete caches
+        # delete cache
         self.class.persist_mgr.delete(token_id)
-        token_data=nil
+        token_data = nil
         # lets try the existing refresh token
         if !refresh_token.nil?
           Log.log.info("refresh=[#{refresh_token}]".bg_green)
           # try to refresh
-          # note: admin token has no refresh, and lives by default 1800secs
-          # Note: scope is mandatory in Files, and we can either provide basic auth, or client_Secret in data
-          resp=create_token(www_body_params: p_client_id_and_scope.merge({
-            grant_type:    'refresh_token',
-            refresh_token: refresh_token}))
-          if resp[:http].code.start_with?('2') then
+          # note: AoC admin token has no refresh, and lives by default 1800secs
+          resp = create_token(optional_scope_client_id.merge(grant_type: 'refresh_token',refresh_token: refresh_token))
+          if resp[:http].code.start_with?('2')
             # save only if success
-            json_data=resp[:http].body
-            token_data=JSON.parse(json_data)
+            json_data = resp[:http].body
+            token_data = JSON.parse(json_data)
             self.class.persist_mgr.put(token_id,json_data)
           else
             Log.log.debug("refresh failed: #{resp[:http].body}".bg_red)
@@ -215,124 +292,16 @@ module Aspera
         end
       end
 
-      # no cache
-      if token_data.nil? then
-        resp=nil
-        case @params[:grant]
-        when :web
-          # AoC Web based Auth
-          check_code=SecureRandom.uuid
-          auth_params=p_client_id_and_scope.merge({
-            response_type: 'code',
-            redirect_uri:  @params[:redirect_uri],
-            state:         check_code
-          })
-          auth_params[:client_secret]=@params[:client_secret] if @params.has_key?(:client_secret)
-          login_page_url=Rest.build_uri("#{@params[:base_url]}/#{@params[:path_authorize]}",auth_params)
-          # here, we need a human to authorize on a web page
-          code=goto_page_and_get_code(login_page_url,check_code)
-          # exchange code for token
-          resp=create_token(www_body_params: p_client_id_and_scope.merge({
-            grant_type:   'authorization_code',
-            code:         code,
-            redirect_uri: @params[:redirect_uri]
-          }))
-        when :jwt
-          # https://tools.ietf.org/html/rfc7519
-          # https://tools.ietf.org/html/rfc7523
-          require 'jwt'
-          seconds_since_epoch=Time.new.to_i
-          Log.log.info("seconds=#{seconds_since_epoch}")
-
-          payload = {
-            iss: @params[:client_id],    # issuer
-            sub: @params[:jwt_subject],  # subject
-            aud: @params[:jwt_audience], # audience
-            nbf: seconds_since_epoch-JWT_NOTBEFORE_OFFSET_SEC, # not before
-            exp: seconds_since_epoch+JWT_EXPIRY_OFFSET_SEC # expiration
-          }
-          # Hum.. compliant ? TODO: remove when Faspex5 API is clarified
-          if @params.has_key?(:f5_username)
-            payload[:jti] = SecureRandom.uuid # JWT id
-            payload[:iat] = seconds_since_epoch # issued at
-            payload.delete(:nbf) # not used in f5
-            p_scope[:redirect_uri]="https://127.0.0.1:5000/token" # used ?
-            p_scope[:state]=SecureRandom.uuid
-            p_scope[:client_id]=@params[:client_id]
-            @token_auth_api.params[:auth]={type: :basic,username: @params[:f5_username], password: @params[:f5_password]}
-          end
-
-          # non standard, only for global ids
-          payload.merge!(@params[:jwt_add]) if @params.has_key?(:jwt_add)
-          Log.log.debug("JWT payload=[#{payload}]")
-
-          rsa_private=@params[:jwt_private_key_obj]  # type: OpenSSL::PKey::RSA
-          Log.log.debug("private=[#{rsa_private}]")
-
-          assertion = JWT.encode(payload, rsa_private, 'RS256', @params[:jwt_headers]||{})
-          Log.log.debug("assertion=[#{assertion}]")
-
-          resp=create_token(www_body_params: p_scope.merge({
-            grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
-            assertion:  assertion
-          }))
-        when :url_token
-          # AoC Public Link
-          params={url_token: @params[:url_token]}
-          params[:password]=@params[:password] if @params.has_key?(:password)
-          resp=create_token({
-            json_params: params,
-            url_params:  p_scope.merge({grant_type: 'url_token'})
-          })
-        when :ibm_apikey
-          # ATS
-          resp=create_token(www_body_params: {
-            grant_type:    'urn:ibm:params:oauth:grant-type:apikey',
-            response_type: 'cloud_iam',
-            apikey:        @params[:api_key]
-          })
-        when :delegated_refresh
-          # COS
-          resp=create_token(www_body_params: {
-            grant_type:          'urn:ibm:params:oauth:grant-type:apikey',
-            response_type:       'delegated_refresh_token',
-            apikey:              @params[:api_key],
-            receiver_client_ids: 'aspera_ats'
-          })
-        when :header_userpass
-          # used in Faspex apiv4 and shares2
-          resp=create_token(
-          json_params: p_client_id_and_scope.merge({grant_type: 'password'}), #:www_body_params also works
-          auth:        {
-            type:     :basic,
-            username: @params[:user_name],
-            password: @params[:user_pass]}
-          )
-        when :body_userpass
-          # legacy, not used
-          resp=create_token(www_body_params: p_client_id_and_scope.merge({
-            grant_type: 'password',
-            username:   @params[:user_name],
-            password:   @params[:user_pass]
-          }))
-        when :body_data
-          # used in Faspex apiv5
-          resp=create_token({
-            auth:        {type: :none},
-            json_params: @params[:userpass_body],
-          })
-        else
-          raise "auth grant type unknown: #{@params[:grant]}"
-        end
-        # TODO: test return code ?
-        json_data=resp[:http].body
-        token_data=JSON.parse(json_data)
+      # no cache, nor refresh: generate a token
+      if token_data.nil?
+        resp = self.class.token_creator(@gparams[:crtype]).call(self)
+        json_data = resp[:http].body
+        token_data = JSON.parse(json_data)
         self.class.persist_mgr.put(token_id,json_data)
       end # if ! in_cache
-      raise "API error: No such field in answer: #{@params[:token_field]}" unless token_data.has_key?(@params[:token_field])
+      raise "API error: No such field in answer: #{@gparams[:token_field]}" unless token_data.has_key?(@gparams[:token_field])
       # ok we shall have a token here
-      return 'Bearer '+token_data[@params[:token_field]]
+      return 'Bearer ' + token_data[@gparams[:token_field]]
     end
-
   end # OAuth
 end # Aspera

data/lib/aspera/open_application.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'aspera/log'
 require 'aspera/environment'
 require 'rbconfig'
@@ -10,12 +12,12 @@ module Aspera
   class OpenApplication
     include Singleton
     # User Interfaces
-    def self.user_interfaces; [ :text, :graphical ]; end
+    def self.user_interfaces; %i[text graphical]; end
 
     def self.default_gui_mode
       return :graphical if [Aspera::Environment::OS_WINDOWS,Aspera::Environment::OS_X].include?(Aspera::Environment.os)
       # unix family
-      return :graphical if ENV.has_key?("DISPLAY") and !ENV["DISPLAY"].empty?
+      return :graphical if ENV.has_key?('DISPLAY') && !ENV['DISPLAY'].empty?
       return :text
     end
 
@@ -25,9 +27,9 @@ module Aspera
       when Aspera::Environment::OS_X
         return system('open',uri.to_s)
       when Aspera::Environment::OS_WINDOWS
-        return system('start explorer "'+uri.to_s+'"')
+        return system('start explorer "' + uri.to_s + '"')
       when Aspera::Environment::OS_LINUX
-        return system("xdg-open '#{uri.to_s}'")
+        return system("xdg-open '#{uri}'")
       else
         raise "no graphical open method for #{Aspera::Environment.os}"
       end
@@ -36,7 +38,7 @@ module Aspera
     attr_accessor :url_method
 
     def initialize
-      @url_method=self.class.default_gui_mode
+      @url_method = self.class.default_gui_mode
     end
 
     # this is non blocking
@@ -47,9 +49,9 @@ module Aspera
       when :text
         case the_url.to_s
         when /^http/
-          puts "USER ACTION: please enter this url in a browser:\n"+the_url.to_s.red()+"\n"
+          puts "USER ACTION: please enter this url in a browser:\n" + the_url.to_s.red + "\n"
         else
-          puts "USER ACTION: open this:\n"+the_url.to_s.red()+"\n"
+          puts "USER ACTION: open this:\n" + the_url.to_s.red + "\n"
         end
       else
         raise StandardError,"unsupported url open method: #{@url_method}"

data/lib/aspera/persistency_action_once.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'json'
 require 'aspera/log'
 
@@ -13,20 +15,20 @@ module Aspera
     # @param :merge    Optional  merge data from file to current data
     def initialize(options)
       Log.log.debug("persistency: #{options}")
-      raise "options shall be Hash" unless options.is_a?(Hash)
-      raise "mandatory :manager" if options[:manager].nil?
-      raise "mandatory :data" if options[:data].nil?
-      raise "mandatory :id (String)" unless options[:id].is_a?(String)
-      raise "mandatory 1 element in :id" unless options[:id].length >= 1
-      @manager=options[:manager]
-      @persisted_object=options[:data]
-      @object_id=options[:id]
+      raise 'options shall be Hash' unless options.is_a?(Hash)
+      raise 'mandatory :manager' if options[:manager].nil?
+      raise 'mandatory :data' if options[:data].nil?
+      raise 'mandatory :id (String)' unless options[:id].is_a?(String)
+      raise 'mandatory 1 element in :id' unless options[:id].length >= 1
+      @manager = options[:manager]
+      @persisted_object = options[:data]
+      @object_id = options[:id]
       # by default , at save time, file is deleted if data is nil
-      @delete_condition=options[:delete] || lambda{|d|d.empty?}
-      @persist_format=options[:format] || lambda {|h| JSON.generate(h)}
-      persist_parse=options[:parse] || lambda {|t| JSON.parse(t)}
-      persist_merge=options[:merge] || lambda {|current,file| current.concat(file).uniq rescue current}
-      value=@manager.get(@object_id)
+      @delete_condition = options[:delete] || lambda{|d|d.empty?}
+      @persist_format = options[:format] || lambda {|h| JSON.generate(h)}
+      persist_parse = options[:parse] || lambda {|t| JSON.parse(t)}
+      persist_merge = options[:merge] || lambda {|current,file| current.concat(file).uniq rescue current}
+      value = @manager.get(@object_id)
       persist_merge.call(@persisted_object,persist_parse.call(value)) unless value.nil?
     end
 
@@ -41,6 +43,5 @@ module Aspera
     def data
       return @persisted_object
     end
-
   end
 end