authlete 0.0.4 → 0.0.5

data/lib/authlete.rb

@@ -23,11 +23,9 @@ require 'authlete/version'
 # A library for {Authlete Web APIs}[https://www.authlete.com/authlete_web_apis.html].
 #
 module Authlete
-  # The host of Authlete Web APIs for evaluation.
-  HOST_EVALUATION = 'https://evaluation-dot-authlete.appspot.com'
-
   autoload :AuthenticationServer, 'authlete/authentication-server'
   autoload :Client, 'authlete/client'
+  autoload :Host, 'authlete/host'
   autoload :Utility, 'authlete/utility'
 
   module Request

data/lib/authlete/client.rb

@@ -16,6 +16,7 @@
 
 
 require 'json'
+require 'rack'
 require 'rest-client'
 
 
@@ -57,14 +58,14 @@ module Authlete
       @service_owner_api_key    = extract_value(config, :service_owner_api_key)
       @service_owner_api_secret = extract_value(config, :service_owner_api_secret)
       @service_api_key          = extract_value(config, :service_api_key)
-      @service_api_secret       = extract_value(config, :service_api_secret]
+      @service_api_secret       = extract_value(config, :service_api_secret)
     end
 
     private
 
     def call_api(method, path, content_type, payload, user, password)
       response = RestClient::Request.new(
-        :method   => :method,
+        :method   => method,
         :url      => @host + path,
         :headers  => { :content_type => content_type },
         :payload  => payload,
@@ -87,6 +88,24 @@ module Authlete
       call_api_json(path, body, @service_api_key, @service_api_secret)
     end
 
+    def build_error_message(path, exception)
+      begin
+        # Use "resultMessage" if the response can be parsed as JSON.
+        JSON.parse(exception.response.to_str)['resultMessage']
+      rescue
+        # Build a generic error message.
+        "Authlete's #{path} API failed."
+      end
+    end
+
+    def emit_rack_error_message(request, message)
+      begin
+        # Logging if possible.
+        request.env['rack.errors'].write("ERROR: #{message}\n")
+      rescue => e
+      end
+    end
+
     public
 
     # Call Authlete's {/auth/introspection}
@@ -116,5 +135,61 @@ module Authlete
 
       Authlete::Response::IntrospectionResponse.new(hash)
     end
+
+    # Ensure that the request contains a valid access token.
+    #
+    # This method extracts an access token from the given request based on the
+    # rules described in RFC 6750 and introspects the access token by calling
+    # Authlete's /auth/introspection API.
+    #
+    # The first argument <tt>request</tt> is a Rack request.
+    #
+    # The second argument <tt>scopes</tt> is an array of scope names required
+    # to access the target protected resource. This argument is optional.
+    #
+    # The third argument <tt>subject</tt> is a string which representing a
+    # subject which has to be associated with the access token. This argument
+    # is optional.
+    #
+    # This method returns an instance of
+    # <tt>Authlete::Response::IntrospectionResponse</tt>. If its <tt>action</tt>
+    # method returns 'OK', it means that the access token exists, has not
+    # expired, covers the requested scopes (if specified), and is associated
+    # with the requested subject (if specified). Otherwise, it means that the
+    # request does not contain any access token or that the access token does
+    # not satisfy the conditions to access the target protected resource.
+    def protect_resource(request, scopes = nil, subject = nil)
+      # Extract an access token from the request.
+      access_token = extract_access_token(request)
+
+      # If the request does not contain any access token.
+      if access_token.nil?
+        # The request does not contain a valid access token.
+        return Authlete::Response::IntrospectionResponse.new(
+          :action          => 'BAD_REQUEST',
+          :responseContent => 'Bearer error="invalid_token",error_description="The request does not contain a valid access token."'
+        )
+      end
+
+      begin
+        # Call Authlete's /auth/introspection API to introspect the access token.
+        result = introspection(access_token, scopes, subject)
+      rescue => e
+        # Error message.
+        message = build_error_message('/auth/introspection', e)
+
+        # Emit a Rack error message.
+        emit_rack_error_message(request, message)
+
+        # Failed to introspect the access token.
+        return Authlete::Response::IntrospectionResponse.new(
+          :action          => 'INTERNAL_SERVER_ERROR',
+          :responseContent => "Bearer error=\"server_error\",error_description=\"#{message}\""
+        )
+      end
+
+      # Return the response from Authlete's /auth/introspection API.
+      result
+    end
   end
 end

data/lib/authlete/host.rb

@@ -0,0 +1,23 @@
+# :nodoc:
+#
+# Copyright (C) 2014 Authlete, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+module Autlete
+  module Host
+    # The host of Authlete Web APIs for evaluation.
+    EVALUATION = 'https://evaluation-dot-authlete.appspot.com'
+  end
+end

data/lib/authlete/response/authentication-callback-response.rb

@@ -42,21 +42,11 @@ module Authlete
 
       # Generate an array which is usable as a Rack response from this instance.
       def to_rack_response
-        [
-          200,
-          {
-            'Content-Type'  => 'application/json;charset=UTF-8',
-            'Cache-Control' => 'no-store',
-            'Pragma'        => 'no-cache'
-          },
-          [
-            JSON.generate(
-              :authenticated => @authenticated,
-              :subject       => @subject,
-              :claims        => @claims
-            )
-          ]
-        ]
+        to_rack_response_json(200, JSON.generate(
+          :authenticated => @authenticated,
+          :subject       => @subject,
+          :claims        => @claims
+        ))
       end
     end
   end

data/lib/authlete/response/introspection-response.rb

@@ -23,7 +23,9 @@ module Authlete
     # {/auth/introspection}[https://www.authlete.com/authlete_web_apis_introspection.html#auth_introspection]
     # API.
     #
-    class IntrospectionResponse < Athlete::Response::BaseResponse
+    class IntrospectionResponse < Authlete::Response::BaseResponse
+      include Authlete::Utility
+
       # The next action which the caller of the API should take next.
       attr_accessor :action
 
@@ -81,6 +83,50 @@ module Authlete
       alias_method :usable?,      :usable
       alias_method :sufficient?,  :sufficient
       alias_method :refreshable?, :refreshable
+
+      # Generate an array which is usable as a Rack response from this instance.
+      # When <tt>action</tt> method returns other value than 'OK', the array
+      # returned from this method satisfies RFC 6750.
+      def to_rack_response
+        # 'action' denotes the next action.
+        case @action
+        when 'INTERNAL_SERVER_ERROR'
+          # 500 Internal Server Error
+          #   The API request from this implementation was wrong
+          #   or an error occurred in Authlete.
+          return to_rack_response_www_authenticate(500, @response_content)
+
+        when 'BAD_REQUEST'
+          # 400 Bad Request
+          #   The request from the client application does not
+          #   contain an access token.
+          return to_rack_response_www_authenticate(400, @response_content)
+
+        when 'UNAUTHORIZED'
+          # 401 Unauthorized
+          #   The presented access token does not exist or has expired.
+          return to_rack_response_www_authenticate(401, @response_content)
+
+        when 'FORBIDDEN'
+          # 403 Forbidden
+          #   The access token does not cover the required scopes
+          #   or the subject associated with the access token is
+          #   different.
+          return to_rack_response_www_authenticate(403, @response_content)
+
+        when 'OK'
+          # The access token is valid (= exists and has not expired).
+          # Basically, the caller won't use the array returned from here.
+          # Instead, it will return the protected resource to the client
+          # application which has presented the valid access token.
+          return [ 200, nil, nil ]
+
+        else
+          # This should not happen.
+          return to_rack_response_www_authenticate(500,
+            'Bearer error="server_error",error_description="Unknown action"')
+        end
+      end
     end
   end
 end

data/lib/authlete/utility.rb

@@ -15,6 +15,9 @@
 # limitations under the License.
 
 
+require 'base64'
+
+
 module Authlete
   module Utility
     def extract_value(hash, key)
@@ -30,5 +33,42 @@ module Authlete
 
       return (value == true || value == 'true')
     end
+
+    # Extract an access token (RFC 6750)
+    def extract_access_token(request)
+      header = request.env['HTTP_AUTHORIZATION']
+
+      if /^Bearer[ ]+(.+)/i =~ header
+        return Base64.decode64($1)
+      end
+
+      return request['access_token']
+    end
+
+    def to_rack_response_json(status_code, content)
+      [
+        status_code,
+        {
+          'Content-Type'  => 'application/json;charset=UTF-8',
+          'Cache-Control' => 'no-store',
+          'Pragma'        => 'no-cache'
+        },
+        [
+          content
+        ]
+      ]
+    end
+
+    def to_rack_response_www_authenticate(status_code, content)
+      [
+        status_code,
+        {
+          'WWW-Authenticate' => content,
+          'Cache-Control'    => 'no-store',
+          'Pragma'           => 'no-cache'
+        },
+        nil
+      ]
+    end
   end
 end

data/lib/authlete/version.rb

@@ -1,3 +1,3 @@
 module Authlete
-  VERSION = "0.0.4"
+  VERSION = "0.0.5"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: authlete
 version: !ruby/object:Gem::Version
-  version: 0.0.4
+  version: 0.0.5
   prerelease: 
 platform: ruby
 authors:
@@ -76,6 +76,7 @@ files:
 - lib/authlete.rb
 - lib/authlete/authentication-server.rb
 - lib/authlete/client.rb
+- lib/authlete/host.rb
 - lib/authlete/request/authentication-callback-request.rb
 - lib/authlete/response/authentication-callback-response.rb
 - lib/authlete/response/base-response.rb