cf-uaa-lib 1.3.0

data/lib/uaa/token_coder.rb

@@ -0,0 +1,124 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+require "openssl"
+require "uaa/util"
+
+module CF::UAA
+
+# This class is for OAuth Resource Servers.
+# Resource Servers get tokens and need to validate and decode them,
+# but they do not obtain them from the Authorization Server. This
+# class it for Resource Servers which accept Bearer JWT tokens.  An
+# instance of this class can be used to decode and verify the contents
+# of a bearer token.  The Authorization Server will have signed the
+# token and shared a secret key so that the Resource Server can verify
+# the signature.  The Authorization Server may also have given the
+# Resource Server an id, in which case it must verify a matching value
+# is in the access token.
+class TokenCoder
+
+  def self.init_digest(algo) # :nodoc:
+    OpenSSL::Digest::Digest.new(algo.sub('HS', 'sha').sub('RS', 'sha'))
+  end
+
+  # takes a token_body (the middle section of the jwt) and returns a signed token
+  def self.encode(token_body, skey, pkey = nil, algo = 'HS256')
+    segments = [Util.json_encode64("typ" => "JWT", "alg" => algo)]
+    segments << Util.json_encode64(token_body)
+    if ["HS256", "HS384", "HS512"].include?(algo)
+      sig = OpenSSL::HMAC.digest(init_digest(algo), skey, segments.join('.'))
+    elsif ["RS256", "RS384", "RS512"].include?(algo)
+      sig = pkey.sign(init_digest(algo), segments.join('.'))
+    elsif algo == "none"
+      sig = ""
+    else
+      raise ArgumentError, "unsupported signing method"
+    end
+    segments << Util.encode64(sig)
+    segments.join('.')
+  end
+
+  def self.decode(token, skey = nil, pkey = nil, verify = true)
+    pkey = OpenSSL::PKey::RSA.new(pkey) unless pkey.nil? || pkey.is_a?(OpenSSL::PKey::PKey)
+    segments = token.split('.')
+    raise DecodeError, "Not enough or too many segments" unless [2,3].include? segments.length
+    header_segment, payload_segment, crypto_segment = segments
+    signing_input = [header_segment, payload_segment].join('.')
+    header = Util.json_decode64(header_segment)
+    payload = Util.json_decode64(payload_segment)
+    return payload if !verify || (algo = header["alg"]) == "none"
+    signature = Util.decode64(crypto_segment)
+    if ["HS256", "HS384", "HS512"].include?(algo)
+      raise DecodeError, "Signature verification failed" unless
+          signature == OpenSSL::HMAC.digest(init_digest(algo), skey, signing_input)
+    elsif ["RS256", "RS384", "RS512"].include?(algo)
+      raise DecodeError, "Signature verification failed" unless
+          pkey.verify(init_digest(algo), signature, signing_input)
+    else
+      raise DecodeError, "Algorithm not supported"
+    end
+    payload
+  end
+
+  # Create a new token en/decoder for a service that is associated with
+  # the the audience_ids, the symmetrical token validation key, and the
+  # public and/or private keys. Parameters:
+  # * audience_ids - an array or space separated strings and should
+  #   indicate values which indicate the token is intended for this service
+  #   instance. It will be compared with tokens as they are decoded to
+  #   ensure that the token was intended for this audience.
+  # * skey - is used to sign and validate tokens using symetrical key
+  #   algoruthms
+  # * pkey - pkey may be a string or File which includes public and
+  #   optionally private key data in PEM or DER formats. The private key
+  #   is used to sign tokens and the public key is used to validate tokens.
+  def initialize(audience_ids, skey, pkey = nil)
+    @audience_ids, @skey, @pkey = Util.arglist(audience_ids), skey, pkey
+    @pkey = OpenSSL::PKey::RSA.new(pkey) unless pkey.nil? || pkey.is_a?(OpenSSL::PKey::PKey)
+  end
+
+  # Encode a JWT token. Takes a hash of values to use as the token body.
+  # Returns a signed token in JWT format (header, body, signature).
+  # Algorithm may be HS256, HS384, HS512, RS256, RS384, RS512, or none --
+  # assuming the TokenCoder instance is configured with the appropriate
+  # key -- i.e. pkey must include a private key for the RS algorithms.
+  def encode(token_body = {}, algorithm = 'HS256')
+    token_body['aud'] = @audience_ids unless token_body['aud']
+    token_body['exp'] = Time.now.to_i + 7 * 24 * 60 * 60 unless token_body['exp']
+    self.class.encode(token_body, @skey, @pkey, algorithm)
+  end
+
+  # Returns hash of values decoded from the token contents. If the
+  # token contains resource ids and they do not contain the id of the
+  # caller there will be an AuthError. If the token has expired there
+  # will also be an AuthError.
+  def decode(auth_header)
+    unless auth_header && (tkn = auth_header.split).length == 2 && tkn[0] =~ /^bearer$/i
+      raise DecodeError, "invalid authentication header: #{auth_header}"
+    end
+    reply = self.class.decode(tkn[1], @skey, @pkey)
+    auds = Util.arglist(reply["aud"])
+    if @audience_ids && (!auds || (auds & @audience_ids).empty?)
+      raise AuthError, "invalid audience: #{auds.join(' ')}"
+    end
+    exp = reply["exp"]
+    unless exp.is_a?(Integer) && exp > Time.now.to_i
+      raise AuthError, "token expired"
+    end
+    reply
+  end
+
+end
+
+end

data/lib/uaa/token_issuer.rb

@@ -0,0 +1,173 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+# Web or Native Clients (in the OAuth2 sense) would use this class to get tokens
+# that they can use to get access to resources
+
+# Client Apps that want to get access on behalf of their users to
+# resource servers need to get tokens via authcode and implicit flows,
+# request scopes, etc., but they don't need to process tokens. This
+# class is for these use cases.
+
+require 'securerandom'
+require 'uaa/http'
+
+module CF::UAA
+
+# The Token class holds access and refresh tokens as well as token meta-data
+# such as token type and expiration time. The info hash MUST include 
+# access_token, token_type and scope (if granted scope differs from requested 
+# scope). It should include expires_in. It may include refresh_token, scope, 
+# and other values from the auth server.
+class Token
+  attr_reader :info
+  def initialize(info); @info = info end
+  def auth_header; "#{info['token_type']} #{info['access_token']}" end
+end
+
+class TokenIssuer
+
+  include Http
+
+  def initialize(target, client_id, client_secret = nil, token_target = nil)
+    @target, @client_id, @client_secret = target, client_id, client_secret
+    @token_target = token_target || target
+  end
+
+  # login prompts for use by app to collect credentials for implicit grant
+  def prompts
+    reply = json_get @target, '/login'
+    return reply['prompts'] if reply && reply['prompts']
+    raise BadResponse, "No prompts in response from target #{@target}"
+  end
+
+  # gets an access token in a single call to the UAA with the client
+  # credentials used for authentication. The credentials arg should
+  # be an object such as a hash that can be converted to a json
+  # representation of the credential name/value pairs
+  # as specified by the information retrieved by #prompts
+  def implicit_grant_with_creds(credentials, scope = nil)
+    # this manufactured redirect_uri is a convention here, not part of OAuth2
+    redir_uri = "https://uaa.cloudfoundry.com/redirect/#{@client_id}"
+    uri = authorize_path_args("token", redir_uri, scope, state = SecureRandom.uuid)
+
+    # the accept header is only here so the uaa will issue error replies in json to aid debugging
+    headers = {'content-type' => 'application/x-www-form-urlencoded', 'accept' => 'application/json' }
+    body = URI.encode_www_form(credentials.merge('source' => 'credentials'))
+    status, body, headers = request(@target, :post, uri, body, headers)
+    raise BadResponse, "status #{status}" unless status == 302
+    req_uri, reply_uri = URI.parse(redir_uri), URI.parse(headers['location'])
+    fragment, reply_uri.fragment = reply_uri.fragment, nil
+    raise BadResponse, "bad location header" unless req_uri == reply_uri
+    parse_implicit_params(fragment, state)
+  rescue URI::Error => e
+    raise BadResponse, "bad location header in reply: #{e.message}"
+  end
+
+  # constructs a uri that the client is to return to the browser to direct
+  # the user to the authorization server to get an authcode. The redirect_uri
+  # is embedded in the returned uri so the authorization server can redirect
+  # the user back to the client app.
+  def implicit_uri(redirect_uri, scope = nil)
+    @target + authorize_path_args("token", redirect_uri, scope)
+  end
+
+  def implicit_grant(implicit_uri, callback_query)
+    in_params = Util.decode_form_to_hash(URI.parse(implicit_uri).query)
+    unless in_params['state'] && in_params['redirect_uri']
+      raise ArgumentError, "redirect must happen before implicit grant"
+    end
+    parse_implicit_params callback_query, in_params['state']
+  end
+
+  def autologin_uri(redirect_uri, credentials, scope = nil)
+    headers = {'content_type' => 'application/x-www-form-urlencoded', 'accept' => 'application/json',
+        'authorization' => Http.basic_auth(@client_id, @client_secret) }
+    body = URI.encode_www_form(credentials)
+    reply = json_parse_reply(*request(@target, :post, "/autologin", body, headers))
+    raise BadResponse, "no autologin code in reply" unless reply['code']
+    @target + authorize_path_args('code', redirect_uri, scope, SecureRandom.uuid, code: reply[:code])
+  end
+
+  # constructs a uri that the client is to return to the browser to direct
+  # the user to the authorization server to get an authcode. The redirect_uri
+  # is embedded in the returned uri so the authorization server can redirect
+  # the user back to the client app.
+  def authcode_uri(redirect_uri, scope = nil)
+    @target + authorize_path_args('code', redirect_uri, scope)
+  end
+
+  def authcode_grant(authcode_uri, callback_query)
+    ac_params = Util.decode_form_to_hash(URI.parse(authcode_uri).query)
+    unless ac_params['state'] && ac_params['redirect_uri']
+      raise ArgumentError, "authcode redirect must happen before authcode grant"
+    end
+    begin
+      params = Util.decode_form_to_hash(callback_query)
+      authcode = params['code']
+      raise BadResponse unless params['state'] == ac_params['state'] && authcode
+    rescue URI::InvalidURIError, ArgumentError, BadResponse
+      raise BadResponse, "received invalid response from target #{@target}"
+    end
+    request_token('grant_type' => 'authorization_code', 'code' => authcode, 'redirect_uri' => ac_params['redirect_uri'])
+  end
+
+  def owner_password_grant(username, password, scope = nil)
+    request_token('grant_type' => 'password', 'username' => username, 'password' => password, 'scope' => scope)
+  end
+
+  def client_credentials_grant(scope = nil)
+    request_token('grant_type' => 'client_credentials', 'scope' => scope)
+  end
+
+  def refresh_token_grant(refresh_token, scope = nil)
+    request_token('grant_type' => 'refresh_token', 'refresh_token' => refresh_token, 'scope' => scope)
+  end
+
+  private
+
+  def parse_implicit_params(encoded_params, state)
+    params = Util.decode_form_to_hash(encoded_params)
+    raise BadResponse, "mismatched state" unless state && params.delete('state') == state
+    raise TargetError.new(params), "error response from #{@target}" if params['error']
+    raise BadResponse, "no type and token" unless params['token_type'] && params['access_token']
+    exp = params['expires_in'].to_i
+    params['expires_in'] = exp if exp.to_s == params['expires_in']
+    Token.new params
+  rescue URI::InvalidURIError, ArgumentError
+    raise BadResponse, "received invalid response from target #{@target}"
+  end
+
+  # returns a CF::UAA::Token object which includes the access token and metadata.
+  def request_token(params)
+    if scope = Util.arglist(params.delete('scope'))
+      params['scope'] = Util.strlist(scope)
+    end
+    headers = {'content-type' => 'application/x-www-form-urlencoded', 'accept' => 'application/json',
+        'authorization' => Http.basic_auth(@client_id, @client_secret) }
+    body = URI.encode_www_form(params)
+    reply = json_parse_reply(*request(@token_target, :post, '/oauth/token', body, headers))
+    raise BadResponse unless reply['token_type'] && reply['access_token']
+    Token.new reply
+  end
+
+  def authorize_path_args(response_type, redirect_uri, scope, state = SecureRandom.uuid, args = {})
+    params = args.merge('client_id' => @client_id, 'response_type' => response_type, 'redirect_uri' => redirect_uri, 'state' => state)
+    params['scope'] = scope = Util.strlist(scope) if scope = Util.arglist(scope)
+    params['nonce'], params['response_type'] = state, "#{response_type} id_token" if scope && scope.include?('openid')
+    "/oauth/authorize?#{URI.encode_www_form(params)}"
+  end
+
+end
+
+end

data/lib/uaa/util.rb

@@ -0,0 +1,159 @@
+#--
+# Cloud Foundry 2012.02.03 Beta
+# Copyright (c) [2009-2012] VMware, Inc. All Rights Reserved.
+#
+# This product is licensed to you under the Apache License, Version 2.0 (the "License").
+# You may not use this product except in compliance with the License.
+#
+# This product includes a number of subcomponents with
+# separate copyright notices and license terms. Your use of these
+# subcomponents is subject to the terms and conditions of the
+# subcomponent's license, as noted in the LICENSE file.
+#++
+
+require 'multi_json'
+require "base64"
+require 'logger'
+require 'uri'
+
+# :nodoc:
+module CF
+  # Namespace for Cloudfoundry UAA 
+  module UAA end
+end
+
+class Logger # :nodoc:
+  Severity::TRACE = Severity::DEBUG - 1
+  def trace(progname, &blk); add(Logger::Severity::TRACE, nil, progname, &blk) end
+  def trace? ; @level <= Logger::Severity::TRACE end
+end
+
+module CF::UAA
+
+# all CF::UAA exceptions are derived from UAAError
+class UAAError < RuntimeError; end
+
+# Authentication error
+class AuthError < UAAError; end
+
+# error for decoding tokens, base64 encoding, or json
+class DecodeError < UAAError; end
+
+# low level helper functions useful to the UAA client APIs
+class Util
+
+  # http headers and various protocol tags tend to contain '-' characters,
+  # are intended to be case-insensitive, and often end up as keys in ruby
+  # hashes. The :undash style converts to lowercase for at least
+  # consistent case if not exactly case insensitive, and with '_' instead
+  # of '-' for ruby convention. :todash reverses :undash (except for case).
+  # :uncamel and :tocamel provide similar translations for camel-case keys.
+  # returns new key
+  def self.hash_key(k, style)
+    case style
+    when :undash then k.to_s.downcase.tr('-', '_').to_sym
+    when :todash then k.to_s.downcase.tr('_', '-')
+    when :uncamel then k.to_s.downcase.gsub(/([A-Z])([^A-Z]*)/,'_\1\2').to_sym
+    when :tocamel then k.to_s.gsub(/(_[a-z])([^_]*)/) { $1[1].upcase + $2 }
+    when :tosym then k.to_sym
+    when :tostr then k.to_s
+    when :down then k.to_s.downcase
+    when :none then k
+    else raise ArgumentError, "unknown hash key style: #{style}"
+    end
+  end
+
+  # modifies obj in place changing any hash keys to style (see hash_key). 
+  # Recursively modifies subordinate hashes. Returns modified obj
+  def self.hash_keys!(obj, style = :none)
+    return obj if style == :none
+    return obj.each {|o| hash_keys!(o, style)} if obj.is_a? Array
+    return obj unless obj.is_a? Hash
+    newkeys, nk = {}, nil
+    obj.delete_if { |k, v| 
+      hash_keys!(v, style)
+      newkeys[nk] = v unless (nk = hash_key(k, style)) == k
+      nk != k
+    }
+    obj.merge!(newkeys)
+  end
+ 
+  # makes a new copy of obj with hash keys to style (see hash_key). 
+  # Recursively modifies subordinate hashes. Returns modified obj
+  def self.hash_keys(obj, style = :none)
+    return obj.collect {|o| hash_keys(o, style)} if obj.is_a? Array
+    return obj unless obj.is_a? Hash
+    obj.each_with_object({}) {|(k, v), h| 
+      h[hash_key(k, style)] = hash_keys(v, style) 
+    }
+  end
+
+  # Takes an x-www-form-urlencoded string and returns a hash of key value pairs.
+  # Useful for OAuth parameters. It raises an ArgumentError if a key occurs
+  # more than once, which is a restriction of OAuth query strings.
+  # OAuth parameters are case sensitive, scim parameters are case-insensitive
+  # See ietf rfc 6749 section 3.1.
+  def self.decode_form_to_hash(url_encoded_pairs, style = :none)
+    URI.decode_www_form(url_encoded_pairs).each_with_object({}) do |p, o|
+      k = hash_key(p[0], style)
+      raise ArgumentError, "duplicate keys in form parameters" if o[k]
+      o[k] = p[1]
+    end
+  rescue Exception => e
+    raise ArgumentError, e.message
+  end
+
+  def self.json(obj) MultiJson.dump(obj) end
+  def self.json_encode64(obj = {}) encode64(json(obj)) end
+  def self.json_decode64(str) json_parse(decode64(str)) end
+  def self.encode64(obj) Base64::urlsafe_encode64(obj).gsub(/=*$/, '') end
+  def self.decode64(str)
+    return unless str
+    pad = str.length % 4
+    str << '=' * (4 - pad) if pad > 0
+    Base64::urlsafe_decode64(str)
+  rescue ArgumentError
+    raise DecodeError, "invalid base64 encoding"
+  end
+
+  def self.json_parse(str, style = :none)
+    hash_keys!(MultiJson.load(str), style) if str && !str.empty?
+  rescue MultiJson::DecodeError
+    raise DecodeError, "json decoding error"
+  end
+
+  def self.truncate(obj, limit = 50)
+    return obj.to_s if limit == 0
+    limit = limit < 5 ? 1 : limit - 4
+    str = obj.to_s[0..limit]
+    str.length > limit ? str + '...': str
+  end
+
+  # many parameters in these classes can be given as arrays, or as a list of
+  # arguments separated by spaces or commas. This method handles the possible
+  # inputs and returns an array of arguments.
+  def self.arglist(arg, default_arg = nil)
+    arg = default_arg unless arg
+    return arg if arg.nil? || arg.respond_to?(:join)
+    raise ArgumentError, "arg must be Array or space|comma delimited strings" unless arg.respond_to?(:split)
+    arg.split(/[\s\,]+/).reject { |e| e.empty? }
+  end
+
+  # reverse of arglist, puts arrays of strings into a single, space-delimited string
+  def self.strlist(arg, delim = ' ')
+    arg.respond_to?(:join) ? arg.join(delim) : arg.to_s if arg
+  end
+
+  def self.default_logger(level = nil, sink = nil)
+    if sink || !@default_logger
+      @default_logger = Logger.new(sink || $stdout)
+      level = :info unless level
+      @default_logger.formatter = Proc.new { |severity, time, pname, msg| puts msg }
+    end
+    @default_logger.level = Logger::Severity.const_get(level.upcase) if level
+    @default_logger
+  end
+
+end
+
+end