danski-ooh-auth 0.1.2

data/lib/ooh-auth/merbtasks.rb

@@ -0,0 +1,103 @@
+namespace :slices do
+  namespace :ooh_auth do
+  
+    desc "Install OohAuth"
+    task :install => [:preflight, :setup_directories, :copy_assets, :migrate]
+    
+    desc "Test for any dependencies"
+    task :preflight do # see slicetasks.rb
+    end
+  
+    desc "Setup directories"
+    task :setup_directories do
+      puts "Creating directories for host application"
+      OohAuth.mirrored_components.each do |type|
+        if File.directory?(OohAuth.dir_for(type))
+          if !File.directory?(dst_path = OohAuth.app_dir_for(type))
+            relative_path = dst_path.relative_path_from(Merb.root)
+            puts "- creating directory :#{type} #{File.basename(Merb.root) / relative_path}"
+            mkdir_p(dst_path)
+          end
+        end
+      end
+    end
+    
+    desc "Copy stub files to host application"
+    task :stubs do
+      puts "Copying stubs for OohAuth - resolves any collisions"
+      copied, preserved = OohAuth.mirror_stubs!
+      puts "- no files to copy" if copied.empty? && preserved.empty?
+      copied.each { |f| puts "- copied #{f}" }
+      preserved.each { |f| puts "! preserved override as #{f}" }
+    end
+    
+    desc "Copy stub files and views to host application"
+    task :patch => [ "stubs", "freeze:views" ]
+  
+    desc "Copy public assets to host application"
+    task :copy_assets do
+      puts "Copying assets for OohAuth - resolves any collisions"
+      copied, preserved = OohAuth.mirror_public!
+      puts "- no files to copy" if copied.empty? && preserved.empty?
+      copied.each { |f| puts "- copied #{f}" }
+      preserved.each { |f| puts "! preserved override as #{f}" }
+    end
+    
+    desc "Migrate the database"
+    task :migrate do # see slicetasks.rb
+    end
+    
+    desc "Freeze OohAuth into your app (only ooh-auth/app)" 
+    task :freeze => [ "freeze:app" ]
+
+    namespace :freeze do
+      
+      desc "Freezes OohAuth by installing the gem into application/gems"
+      task :gem do
+        ENV["GEM"] ||= "ooh-auth"
+        Rake::Task['slices:install_as_gem'].invoke
+      end
+      
+      desc "Freezes OohAuth by copying all files from ooh-auth/app to your application"
+      task :app do
+        puts "Copying all ooh-auth/app files to your application - resolves any collisions"
+        copied, preserved = OohAuth.mirror_app!
+        puts "- no files to copy" if copied.empty? && preserved.empty?
+        copied.each { |f| puts "- copied #{f}" }
+        preserved.each { |f| puts "! preserved override as #{f}" }
+      end
+      
+      desc "Freeze all views into your application for easy modification" 
+      task :views do
+        puts "Copying all view templates to your application - resolves any collisions"
+        copied, preserved = OohAuth.mirror_files_for :view
+        puts "- no files to copy" if copied.empty? && preserved.empty?
+        copied.each { |f| puts "- copied #{f}" }
+        preserved.each { |f| puts "! preserved override as #{f}" }
+      end
+      
+      desc "Freeze all models into your application for easy modification" 
+      task :models do
+        puts "Copying all models to your application - resolves any collisions"
+        copied, preserved = OohAuth.mirror_files_for :model
+        puts "- no files to copy" if copied.empty? && preserved.empty?
+        copied.each { |f| puts "- copied #{f}" }
+        preserved.each { |f| puts "! preserved override as #{f}" }
+      end
+      
+      desc "Freezes OohAuth as a gem and copies over ooh-auth/app"
+      task :app_with_gem => [:gem, :app]
+      
+      desc "Freezes OohAuth by unpacking all files into your application"
+      task :unpack do
+        puts "Unpacking OohAuth files to your application - resolves any collisions"
+        copied, preserved = OohAuth.unpack_slice!
+        puts "- no files to copy" if copied.empty? && preserved.empty?
+        copied.each { |f| puts "- copied #{f}" }
+        preserved.each { |f| puts "! preserved override as #{f}" }
+      end
+      
+    end
+    
+  end
+end

data/lib/ooh-auth/request_verification_mixin.rb

@@ -0,0 +1,160 @@
+=begin
+OohAuth::Request::VerificationMixin is a mixin module for Merb's internal Request class.
+
+It provides
+=end
+
+require 'hmac-sha1'
+require 'hmac-md5'
+
+module OohAuth
+  module Request
+    module VerificationMixin
+      
+      # Returns TRUE if the request contains api-flavour parameters. At least an api_token and an api_signature must be present
+      def oauth_request?
+        (consumer_key)? true : false
+      end
+      
+          # Returns the authenticating client referenced by the consumer key in the given request, or nil if
+          # no consumer key was given or if the given consumer key was invalid.
+          def authenticating_client
+            #return false unless signed?
+            @authenticating_client ||= OohAuth::AuthenticatingClient.first(:api_key=>consumer_key)
+          end
+      
+          # Returns the stored token referenced by the oauth_token header or parameter, or nil if none was found.
+          def authentication_token
+            @authentication_token ||= OohAuth::Token.first(:token_key=>token)
+          end
+      
+      # Attempts to verify the request's signature using the strategy covered in signing.markdown.
+      # Takes one argument, which is the authenticating client you wish to check the signature against.
+      # Returns a true on success, false on fail.
+      def signed?
+        # Fail immediately if the request is not signed at all
+        return false unless oauth_request? and authenticating_client
+        # mash and compare with given signature
+        self.signature == build_signature
+      end
+      
+          # Creates a signature for this request, returning the final hash required for insertion in a signed URL.
+          def build_signature
+            sig = case signature_method
+                  when "HMAC-SHA1"
+                    Base64.encode64(HMAC::SHA1.digest(signature_secret, signature_base_string)).chomp.gsub(/\n/,'')
+                  when "HMAC-MD5"
+                    Base64.encode64(HMAC::MD5.digest(signature_secret, signature_base_string)).chomp.gsub(/\n/,'')
+                  else
+                    false
+                  end
+            Merb::Parse.escape(sig)
+          end
+      
+          # Creates a plaintext version of the signature base string ready to be run through any#
+          # of the support OAuth signature methods.
+          # See http://oauth.net/core/1.0#signing_process for more information.
+          def signature_base_string
+            "#{method.to_s.upcase}&#{full_uri}&#{normalise_signature_params}"
+          end
+      
+          # Returns the signature secret, which is expected to be the HMAC encryption key for signed requests.
+          # If the request refers to a token, the token will be retrieved
+          def signature_secret
+            "#{authenticating_client.secret}&#{authentication_token ? authentication_token.secret : nil}" rescue raise Merb::ControllerExceptions::NotAcceptable
+          end
+      
+      # Scrubs route parameters from the known params, returning a hash of known GET and POST parameters.
+      # Basically, this returns the parameters needed in the signature key/value gibberish.
+      # FIXME unidentified request gremlins seeding params with mix of symbol and string keys, requiring to_s filth all over the match block.
+      def signature_params
+        route, route_params = Merb::Router.route_for(self)
+        #raise RuntimeError, route_params.inspect
+        return oauth_merged_params.delete_if {|k,v| route_params.keys.map{|s|s.to_s}.include?(k.to_s) or k.to_s == "oauth_signature"}
+      end
+      
+          # Returns the signature_params as a normalised string in line with
+          # http://oauth.net/core/1.0#signing_process
+          def normalise_signature_params
+            signature_params.sort.collect{|key, value| "#{key}=#{value}"}.join("&")
+          end
+          
+          # Returns the params properly merged with the oauth headers if they were given.
+          # OAuth headers take priority if a GET/POST parameter with the same name exists.
+          def oauth_merged_params
+            params.merge(signature_oauth_headers)
+          end
+      
+      # Returns any given OAuth headers as specified in http://oauth.net/core/1.0#auth_header as a hash.
+      def oauth_headers
+        @oauth_headers ||= parse_oauth_headers
+      end
+
+          # Returns the auth headers for duplicating the request signature,
+          # missing the realm variable as defined in
+          # http://oauth.net/core/1.0#signing_process
+          def signature_oauth_headers
+            o = oauth_headers.dup; o.delete(:realm); o
+          end
+            
+          # Parses the given OAuth headers into a hash. See http://oauth.net/core/1.0#auth_header for parsing method.
+          def parse_oauth_headers
+            # Pull headers and return blank hash if no header variables found
+            headers = env['AUTHORIZATION']; result = {};
+            return result unless headers  && headers[0,5] == 'OAuth'
+            # Headers found. Go ahead and match 'em
+            headers.split(/,\n*\r*/).each do |param|
+              phrase, key, value = param.match(/([A-Za-z0-9_\s]+)="([^"]+)"/).to_a.map{|v| v.strip}
+              result[(key["OAuth"])? :realm : key.to_sym] = value
+            end
+            result
+          end
+      
+
+
+      # OAuth variable accessors
+      # --------------------------------------------------------------------------------------------
+
+      # Returns the requested signature signing mechanism from the auth headers, defaulting to HMAC-SHA1
+      def signature_method
+        oauth_merged_params[:oauth_signature_method] || "HMAC-SHA1"
+      end
+      
+      # Returns the oauth_consumer_key from the Authorization header or the GET/POST params, or nil if not present.
+      def consumer_key
+        oauth_merged_params[:oauth_consumer_key]
+      end
+      
+      # Returns the oauth_token from the Authorization header or the GET/POST params, or nil if not present.
+      def token
+        oauth_merged_params[:oauth_token]
+      end
+      
+      # Returns the oauth_signature from the Authorization header or the GET/POST params, or nil if not present.
+      def signature
+        # FIXME merb keeps mangling this by replacing "+" with "\s" 
+        oauth_merged_params[:oauth_signature]
+      end
+      
+      # Returns the oauth_timestamp from the Authorization header or the GET/POST params, or nil if not present.
+      def timestamp
+        oauth_merged_params[:oauth_timestamp]
+      end
+      
+      # Returns the oauth_nonce from the Authorization header or the GET/POST params, or nil if not present.
+      def nonce
+        oauth_merged_params[:oauth_nonce]
+      end
+      
+      def callback
+        oauth_merged_params[:oauth_callback]
+      end
+      
+      # Returns the oauth_version from the Authorization header or the GET/POST params, or nil if not present, defaulting to "1.0" if not given.
+      def oauth_version
+        oauth_merged_params[:oauth_version] || "1.0"
+      end
+      
+    end
+  end
+end

data/lib/ooh-auth/slicetasks.rb

@@ -0,0 +1,18 @@
+namespace :slices do
+  namespace :ooh_auth do 
+    
+    # add your own ooh-auth tasks here
+    
+    # implement this to test for structural/code dependencies
+    # like certain directories or availability of other files
+    desc "Test for any dependencies"
+    task :preflight do
+    end
+    
+    # implement this to perform any database related setup steps
+    desc "Migrate the database"
+    task :migrate do
+    end
+    
+  end
+end

data/lib/ooh-auth/spectasks.rb

@@ -0,0 +1,65 @@
+namespace :slices do
+  namespace :ooh_auth do
+      
+    desc "Run slice specs within the host application context"
+    task :spec => [ "spec:explain", "spec:default" ]
+    
+    namespace :spec do
+      
+      slice_root = File.expand_path(File.join(File.dirname(__FILE__), '..', '..'))
+      
+      task :explain do
+        puts "\nNote: By running OohAuth specs inside the application context any\n" +
+             "overrides could break existing specs. This isn't always a problem,\n" +
+             "especially in the case of views. Use these spec tasks to check how\n" +
+             "well your application conforms to the original slice implementation."
+      end
+      
+      Spec::Rake::SpecTask.new('default') do |t|
+        t.spec_opts = ["--format", "specdoc", "--colour"]
+        t.spec_files = Dir["#{slice_root}/spec/**/*_spec.rb"].sort
+      end
+
+      desc "Run all model specs, run a spec for a specific Model with MODEL=MyModel"
+      Spec::Rake::SpecTask.new('model') do |t|
+        t.spec_opts = ["--format", "specdoc", "--colour"]
+        if(ENV['MODEL'])
+          t.spec_files = Dir["#{slice_root}/spec/models/**/#{ENV['MODEL']}_spec.rb"].sort
+        else
+          t.spec_files = Dir["#{slice_root}/spec/models/**/*_spec.rb"].sort
+        end
+      end
+
+      desc "Run all controller specs, run a spec for a specific Controller with CONTROLLER=MyController"
+      Spec::Rake::SpecTask.new('controller') do |t|
+        t.spec_opts = ["--format", "specdoc", "--colour"]
+        if(ENV['CONTROLLER'])
+          t.spec_files = Dir["#{slice_root}/spec/controllers/**/#{ENV['CONTROLLER']}_spec.rb"].sort
+        else    
+          t.spec_files = Dir["#{slice_root}/spec/controllers/**/*_spec.rb"].sort
+        end
+      end
+
+      desc "Run all view specs, run specs for a specific controller (and view) with CONTROLLER=MyController (VIEW=MyView)"
+      Spec::Rake::SpecTask.new('view') do |t|
+        t.spec_opts = ["--format", "specdoc", "--colour"]
+        if(ENV['CONTROLLER'] and ENV['VIEW'])
+          t.spec_files = Dir["#{slice_root}/spec/views/**/#{ENV['CONTROLLER']}/#{ENV['VIEW']}*_spec.rb"].sort
+        elsif(ENV['CONTROLLER'])
+          t.spec_files = Dir["#{slice_root}/spec/views/**/#{ENV['CONTROLLER']}/*_spec.rb"].sort
+        else
+          t.spec_files = Dir["#{slice_root}/spec/views/**/*_spec.rb"].sort
+        end
+      end
+
+      desc "Run all specs and output the result in html"
+      Spec::Rake::SpecTask.new('html') do |t|
+        t.spec_opts = ["--format", "html"]
+        t.libs = ['lib', 'server/lib' ]
+        t.spec_files = Dir["#{slice_root}/spec/**/*_spec.rb"].sort
+      end
+      
+    end
+    
+  end
+end

data/lib/ooh-auth/strategies/oauth.rb

@@ -0,0 +1,16 @@
+# Authentication Strategy for OohAuth's AuthenticatingClient model.
+
+class Merb::Authentication
+  module Strategies
+    class OAuth < Merb::Authentication::Strategy
+        
+        def run!
+          if request.signed? and request.token and request.consumer_key
+            return OohAuth::Token.authenticate!(request.consumer_key, request.token)
+          end
+          return nil
+        end
+              
+      end # APIToken      
+  end # Strategies
+end # MAuth

data/public/stylesheets/master.css

@@ -0,0 +1,2 @@
+html, body { margin: 0; padding: 0; }
+#container { width: 800px; margin: 4em auto; padding: 4em 4em 6em 4em; background: #DDDDDD; }

data/readme.markdown

@@ -0,0 +1,43 @@
+There's Auth, there's OAuth, and there's OohAuth.
+=================================================
+
+OohAuth extends merb-auth-more with a functionally-complete approach to OAuth, turning your merb-auth applications into full OAuth providers.
+
+OAuth at a glance:
+==================
+
+* Your users won't have to give their names and passwords to client applications
+* Your users can revoke or limit access from a particular client at any time
+* Your users do not have to give client applications everything they need to steal their account
+* Your developer community can authenticate using a solid authentication schema endorsed by [industry giants](http://google.com)
+* Resilient to both man-in-the-middle and signature replay attacks.
+
+OohAuth gives you:
+========================
+
+* Integration with merb-auth and your application's own User model
+* RESTful creation of API keys for client apps
+* RESTful creation of request and access tokens to allow client apps to authenticate on behalf of users
+* merb-auth strategies for both web-based and non web-based API authentication.
+
+It depends on:
+==============
+
+* merb-slices
+* merb-action-args
+* merb-auth-core
+* merb-auth-more
+* nokogiri (tests only)
+* ruby-hmac
+* Erb **(we need your help to get started on HAML support)**
+* datamapper **(we need your help to become ORM-agnostic)**
+
+You should read:
+================
+
+* [Why we wrote it](http://singlecell.angryamoeba.co.uk/post/62022487/the-api-antipattern-twitter-and-the-fail-whales-new)
+* [OohAuth on github](http://github.com/danski/ooh-auth)
+* [OAuth 1.0 specification](http://oauth.net/core/1.0) a hefty spec document containing instructions for authenticating with OAuth apps and more.
+* [securing.markdown](http://github.com/danski/ooh-auth/tree/master/securing.markdown), your guide to properly securing an application using OohAuth.
+* [OohAuth's bugtracker on Tails](http://www.bugtails.com/projects/171)
+

data/spec/controllers/application_spec.rb

@@ -0,0 +1,35 @@
+require File.join(File.dirname(__FILE__), '..', 'spec_helper.rb')
+
+describe OohAuth::Application do
+  
+  before :all do
+    Merb::Router.prepare { add_slice(:OohAuth) } if standalone?
+    @controller = dispatch_to(OohAuth::Public, :index)
+  end
+  
+  after :all do
+    Merb::Router.reset! if standalone?
+  end
+  
+  it "should have access to the slice module" do
+    @controller.slice.should == OohAuth
+    @controller.slice.should == OohAuth::Public.slice
+  end
+
+  it "should have helper methods for dealing with public paths" do
+    @controller.public_path_for(:image).should == "/slices/ooh-auth/images"
+    @controller.public_path_for(:javascript).should == "/slices/ooh-auth/javascripts"
+    @controller.public_path_for(:stylesheet).should == "/slices/ooh-auth/stylesheets"
+    
+    @controller.image_path.should == "/slices/ooh-auth/images"
+    @controller.javascript_path.should == "/slices/ooh-auth/javascripts"
+    @controller.stylesheet_path.should == "/slices/ooh-auth/stylesheets"
+  end
+
+  it "should have a slice-specific _template_root" do
+    OohAuth::Public._template_root.should == OohAuth.dir_for(:view)
+    OohAuth::Public._template_root.should == OohAuth::Application._template_root
+  end
+  
+  
+end