danski-ooh-auth 0.1.2

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2008 Dan Glegg
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,58 @@
+require 'rubygems'
+require 'rake/gempackagetask'
+
+require 'merb-core'
+require 'merb-core/tasks/merb'
+
+require 'spec/rake/spectask'
+require 'merb-core/test/tasks/spectasks'
+require 'merb_datamapper/merbtasks'
+
+desc 'Default: run spec examples'
+task :default => 'spec'
+
+
+GEM_NAME = "ooh-auth"
+AUTHOR = "Dan Glegg"
+EMAIL = "dan@angryamoeba.co.uk"
+HOMEPAGE = "http://github.com/danski/ooh-auth"
+SUMMARY = "Merb Slice that provides RESTful authentication functionality for your application."
+GEM_VERSION = "0.1.2"
+
+spec = Gem::Specification.new do |s|
+  s.rubyforge_project = 'merb'
+  s.name = GEM_NAME
+  s.version = GEM_VERSION
+  s.platform = Gem::Platform::RUBY
+  s.has_rdoc = true
+  s.extra_rdoc_files = ["README", "LICENSE", 'TODO']
+  s.summary = SUMMARY
+  s.description = s.summary
+  s.author = AUTHOR
+  s.email = EMAIL
+  s.homepage = HOMEPAGE
+  s.add_dependency('merb-slices', '>= 0.9.10')
+  s.require_path = 'lib'
+  s.files = %w(LICENSE README Rakefile TODO) + Dir.glob("{lib,spec,app,public,stubs}/**/*")
+end
+
+Rake::GemPackageTask.new(spec) do |pkg|
+  pkg.gem_spec = spec
+end
+
+desc "Install the gem"
+task :install do
+  Merb::RakeHelper.install(GEM_NAME, :version => GEM_VERSION)
+end
+
+desc "Uninstall the gem"
+task :uninstall do
+  Merb::RakeHelper.uninstall(GEM_NAME, :version => GEM_VERSION)
+end
+
+desc "Create a gemspec file"
+task :gemspec do
+  File.open("#{GEM_NAME}.gemspec", "w") do |file|
+    file.puts spec.to_ruby
+  end
+end

data/app/controllers/application.rb

@@ -0,0 +1,16 @@
+class OohAuth::Application < Merb::Controller
+  
+  controller_for_slice
+  
+  private
+  def user_class
+    Merb::Authentication.user_class
+  end  
+
+  # Can be removed once http://merb.lighthouseapp.com/projects/7433/tickets/956-patch-add-message-support
+  # is merged.
+  def message=(arg)
+    @_message = arg
+  end
+  
+end

data/app/controllers/authenticating_clients.rb

@@ -0,0 +1,60 @@
+class OohAuth::AuthenticatingClients < OohAuth::Application
+  
+  before :ensure_authenticated, :exclude=>[:index]
+  only_provides :html
+
+  def index
+    @authenticating_clients = OohAuth::AuthenticatingClient.find_for_user(session.user)
+    render :index
+  end
+
+  def show(id)
+    @authenticating_client = OohAuth::AuthenticatingClient.get(id)
+    raise NotFound unless @authenticating_client and @authenticating_client.editable_by?(session.user)
+    display @authenticating_client, :show
+  end
+
+  def new
+    @authenticating_client = OohAuth::AuthenticatingClient.new
+    display @authenticating_client
+  end
+
+  def create(authenticating_client)
+    @authenticating_client = OohAuth::AuthenticatingClient.new_for_user(session.user, authenticating_client)
+    if @authenticating_client.save
+      headers['Location'] = slice_url(:authenticating_client, @authenticating_client)
+      render :show, :status=>201
+    else
+      message[:error] = "There were problems creating the Application."
+      render :new
+    end
+  end
+
+  def edit(id)
+    @authenticating_client = OohAuth::AuthenticatingClient.get(id)
+    raise NotFound unless @authenticating_client and @authenticating_client.editable_by?(session.user)
+    display @authenticating_client, :edit
+  end
+
+  def update(id, authenticating_client)
+    @authenticating_client = OohAuth::AuthenticatingClient.get(id)
+    raise NotFound unless @authenticating_client and @authenticating_client.editable_by?(session.user)
+    if @authenticating_client.update_attributes(authenticating_client)
+      message[:success] = "Application updated successfully!"
+      redirect slice_url(:authenticating_client, @authenticating_client)
+    else
+      display @authenticating_client, :edit
+    end
+  end
+
+  def destroy(id)
+    @authenticating_client = OohAuth::AuthenticatingClient.get(id)
+    raise NotFound unless @authenticating_client and @authenticating_client.editable_by?(session.user)
+    if @authenticating_client.destroy
+      redirect slice_url(:authenticating_clients)
+    else
+      raise InternalServerError
+    end
+  end
+
+end # OohAuth::AuthenticatingClients

data/app/controllers/tokens.rb

@@ -0,0 +1,94 @@
+=begin
+OohAuth::Tokens
+
+This controller is intended to allow applications to authenticate on behalf of a user. 
+Applications follow a set process as shown in authenticating.markdown, in which a number of background 
+requests are made to the host application while the user is run through a short process in which they
+specify which privileges to give to the authenticating client, and how long to give them for.
+
+The Authentications controller provides a relatively opaque interface to 
+users and authenticating clients compared to other resource controllers. Most of the views provide only HTML
+representations as they not only are intended for human interaction, but specifically require it.
+=end
+
+require 'net/http'
+
+class OohAuth::Tokens < OohAuth::Application
+
+  # Define other formats
+  provides :js, :xml, :yaml
+
+  # The index and new actions require a signed request.
+  before :ensure_signed,                    :only=>[:index]
+  # All other actions require that the user be authenticated directly, rather than through the api.
+  before :forbid_authentication_with_oauth, :exclude=>[:index]
+  
+  # Main action used for starting the authorisation process (desktop clients) and finishing it (web clients)
+  def index
+    raise NotAcceptable unless @authenticating_client = request.authenticating_client
+    if @token = request.authentication_token
+      # If client and request key, give the activated token if it was activated.
+      raise NotAcceptable unless @token.authenticating_client == @authenticating_client
+    else
+      # Generate a request key
+      @token = OohAuth::Token.create_request_key(@authenticating_client)
+    end
+    # # Okay, no error raised. Gogo render.
+    display @token, :show, :layout=>false
+  end
+
+  def new
+    only_provides :html
+    unless (@token = OohAuth::Token.first(:token_key=>request.token) and
+            @authenticating_client = @token.authenticating_client)
+      raise NotAcceptable 
+    end
+    display @token, :new
+  end
+
+  # Activates an authentication receipt, converting it into a token the authenticating client can use in future requests.
+  def create(token)
+    only_provides :html
+    commit = (params[:commit]=="allow") # Did they click the allow or the deny button? ENQUIRING MINDS NEED TO KNOW!
+    raise NotFound unless @token = OohAuth::Token.get_token(request.token) # The oauth_token is now in the post body.
+    raise NotFound unless @authenticating_client = @token.authenticating_client # Stop right there, criminal scum.
+        
+    @activated = @token.activate!(session.user, token[:expires], token[:permissions]) if commit
+    redirect("#{request.callback}#{(request.callback["?"])? "&" : "?"}oauth_token=#{@token.token_key}") if commit and request.callback # the callback is in the post body        
+    display @token, :create
+  end
+  
+  #def show(id)
+  #  @token = ::Authentication.get(id)
+  #  raise NotFound unless @token
+  #  display @token
+  #end
+  #
+  #def edit(id)
+  #  only_provides :html
+  #  @token = OohAuth::Token.get(id)
+  #  raise NotFound unless @token
+  #  display @token
+  #end
+  #
+  #def update(id, token)
+  #  @token = OohAuth::Token.get(id)
+  #  raise NotFound unless @token
+  #  if @token.update_attributes(authentication)
+  #     redirect slice_url(:tokens, @token)
+  #  else
+  #    display @token, :edit
+  #  end
+  #end
+  #
+  #def destroy(id)
+  #  @token = OohAuth::Token.get(id)
+  #  raise NotFound unless @token
+  #  if @token.destroy
+  #    redirect slice_url(:tokens)
+  #  else
+  #    raise InternalServerError
+  #  end
+  #end
+
+end # OohAuth::Tokens

data/app/helpers/application_helper.rb

@@ -0,0 +1,64 @@
+module Merb
+  module OohAuth
+    module ApplicationHelper
+      
+      # @param *segments<Array[#to_s]> Path segments to append.
+      #
+      # @return <String> 
+      #  A path relative to the public directory, with added segments.
+      def image_path(*segments)
+        public_path_for(:image, *segments)
+      end
+      
+      # @param *segments<Array[#to_s]> Path segments to append.
+      #
+      # @return <String> 
+      #  A path relative to the public directory, with added segments.
+      def javascript_path(*segments)
+        public_path_for(:javascript, *segments)
+      end
+      
+      # @param *segments<Array[#to_s]> Path segments to append.
+      #
+      # @return <String> 
+      #  A path relative to the public directory, with added segments.
+      def stylesheet_path(*segments)
+        public_path_for(:stylesheet, *segments)
+      end
+      
+      # Construct a path relative to the public directory
+      # 
+      # @param <Symbol> The type of component.
+      # @param *segments<Array[#to_s]> Path segments to append.
+      #
+      # @return <String> 
+      #  A path relative to the public directory, with added segments.
+      def public_path_for(type, *segments)
+        ::OohAuth.public_path_for(type, *segments)
+      end
+      
+      # Construct an app-level path.
+      # 
+      # @param <Symbol> The type of component.
+      # @param *segments<Array[#to_s]> Path segments to append.
+      #
+      # @return <String> 
+      #  A path within the host application, with added segments.
+      def app_path_for(type, *segments)
+        ::OohAuth.app_path_for(type, *segments)
+      end
+      
+      # Construct a slice-level path.
+      # 
+      # @param <Symbol> The type of component.
+      # @param *segments<Array[#to_s]> Path segments to append.
+      #
+      # @return <String> 
+      #  A path within the slice source (Gem), with added segments.
+      def slice_path_for(type, *segments)
+        ::OohAuth.slice_path_for(type, *segments)
+      end
+      
+    end
+  end
+end

data/app/helpers/authenticating_clients_helper.rb

@@ -0,0 +1,5 @@
+module Merb
+  module AuthenticatingClientsHelper
+
+  end
+end # Merb

data/app/helpers/authentications_helper.rb

@@ -0,0 +1,5 @@
+module Merb
+  module AuthenticationsHelper
+
+  end
+end # Merb

data/app/models/authenticating_client.rb

@@ -0,0 +1,12 @@
+path = File.expand_path(File.dirname(__FILE__)) / "authenticating_client"
+if defined?(DataMapper)
+  require path / "dm_authenticating_client"
+#elsif defined?(ActiveRecord)
+#  require path / "ar_password_reset"
+#elsif defined?(Sequel)
+#  require path / "sq_password_reset"
+#elsif defined?(RelaxDB)
+#  require path / "relaxdb_password_reset"
+else
+  raise RuntimeError, "Datamapper is a dependency of the slice at this time."
+end

data/app/models/authenticating_client/dm_authenticating_client.rb

@@ -0,0 +1,71 @@
+=begin
+OohAuth::AuthenticatingClient
+========================================================================================
+An authenticating client is an external application which wants to use your application's public API while authenticated as one of your users.
+=end
+
+class OohAuth::AuthenticatingClient
+  include DataMapper::Resource
+  
+  # Key it
+  property :id,             Serial
+  # The registration will belong to a user, who will be able to edit the client properties.
+  property :user_id,        Integer,  :writer => :protected
+  # Timestamp it
+  property :created_at,     DateTime
+   
+  # Used by all type of authenticating apps                         
+  property :name,           String      # e.g. "Mobilator PRO"
+  property :web_url,        URI         # e.g. "http://mobilator.portionator.net"
+  property :api_key,        String, :index=>true # the unique key for this application.
+  property :secret,         String      # the secret which will NEVER be transmitted during the authentication procedure. Used only to sign requests.
+  property :kind,           String      # e.g  "desktop", "web", "mobile"
+
+  validates_present     :name, :web_url, :api_key, :secret, :kind
+  validates_is_unique   :name
+  validates_is_unique   :api_key
+  validates_with_method :kind, :valid_kind?
+  
+  before :valid?, :generate_keys_if_not_present
+  
+  def self.new_for_user(user, attrs)
+    o = new(attrs)
+    o.user = user
+    return o
+  end
+  
+  def self.find_for_user(user)
+    return [] unless user
+    return all(:user_id=>user.id)
+  end
+  
+  def is_webapp?
+    self.kind == "web"
+  end
+  
+  def generate_keys_if_not_present
+    api_key_length = 15
+    while self.api_key.blank? or self.class.first(:id.not=>id, :api_key=>self.api_key) do
+      self.api_key = OohAuth::KeyGenerators::Alphanum.gen(api_key_length)
+      api_key_length += 1
+    end
+    self.secret = OohAuth::KeyGenerators::Alphanum.gen(40) if secret.blank?
+  end
+  
+  def valid_kind?
+    if OohAuth[:client_kinds].include?(self.kind)
+      return true
+    else
+      return false, "illegal kind"
+    end
+  end
+  
+  def user=(user)
+    self.user_id = user.id
+  end
+  
+  def editable_by?(user)
+    user.id == self.user_id
+  end
+  
+end # OohAuth::AuthenticatingClient

data/app/models/token.rb

@@ -0,0 +1,12 @@
+path = File.expand_path(File.dirname(__FILE__)) / "token"
+if defined?(DataMapper)
+  require path / "dm_token"
+#elsif defined?(ActiveRecord)
+#  require path / "ar_password_reset"
+#elsif defined?(Sequel)
+#  require path / "sq_password_reset"
+#elsif defined?(RelaxDB)
+#  require path / "relaxdb_password_reset"
+else
+  raise RuntimeError, "Datamapper is a dependency of the slice at this time."
+end

data/app/models/token/dm_token.rb

@@ -0,0 +1,150 @@
+=begin
+ Token model
+ 
+ A token is a stored authorisation allowing an authenticating client to:
+ 
+  1. Get a *request key*. This is done by creating an unactivated token belonging to the authenticating client which has a _request key_.
+  2. *Request access*. This is done by directing the user to a URL unique to the given request key, presenting them with a form.
+     The user must be logged in through direct means in order to grant access.
+  3. Getting an *access key* which is a property of the now-activated token.
+  
+=end
+
+class OohAuth::Token
+  include DataMapper::Resource
+  
+  property  :id,                        Serial
+  property  :user_id,                   Integer,  :writer=>:protected
+  property  :authenticating_client_id,  Integer,  :writer=>:protected
+  
+  # Expiry date will always be respected. You cannot authenticate using an expired token, and nor can you
+  # convert an expired request key into an access key.
+  property  :expires,       DateTime
+  property  :created_at,    DateTime
+  property  :permissions,   String
+  
+  property  :token_key,     String,   :writer=>:private, :index=>true
+  property  :activated,     Boolean,  :writer=>:private, :index=>true, :default=>false
+  property  :secret,        String,   :writer=>:private
+  
+  validates_is_unique     :token_key
+  validates_present       :secret
+  validates_present       :authenticating_client
+  validates_with_method   :permissions, :permissions_valid?
+  
+  belongs_to :authenticating_client, :class_name=>"OohAuth::AuthenticatingClient", :child_key=>[:authenticating_client_id]
+  belongs_to :user, :class_name=>Merb::Authentication.user_class.to_s, :child_key=>[:user_id]
+  
+  before :valid?, :create_token_key_if_not_present
+  before :valid?, :create_secret_if_not_present
+  
+  # Authenticates a client on behalf of a user given the API parameters sent by the client
+  # in the given API request. Returns the user on successful authentication, or false in
+  # the event of a failure to authenticate. If the user was since deleted, NIL will be
+  # returned.
+  def self.authenticate!(consumer_key, access_key)
+    auth = first('authenticating_client.api_key'=>consumer_key, :token_key=>access_key, :activated=>true, :expires.gt=>DateTime.now)
+    return (auth)? auth.user : nil
+  end
+  
+  # FIXME the relationship helper should be sorting this. Something to do with the variable class.
+  def user
+    Merb::Authentication.user_class.get(user_id)
+  end
+  
+  # Tentatively create a request_key for a given client, not yet tied to a user.
+  def self.create_request_key(authenticating_client, expires=1.hour.since)
+    o = new(:authenticating_client=>authenticating_client, :expires=>expires)
+    o.save or raise RuntimeError, "OAuth request key failed to save with errors: #{o.errors.inspect}"
+    o
+  end
+  
+  # Fetch a request_key given the request_key code
+  def self.get_request_key_for_client(client, request_key)
+    first :token_key=>request_key, :authenticating_client_id=>client.id, :expires.gt=>DateTime.now, :activated=>false
+  end
+  
+  def self.get_token(token)
+    first :token_key=>token
+  end
+  
+  # Make this Authentication object active by generating an access key against it.
+  # You may optionally specify a new expiry date/time for the access key.
+  def activate!(with_user, expire_on=nil, permissions=nil)
+    if authenticating_client and with_user
+      self.activated = true
+      self.expires = (expire_on || 1.year.since)
+      self.permissions = (permissions || OohAuth[:default_permissions])
+      self.user_id = with_user.id
+      generate_token_key!
+      return save
+    else
+      return false
+    end
+  end
+  
+  # Checks to see if this Authentication is activated - if there is an access key defined, then
+  # true is returned.
+  #def activated?
+  #  ac
+  #end
+  
+  # Assigns a valid, unique request_key to the object if one is not already defined.  
+  def create_token_key_if_not_present
+    generate_token_key! if token_key.blank?
+  end
+  
+  def create_secret_if_not_present
+    self.secret ||= OohAuth::KeyGenerators::Alphanum.gen(30)
+  end
+    
+  # Generates a valid, unique access_key which the client can use to authenticate with in future,
+  # and applies it to the object.
+  def generate_token_key!
+    while (token_key.blank? or self.class.first(:token_key=>token_key)) do
+      self.token_key = OohAuth::KeyGenerators::Alphanum.gen(30)
+    end
+  end
+  
+  # Returns true if the given user is the owner of this object.
+  def editable_by_user?(user)
+    return user.id == user_id
+  end
+  
+  # Returns the permissions for this particular token, or the :default_permissions if not set.
+  def permissions
+    attribute_get(:permissions) or OohAuth[:default_permissions]
+  end
+  
+  # Returns true if the set permissions are a valid value according to the keys of the slice's :client_permission_levels hash.
+  def permissions_valid?
+    OohAuth[:client_permission_levels].keys.include?(permissions.to_sym)
+  end
+  
+  # Transformation - returns a hash representing this object, ready to be converted to XML, JSON or YAML.
+  def to_hash
+    if activated?
+      {
+        :access_key=>{
+          :token=>token_key,
+          :secret=>secret,
+          :expires=>expires
+        }
+      }
+    else
+      {
+        :request_key=>{
+          :token=>token_key,
+          :secret=>secret,
+          :expires=>expires
+        }
+      }      
+    end
+  end
+  # FIXME why is to_xml not available?
+  def to_xml;   (activated?)? "<access-key><token>#{token_key}</token><secret>#{secret}</secret><expires>#{expires}</expires></access-key>" : "<request-key><token>#{token_key}</token><secret>#{secret}</secret><expires>#{expires}</expires></request-key>"; end
+  def to_json;  to_hash.to_json; end
+  def to_yaml;  to_hash.to_yaml; end
+  
+  
+end