frodo 0.12.2 → 0.12.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 026c6e3af2cf841015fe7b99ab24b6025c989c39f4ecfdc34b7e2f6335be0d54
-  data.tar.gz: cff43f6fd873888c0525a032410f2e0955e40e758d4ad23b28764e6b22c19d68
+  metadata.gz: 6171a906fa516145d1ea9bbff61f771cdbf9b936ceb815071ac93390ab9775c2
+  data.tar.gz: 0f2c9b9d8d3c0311edd87b8a624ca8a6c807662a2522b3acfeffcdb29abb8b8b
 SHA512:
-  metadata.gz: 6660e988e7f76473c5e8eed25498cf4dd5fc7186da8017ae9ef7aa84a628f0f7378976c894fd292eb535a63e22d027986a4ea32858d87e6de757fc0e1ad55531
-  data.tar.gz: 46db130f68dc67d7bb74418e535a7b2cb923fbbf3126d17ec0c2fd797949f254a73c31e47ca3b09b122a5f4c51ebd015bb5ac59469966e3319c6d94316e4add0
+  metadata.gz: be855e21a2371911d083c079059cd79473826f310334e11b75bda47d9cc59d883da3649587b308bec88b1bb2a0af779cec8bc29acc5bae3532ecf84049fc8be3
+  data.tar.gz: 1de688ddb8d1695c59d29d42f92d14e1a86572d4cc2e0fd16268fe7f1a7a4bd8e56e145265aeb3b000ca4053f5ff4ac74328b20db31740053e93f03375e2fa43

data/README.md

@@ -52,7 +52,7 @@ building an application where many users from different orgs are authenticated
 through oauth and you need to interact with data in their org on their behalf,
 you should use the OAuth token authentication method.
 
-This is currently the only supported method. This may change overtime
+The "client credentials", and "password" flows are also supported.
 
 It is also important to note that the client object should not be reused across different threads, otherwise you may encounter [thread-safety issues](https://www.youtube.com/watch?v=p5zQOkyCACc).
 
@@ -98,6 +98,37 @@ The proc is passed one argument, a `Hash` of the response, similar than the one
 
 The `id` field can be used to [uniquely identify](https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-protocols-oauth-code#refreshing-the-access-tokens) the user that the `access_token` and `refresh_token` belong to.
 
+#### Client credentials authentication
+
+This should be considered experimental. At the time of this writing, it was possible to obtain an access token using this method, but it was not possible to use the access token without receiving 401 from Dynamics. Configuration is as above, but you specify `client_id`, `client_secret`, and `tenant_id`:
+
+```ruby
+client = Frodo.new({
+  instance_url: 'instance url',
+  client_id: 'client_id',
+  client_secret: 'client_secret',
+  tenant_id: 'tenant_id',
+  authentication_callback: Proc.new { |x| Rails.logger.debug x.to_s },
+  base_path: '/path/to/service'
+})
+```
+
+#### User password authentication
+
+As above, but you specify `client_id`, `tenant_id`, `username`, and `password`:
+
+```ruby
+client = Frodo.new({
+  instance_url: 'instance url',
+  client_id: 'client_id',
+  tenant_id: 'tenant_id',
+  username: 'username',
+  password: 'password',
+  authentication_callback: Proc.new { |x| Rails.logger.debug x.to_s },
+  base_path: '/path/to/service'
+})
+```
+
 ### Proxy Support
 
 You can specify a HTTP proxy using the `proxy_uri` option, as follows, or by setting the `FRODATA_PROXY_URI` environment variable:

data/lib/frodo/concerns/authentication.rb

@@ -16,8 +16,31 @@ module Frodo
       # Internal: Determines what middleware will be used based on the options provided
       def authentication_middleware
         if oauth_refresh?
-          Frodo::Middleware::Authentication::Token
+          return Frodo::Middleware::Authentication::Token
         end
+        if password?
+          return Frodo::Middleware::Authentication::Password
+        end
+        if client_credentials?
+          return Frodo::Middleware::Authentication::ClientCredentials
+        end
+      end
+
+      # Internal: Returns true if oauth password grant
+      # should be used for authentication.
+      def password?
+        options[:username] &&
+          options[:password] &&
+          options[:client_id] &&
+          options[:tenant_id]
+      end
+
+      # Internal: Returns true if oauth client_credentials flow should be used for
+      # authentication.
+      def client_credentials?
+        options[:tenant_id] &&
+          options[:client_id] &&
+          options[:client_secret]
       end
 
       # Internal: Returns true if oauth token refresh flow should be used for

data/lib/frodo/concerns/base.rb

@@ -24,7 +24,12 @@ module Frodo
       #
       #        :client_id               - The oauth client id to use. Needed for both
       #                                   password and oauth authentication
-      #        :client_secret           - The oauth client secret to use.
+      #        :client_secret           - The oauth client secret to use. Required for
+      #                                   client_credentials auth flow
+      #        :tenant_id               - The Azure AD tenant id. Required for
+      #                                   client_credentials and password auth flows
+      #        :username                - User's dynamics username for password auth flow
+      #        :password                - User's dynamics password for password auth flow
       #
       #        :host                    - The String hostname to use during
       #                                   authentication requests

data/lib/frodo/middleware/authentication/client_credentials.rb

@@ -0,0 +1,10 @@
+module Frodo
+  # Authentication middleware used if client_id, client_secret, and client_credentials: true are set
+  class Middleware::Authentication::ClientCredentials < Frodo::Middleware::Authentication
+    def params
+      { grant_type: 'client_credentials',
+        client_id: @options[:client_id],
+        client_secret: @options[:client_secret] }
+    end
+  end
+end

data/lib/frodo/middleware/authentication/password.rb

@@ -0,0 +1,13 @@
+module Frodo
+  # Authentication middleware used if client_id, client_secret, and client_credentials: true are set
+  class Middleware::Authentication::Password < Frodo::Middleware::Authentication
+    def params
+      { grant_type: 'password',
+        client_id: @options[:client_id],
+        username: @options[:username],
+        password: @options[:password],
+        resource: @options[:instance_url],
+      }
+    end
+  end
+end

data/lib/frodo/middleware/authentication.rb

@@ -6,7 +6,9 @@ module Frodo
   # will attempt to either reauthenticate (username and password) or refresh
   # the oauth access token (if a refresh token is present).
   class Middleware::Authentication < Frodo::Middleware
-    autoload :Token,    'frodo/middleware/authentication/token'
+    autoload :Token, 'frodo/middleware/authentication/token'
+    autoload :ClientCredentials, 'frodo/middleware/authentication/client_credentials'
+    autoload :Password, 'frodo/middleware/authentication/password'
 
     # Rescue from 401's, authenticate then raise the error again so the client
     # can reissue the request.
@@ -19,7 +21,7 @@ module Frodo
 
     # Internal: Performs the authentication and returns the response body.
     def authenticate!
-      response = connection.post '/common/oauth2/token' do |req|
+      response = connection.post token_endpoint do |req|
         req.body = encode_www_form(params)
       end
 
@@ -29,8 +31,8 @@ module Frodo
         raise Frodo::AuthenticationError, error_message(response)
       end
 
-      @options[:oauth_token]  = response.body['access_token']
-      @options[:refresh_token]  = response.body['refresh_token']
+      @options[:oauth_token] = response.body['access_token']
+      @options[:refresh_token] = response.body['refresh_token']
       @options[:authentication_callback]&.call(response.body)
 
       response.body
@@ -83,5 +85,9 @@ module Frodo
         proxy: @options[:proxy_uri],
         ssl: @options[:ssl] }
     end
+
+    def token_endpoint
+      "/#{@options[:tenant_id] || 'common'}/oauth2/token"
+    end
   end
 end

data/lib/frodo/version.rb

@@ -1,3 +1,3 @@
 module Frodo
-  VERSION = '0.12.2'
+  VERSION = '0.12.4'
 end

data/spec/fixtures/client_credentials_auth_success_response.json

@@ -0,0 +1,9 @@
+{
+    "token_type": "Bearer",
+    "expires_in": "3600",
+    "ext_expires_in": "3600",
+    "expires_on": "1573802322",
+    "not_before": "1573798422",
+    "resource": "00000002-0000-0000-c000-000000000000",
+    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsI"
+}

data/spec/fixtures/client_credentials_refresh_error_response.json

@@ -0,0 +1,9 @@
+{
+    "error":"invalid_client",
+    "error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: c95cc528-b2ca-4eef-9030-b4039aeb0500\r\nCorrelation ID: dee56428-96b1-471a-a666-2d45560df657\r\nTimestamp: 2019-11-15 06:26:46Z",
+    "error_codes":[7000215],
+    "timestamp":"2019-11-15 06:26:46Z",
+    "trace_id":"c95cc528-b2ca-4eef-9030-b4039aeb0500",
+    "correlation_id":"dee56428-96b1-471a-a666-2d45560df657",
+    "error_uri":"https://login.microsoftonline.com/error?code=7000215"
+}

data/spec/fixtures/password_auth_failure_response.json

@@ -0,0 +1,11 @@
+{
+    "error": "invalid_grant",
+    "error_description": "AADSTS50126: Invalid username or password.\r\nTrace ID: 4f54f595-fd1f-4edf-8990-a08bb24e6600\r\nCorrelation ID: 54c414ed-ffc7-4187-871a-df2a6896bc8b\r\nTimestamp: 2019-11-15 18:43:57Z",
+    "error_codes": [
+        50126
+    ],
+    "timestamp": "2019-11-15 18:43:57Z",
+    "trace_id": "4f54f595-fd1f-4edf-8990-a08bb24e6600",
+    "correlation_id": "54c414ed-ffc7-4187-871a-df2a6896bc8b",
+    "error_uri": "https://login.microsoftonline.com/error?code=50126"
+}

data/spec/fixtures/password_auth_success_response.json

@@ -0,0 +1,11 @@
+{
+    "token_type": "Bearer",
+    "scope": "user_impersonation",
+    "expires_in": "3599",
+    "ext_expires_in": "3599",
+    "expires_on": "1573846156",
+    "not_before": "1573842256",
+    "resource": "https://getoutreach.crm.dynamics.com",
+    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOi",
+    "refresh_token": "AQABAAAAAACQN9QBRU3jT6bcBQLZ"
+}

data/spec/frodo/concerns/authentication_spec.rb

@@ -50,7 +50,36 @@ describe Frodo::Concerns::Authentication do
         expect(client).to receive(:oauth_refresh?).and_return(true)
       end
 
-    it { should eq Frodo::Middleware::Authentication::Token }
+      it { should eq Frodo::Middleware::Authentication::Token }
+    end
+
+    context 'when client_credentials options are provided' do
+      before do
+        expect(client).to receive(:oauth_refresh?).and_return(false)
+        expect(client).to receive(:client_credentials?).and_return(true)
+      end
+
+      it { should eq Frodo::Middleware::Authentication::ClientCredentials }
+    end
+
+    context 'when password options are provided' do
+      before do
+        allow(client).to receive(:oauth_refresh?).and_return(false)
+        allow(client).to receive(:client_credentials?).and_return(false)
+        allow(client).to receive(:password?).and_return(true)
+      end
+
+      it { should eq Frodo::Middleware::Authentication::Password }
+    end
+
+    context 'when no auth options are provided' do
+      before do
+        expect(client).to receive(:oauth_refresh?).and_return(false)
+        expect(client).to receive(:password?).and_return(false)
+        expect(client).to receive(:client_credentials?).and_return(false)
+      end
+
+      it { should be_falsy }
     end
   end
 
@@ -76,4 +105,52 @@ describe Frodo::Concerns::Authentication do
       it { should_not be_truthy }
     end
   end
+
+  describe '.client_credentials?' do
+    subject       { client.client_credentials? }
+    let(:options) { {} }
+
+    before do
+      expect(client).to receive(:options).and_return(options).at_least(1).times
+    end
+
+    context 'when oauth options are provided' do
+      let(:options) do
+        { tenant_id: 'tenant',
+          client_id: 'client',
+          client_secret: 'secret' }
+      end
+
+      it { should be_truthy}
+    end
+
+    context 'when oauth options are not provided' do
+      it { should_not be_truthy }
+    end
+  end
+
+  describe '.password?' do
+    subject { client.password? }
+    let(:options) { {} }
+
+    before do
+      expect(client).to receive(:options).and_return(options).at_least(1).times
+    end
+
+    context 'when oauth options are provided' do
+      let(:options) do
+        { tenant_id: 'tenant',
+          client_id: 'client',
+          username: 'username',
+          password: 'password',
+        }
+      end
+
+      it { should be_truthy}
+    end
+
+    context 'when oauth options are not provided' do
+      it { should_not be_truthy }
+    end
+  end
 end

data/spec/frodo/middleware/authentication/client_credentials_spec.rb

@@ -0,0 +1,87 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'webmock/rspec'
+
+describe Frodo::Middleware::Authentication::ClientCredentials do
+  include WebMock::API
+
+  describe 'authentication middleware' do
+    let(:options) do
+      { client_id: 'client_id',
+        client_secret: 'client_secret',
+        tenant_id: 'tenant_id',
+        adapter: :net_http,
+        host: 'login.window.net'
+      }
+    end
+
+      let(:success_request) do
+        stub_request(:post, "https://login.window.net/tenant_id/oauth2/token").with(
+          body: "grant_type=client_credentials&" \
+                   "client_id=client_id&client_secret=client_secret"
+        ).to_return(status: 200, body: fixture("client_credentials_auth_success_response"))
+      end
+
+      let(:fail_request) do
+        stub_request(:post, "https://login.window.net/tenant_id/oauth2/token").with(
+          body: "grant_type=client_credentials&" \
+                   "client_id=client_id&client_secret=client_secret"
+        ).to_return(status: 400, body: fixture("client_credentials_refresh_error_response"))
+      end
+
+    describe '.authenticate!' do
+      context 'when successful' do
+        let!(:request) { success_request }
+
+        describe '@options' do
+          subject { options }
+
+          before do
+            middleware.authenticate!
+          end
+
+          it { expect(subject[:host]).to eq 'login.window.net' }
+
+          it { expect(subject[:oauth_token]).to eq "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsI" }
+
+          it { expect(subject[:refresh_token]).to be_nil }
+        end
+
+        context 'when an authentication_callback is specified' do
+          before(:each) do
+            options.merge!(authentication_callback: auth_callback)
+          end
+
+          it 'calls the authentication callback with the response body' do
+            expect(auth_callback).to receive(:call)
+            middleware.authenticate!
+          end
+        end
+      end
+
+      context 'when unsuccessful' do
+        let!(:request) { fail_request }
+
+        it 'raises an exception' do
+          expect {
+            middleware.authenticate!
+          }.to raise_error Frodo::AuthenticationError
+        end
+
+        context 'when an authentication_callback is specified' do
+          before(:each) do
+            options.merge!(authentication_callback: auth_callback)
+          end
+
+          it 'does not call the authentication callback' do
+            expect(auth_callback).to_not receive(:call)
+            expect do
+              middleware.authenticate!
+            end.to raise_error(Frodo::AuthenticationError)
+          end
+        end
+      end
+    end
+  end
+end

data/spec/frodo/middleware/authentication/password_spec.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+require 'webmock/rspec'
+
+describe Frodo::Middleware::Authentication::Password do
+  include WebMock::API
+
+  describe 'authentication middleware' do
+    let(:options) do
+      { client_id: 'client_id',
+        tenant_id: 'tenant_foo_id',
+        username: 'username',
+        password: 'password',
+        adapter: :net_http,
+        host: 'login.window.net',
+        instance_url: "https://endpoint.example.com",
+      }
+    end
+
+      let(:success_request) do
+        stub_request(:post, "https://login.window.net/#{options[:tenant_id]}/oauth2/token").with(
+          body: {
+            "client_id"=>options[:client_id], "grant_type"=>"password", "password"=>options[:password],
+            "resource"=>options[:instance_url], "username"=>options[:username]
+          },
+        ).to_return(status: 200, body: fixture("password_auth_success_response"))
+      end
+
+      let(:fail_request) do
+        stub_request(:post, "https://login.window.net/#{options[:tenant_id]}/oauth2/token").with(
+          body: {
+            "client_id"=>options[:client_id], "grant_type"=>"password", "password"=>options[:password],
+            "resource"=>options[:instance_url], "username"=>options[:username]
+          },
+        ).to_return(status: 400, body: fixture("password_auth_failure_response"))
+      end
+
+    describe '.authenticate!' do
+      context 'when successful' do
+        let!(:request) { success_request }
+
+        describe '@options' do
+          subject { options }
+
+          before do
+            middleware.authenticate!
+          end
+
+          it { expect(subject[:host]).to eq 'login.window.net' }
+
+          it { expect(subject[:oauth_token]).to eq "eyJ0eXAiOiJKV1QiLCJhbGciOi" }
+
+          it { expect(subject[:refresh_token]).to eq 'AQABAAAAAACQN9QBRU3jT6bcBQLZ' }
+        end
+
+        context 'when an authentication_callback is specified' do
+          before(:each) do
+            options.merge!(authentication_callback: auth_callback)
+          end
+
+          it 'calls the authentication callback with the response body' do
+            expect(auth_callback).to receive(:call)
+            middleware.authenticate!
+          end
+        end
+      end
+
+      context 'when unsuccessful' do
+        let!(:request) { fail_request }
+
+        it 'raises an exception' do
+          expect {
+            middleware.authenticate!
+          }.to raise_error Frodo::AuthenticationError
+        end
+
+        context 'when an authentication_callback is specified' do
+          before(:each) do
+            options.merge!(authentication_callback: auth_callback)
+          end
+
+          it 'does not call the authentication callback' do
+            expect(auth_callback).to_not receive(:call)
+            expect do
+              middleware.authenticate!
+            end.to raise_error(Frodo::AuthenticationError)
+          end
+        end
+      end
+    end
+  end
+end

data/spec/frodo/middleware/authentication/token_spec.rb

@@ -78,7 +78,7 @@ describe Frodo::Middleware::Authentication::Token do
             expect(auth_callback).to_not receive(:call)
             expect do
               middleware.authenticate!
-            end.to raise_error
+            end.to raise_error(Frodo::AuthenticationError)
           end
         end
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: frodo
 version: !ruby/object:Gem::Version
-  version: 0.12.2
+  version: 0.12.4
 platform: ruby
 authors:
 - Emmanuel Pinault
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-11-14 00:00:00.000000000 Z
+date: 2019-11-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: nokogiri
@@ -250,6 +250,8 @@ files:
 - lib/frodo/entity_set.rb
 - lib/frodo/middleware.rb
 - lib/frodo/middleware/authentication.rb
+- lib/frodo/middleware/authentication/client_credentials.rb
+- lib/frodo/middleware/authentication/password.rb
 - lib/frodo/middleware/authentication/token.rb
 - lib/frodo/middleware/authorization.rb
 - lib/frodo/middleware/caching.rb
@@ -302,6 +304,8 @@ files:
 - lib/frodo/service_registry.rb
 - lib/frodo/version.rb
 - spec/fixtures/auth_success_response.json
+- spec/fixtures/client_credentials_auth_success_response.json
+- spec/fixtures/client_credentials_refresh_error_response.json
 - spec/fixtures/error.json
 - spec/fixtures/files/entity_to_xml.xml
 - spec/fixtures/files/error.xml
@@ -315,6 +319,8 @@ files:
 - spec/fixtures/files/supplier_0.json
 - spec/fixtures/files/supplier_0.xml
 - spec/fixtures/leads.json
+- spec/fixtures/password_auth_failure_response.json
+- spec/fixtures/password_auth_success_response.json
 - spec/fixtures/refresh_error_response.json
 - spec/frodo/abstract_client_spec.rb
 - spec/frodo/client_spec.rb
@@ -328,6 +334,8 @@ files:
 - spec/frodo/entity_container_spec.rb
 - spec/frodo/entity_set_spec.rb
 - spec/frodo/entity_spec.rb
+- spec/frodo/middleware/authentication/client_credentials_spec.rb
+- spec/frodo/middleware/authentication/password_spec.rb
 - spec/frodo/middleware/authentication/token_spec.rb
 - spec/frodo/middleware/authentication_spec.rb
 - spec/frodo/middleware/authorization_spec.rb
@@ -396,6 +404,8 @@ specification_version: 4
 summary: Simple OData library
 test_files:
 - spec/fixtures/auth_success_response.json
+- spec/fixtures/client_credentials_auth_success_response.json
+- spec/fixtures/client_credentials_refresh_error_response.json
 - spec/fixtures/error.json
 - spec/fixtures/files/entity_to_xml.xml
 - spec/fixtures/files/error.xml
@@ -409,6 +419,8 @@ test_files:
 - spec/fixtures/files/supplier_0.json
 - spec/fixtures/files/supplier_0.xml
 - spec/fixtures/leads.json
+- spec/fixtures/password_auth_failure_response.json
+- spec/fixtures/password_auth_success_response.json
 - spec/fixtures/refresh_error_response.json
 - spec/frodo/abstract_client_spec.rb
 - spec/frodo/client_spec.rb
@@ -422,6 +434,8 @@ test_files:
 - spec/frodo/entity_container_spec.rb
 - spec/frodo/entity_set_spec.rb
 - spec/frodo/entity_spec.rb
+- spec/frodo/middleware/authentication/client_credentials_spec.rb
+- spec/frodo/middleware/authentication/password_spec.rb
 - spec/frodo/middleware/authentication/token_spec.rb
 - spec/frodo/middleware/authentication_spec.rb
 - spec/frodo/middleware/authorization_spec.rb