googleauth 0.1.0 → 0.16.1

data/lib/googleauth/signet.rb

@@ -27,36 +27,97 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-require 'signet/oauth_2/client'
+require "signet/oauth_2/client"
 
 module Signet
   # OAuth2 supports OAuth2 authentication.
   module OAuth2
-    AUTH_METADATA_KEY = :Authorization
+    AUTH_METADATA_KEY = :authorization
     # Signet::OAuth2::Client creates an OAuth2 client
     #
     # This reopens Client to add #apply and #apply! methods which update a
     # hash with the fetched authentication token.
     class Client
+      def configure_connection options
+        @connection_info =
+          options[:connection_builder] || options[:default_connection]
+        self
+      end
+
       # Updates a_hash updated with the authentication token
-      def apply!(a_hash, opts = {})
+      def apply! a_hash, opts = {}
         # fetch the access token there is currently not one, or if the client
         # has expired
-        fetch_access_token!(opts) if access_token.nil? || expired?
-        a_hash[AUTH_METADATA_KEY] = "Bearer #{access_token}"
+        token_type = target_audience ? :id_token : :access_token
+        fetch_access_token! opts if send(token_type).nil? || expires_within?(60)
+        a_hash[AUTH_METADATA_KEY] = "Bearer #{send token_type}"
       end
 
       # Returns a clone of a_hash updated with the authentication token
-      def apply(a_hash, opts = {})
+      def apply a_hash, opts = {}
         a_copy = a_hash.clone
-        apply!(a_copy, opts)
+        apply! a_copy, opts
         a_copy
       end
 
       # Returns a reference to the #apply method, suitable for passing as
       # a closure
       def updater_proc
-        lambda(&method(:apply))
+        proc { |a_hash, opts = {}| apply a_hash, opts }
+      end
+
+      def on_refresh &block
+        @refresh_listeners = [] unless defined? @refresh_listeners
+        @refresh_listeners << block
+      end
+
+      alias orig_fetch_access_token! fetch_access_token!
+      def fetch_access_token! options = {}
+        unless options[:connection]
+          connection = build_default_connection
+          options = options.merge connection: connection if connection
+        end
+        info = retry_with_error do
+          orig_fetch_access_token! options
+        end
+        notify_refresh_listeners
+        info
+      end
+
+      def notify_refresh_listeners
+        listeners = defined?(@refresh_listeners) ? @refresh_listeners : []
+        listeners.each do |block|
+          block.call self
+        end
+      end
+
+      def build_default_connection
+        if !defined?(@connection_info)
+          nil
+        elsif @connection_info.respond_to? :call
+          @connection_info.call
+        else
+          @connection_info
+        end
+      end
+
+      def retry_with_error max_retry_count = 5
+        retry_count = 0
+
+        begin
+          yield
+        rescue StandardError => e
+          raise e if e.is_a?(Signet::AuthorizationError) || e.is_a?(Signet::ParseError)
+
+          if retry_count < max_retry_count
+            retry_count += 1
+            sleep retry_count * 0.3
+            retry
+          else
+            msg = "Unexpected error: #{e.inspect}"
+            raise Signet::AuthorizationError, msg
+          end
+        end
       end
     end
   end

data/lib/googleauth/stores/file_token_store.rb

@@ -0,0 +1,65 @@
+# Copyright 2014, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "yaml/store"
+require "googleauth/token_store"
+
+module Google
+  module Auth
+    module Stores
+      # Implementation of user token storage backed by a local YAML file
+      class FileTokenStore < Google::Auth::TokenStore
+        # Create a new store with the supplied file.
+        #
+        # @param [String, File] file
+        #  Path to storage file
+        def initialize options = {}
+          super()
+          path = options[:file]
+          @store = YAML::Store.new path
+        end
+
+        # (see Google::Auth::Stores::TokenStore#load)
+        def load id
+          @store.transaction { @store[id] }
+        end
+
+        # (see Google::Auth::Stores::TokenStore#store)
+        def store id, token
+          @store.transaction { @store[id] = token }
+        end
+
+        # (see Google::Auth::Stores::TokenStore#delete)
+        def delete id
+          @store.transaction { @store.delete id }
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/stores/redis_token_store.rb

@@ -0,0 +1,96 @@
+# Copyright 2014, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "redis"
+require "googleauth/token_store"
+
+module Google
+  module Auth
+    module Stores
+      # Implementation of user token storage backed by Redis. Tokens
+      # are stored as JSON using the supplied key, prefixed with
+      # `g-user-token:`
+      class RedisTokenStore < Google::Auth::TokenStore
+        DEFAULT_KEY_PREFIX = "g-user-token:".freeze
+
+        # Create a new store with the supplied redis client.
+        #
+        # @param [::Redis, String] redis
+        #  Initialized redis client to connect to.
+        # @param [String] prefix
+        #  Prefix for keys in redis. Defaults to 'g-user-token:'
+        # @note If no redis instance is provided, a new one is created and
+        #  the options passed through. You may include any other keys accepted
+        #  by `Redis.new`
+        def initialize options = {}
+          super()
+          redis = options.delete :redis
+          prefix = options.delete :prefix
+          @redis = case redis
+                   when Redis
+                     redis
+                   else
+                     Redis.new options
+                   end
+          @prefix = prefix || DEFAULT_KEY_PREFIX
+        end
+
+        # (see Google::Auth::Stores::TokenStore#load)
+        def load id
+          key = key_for id
+          @redis.get key
+        end
+
+        # (see Google::Auth::Stores::TokenStore#store)
+        def store id, token
+          key = key_for id
+          @redis.set key, token
+        end
+
+        # (see Google::Auth::Stores::TokenStore#delete)
+        def delete id
+          key = key_for id
+          @redis.del key
+        end
+
+        private
+
+        # Generate a redis key from a token ID
+        #
+        # @param [String] id
+        #  ID of the token
+        # @return [String]
+        #  Redis key
+        def key_for id
+          @prefix + id
+        end
+      end
+    end
+  end
+end

data/lib/googleauth/token_store.rb

@@ -0,0 +1,69 @@
+# Copyright 2014, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+module Google
+  module Auth
+    # Interface definition for token stores. It is not required that
+    # implementations inherit from this class. It is provided for documentation
+    # purposes to illustrate the API contract.
+    class TokenStore
+      class << self
+        attr_accessor :default
+      end
+
+      # Load the token data from storage for the given ID.
+      #
+      # @param [String] id
+      #  ID of token data to load.
+      # @return [String]
+      #  The loaded token data.
+      def load _id
+        raise "Not implemented"
+      end
+
+      # Put the token data into storage for the given ID.
+      #
+      # @param [String] id
+      #  ID of token data to store.
+      # @param [String] token
+      #  The token data to store.
+      def store _id, _token
+        raise "Not implemented"
+      end
+
+      # Remove the token data from storage for the given ID.
+      #
+      # @param [String] id
+      #  ID of the token data to delete
+      def delete _id
+        raise "Not implemented"
+      end
+    end
+  end
+end

data/lib/googleauth/user_authorizer.rb

@@ -0,0 +1,285 @@
+# Copyright 2014, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+require "uri"
+require "multi_json"
+require "googleauth/signet"
+require "googleauth/user_refresh"
+
+module Google
+  module Auth
+    # Handles an interactive 3-Legged-OAuth2 (3LO) user consent authorization.
+    #
+    # Example usage for a simple command line app:
+    #
+    #     credentials = authorizer.get_credentials(user_id)
+    #     if credentials.nil?
+    #       url = authorizer.get_authorization_url(
+    #         base_url: OOB_URI)
+    #       puts "Open the following URL in the browser and enter the " +
+    #            "resulting code after authorization"
+    #       puts url
+    #       code = gets
+    #       credentials = authorizer.get_and_store_credentials_from_code(
+    #         user_id: user_id, code: code, base_url: OOB_URI)
+    #     end
+    #     # Credentials ready to use, call APIs
+    #     ...
+    class UserAuthorizer
+      MISMATCHED_CLIENT_ID_ERROR =
+        "Token client ID of %s does not match configured client id %s".freeze
+      NIL_CLIENT_ID_ERROR = "Client id can not be nil.".freeze
+      NIL_SCOPE_ERROR = "Scope can not be nil.".freeze
+      NIL_USER_ID_ERROR = "User ID can not be nil.".freeze
+      NIL_TOKEN_STORE_ERROR = "Can not call method if token store is nil".freeze
+      MISSING_ABSOLUTE_URL_ERROR =
+        'Absolute base url required for relative callback url "%s"'.freeze
+
+      # Initialize the authorizer
+      #
+      # @param [Google::Auth::ClientID] client_id
+      #  Configured ID & secret for this application
+      # @param [String, Array<String>] scope
+      #  Authorization scope to request
+      # @param [Google::Auth::Stores::TokenStore] token_store
+      #  Backing storage for persisting user credentials
+      # @param [String] callback_uri
+      #  URL (either absolute or relative) of the auth callback.
+      #  Defaults to '/oauth2callback'
+      def initialize client_id, scope, token_store, callback_uri = nil
+        raise NIL_CLIENT_ID_ERROR if client_id.nil?
+        raise NIL_SCOPE_ERROR if scope.nil?
+
+        @client_id = client_id
+        @scope = Array(scope)
+        @token_store = token_store
+        @callback_uri = callback_uri || "/oauth2callback"
+      end
+
+      # Build the URL for requesting authorization.
+      #
+      # @param [String] login_hint
+      #  Login hint if need to authorize a specific account. Should be a
+      #  user's email address or unique profile ID.
+      # @param [String] state
+      #  Opaque state value to be returned to the oauth callback.
+      # @param [String] base_url
+      #  Absolute URL to resolve the configured callback uri against. Required
+      #  if the configured callback uri is a relative.
+      # @param [String, Array<String>] scope
+      #  Authorization scope to request. Overrides the instance scopes if not
+      #  nil.
+      # @return [String]
+      #  Authorization url
+      def get_authorization_url options = {}
+        scope = options[:scope] || @scope
+        credentials = UserRefreshCredentials.new(
+          client_id:     @client_id.id,
+          client_secret: @client_id.secret,
+          scope:         scope
+        )
+        redirect_uri = redirect_uri_for options[:base_url]
+        url = credentials.authorization_uri(access_type:            "offline",
+                                            redirect_uri:           redirect_uri,
+                                            approval_prompt:        "force",
+                                            state:                  options[:state],
+                                            include_granted_scopes: true,
+                                            login_hint:             options[:login_hint])
+        url.to_s
+      end
+
+      # Fetch stored credentials for the user.
+      #
+      # @param [String] user_id
+      #  Unique ID of the user for loading/storing credentials.
+      # @param [Array<String>, String] scope
+      #  If specified, only returns credentials that have all
+      #  the requested scopes
+      # @return [Google::Auth::UserRefreshCredentials]
+      #  Stored credentials, nil if none present
+      def get_credentials user_id, scope = nil
+        saved_token = stored_token user_id
+        return nil if saved_token.nil?
+        data = MultiJson.load saved_token
+
+        if data.fetch("client_id", @client_id.id) != @client_id.id
+          raise format(MISMATCHED_CLIENT_ID_ERROR,
+                       data["client_id"], @client_id.id)
+        end
+
+        credentials = UserRefreshCredentials.new(
+          client_id:     @client_id.id,
+          client_secret: @client_id.secret,
+          scope:         data["scope"] || @scope,
+          access_token:  data["access_token"],
+          refresh_token: data["refresh_token"],
+          expires_at:    data.fetch("expiration_time_millis", 0) / 1000
+        )
+        scope ||= @scope
+        return monitor_credentials user_id, credentials if credentials.includes_scope? scope
+        nil
+      end
+
+      # Exchanges an authorization code returned in the oauth callback
+      #
+      # @param [String] user_id
+      #  Unique ID of the user for loading/storing credentials.
+      # @param [String] code
+      #  The authorization code from the OAuth callback
+      # @param [String, Array<String>] scope
+      #  Authorization scope requested. Overrides the instance
+      #  scopes if not nil.
+      # @param [String] base_url
+      #  Absolute URL to resolve the configured callback uri against.
+      #  Required if the configured
+      #  callback uri is a relative.
+      # @return [Google::Auth::UserRefreshCredentials]
+      #  Credentials if exchange is successful
+      def get_credentials_from_code options = {}
+        user_id = options[:user_id]
+        code = options[:code]
+        scope = options[:scope] || @scope
+        base_url = options[:base_url]
+        credentials = UserRefreshCredentials.new(
+          client_id:     @client_id.id,
+          client_secret: @client_id.secret,
+          redirect_uri:  redirect_uri_for(base_url),
+          scope:         scope
+        )
+        credentials.code = code
+        credentials.fetch_access_token!({})
+        monitor_credentials user_id, credentials
+      end
+
+      # Exchanges an authorization code returned in the oauth callback.
+      # Additionally, stores the resulting credentials in the token store if
+      # the exchange is successful.
+      #
+      # @param [String] user_id
+      #  Unique ID of the user for loading/storing credentials.
+      # @param [String] code
+      #  The authorization code from the OAuth callback
+      # @param [String, Array<String>] scope
+      #  Authorization scope requested. Overrides the instance
+      #  scopes if not nil.
+      # @param [String] base_url
+      #  Absolute URL to resolve the configured callback uri against.
+      #  Required if the configured
+      #  callback uri is a relative.
+      # @return [Google::Auth::UserRefreshCredentials]
+      #  Credentials if exchange is successful
+      def get_and_store_credentials_from_code options = {}
+        credentials = get_credentials_from_code options
+        store_credentials options[:user_id], credentials
+      end
+
+      # Revokes a user's credentials. This both revokes the actual
+      # grant as well as removes the token from the token store.
+      #
+      # @param [String] user_id
+      #  Unique ID of the user for loading/storing credentials.
+      def revoke_authorization user_id
+        credentials = get_credentials user_id
+        if credentials
+          begin
+            @token_store.delete user_id
+          ensure
+            credentials.revoke!
+          end
+        end
+        nil
+      end
+
+      # Store credentials for a user. Generally not required to be
+      # called directly, but may be used to migrate tokens from one
+      # store to another.
+      #
+      # @param [String] user_id
+      #  Unique ID of the user for loading/storing credentials.
+      # @param [Google::Auth::UserRefreshCredentials] credentials
+      #  Credentials to store.
+      def store_credentials user_id, credentials
+        json = MultiJson.dump(
+          client_id:              credentials.client_id,
+          access_token:           credentials.access_token,
+          refresh_token:          credentials.refresh_token,
+          scope:                  credentials.scope,
+          expiration_time_millis: credentials.expires_at.to_i * 1000
+        )
+        @token_store.store user_id, json
+        credentials
+      end
+
+      private
+
+      # @private Fetch stored token with given user_id
+      #
+      # @param [String] user_id
+      #  Unique ID of the user for loading/storing credentials.
+      # @return [String] The saved token from @token_store
+      def stored_token user_id
+        raise NIL_USER_ID_ERROR if user_id.nil?
+        raise NIL_TOKEN_STORE_ERROR if @token_store.nil?
+
+        @token_store.load user_id
+      end
+
+      # Begin watching a credential for refreshes so the access token can be
+      # saved.
+      #
+      # @param [String] user_id
+      #  Unique ID of the user for loading/storing credentials.
+      # @param [Google::Auth::UserRefreshCredentials] credentials
+      #  Credentials to store.
+      def monitor_credentials user_id, credentials
+        credentials.on_refresh do |cred|
+          store_credentials user_id, cred
+        end
+        credentials
+      end
+
+      # Resolve the redirect uri against a base.
+      #
+      # @param [String] base_url
+      #  Absolute URL to resolve the callback against if necessary.
+      # @return [String]
+      #  Redirect URI
+      def redirect_uri_for base_url
+        return @callback_uri if uri_is_postmessage?(@callback_uri) || !URI(@callback_uri).scheme.nil?
+        raise format(MISSING_ABSOLUTE_URL_ERROR, @callback_uri) if base_url.nil? || URI(base_url).scheme.nil?
+        URI.join(base_url, @callback_uri).to_s
+      end
+
+      # Check if URI is Google's postmessage flow (not a valid redirect_uri by spec, but allowed)
+      def uri_is_postmessage? uri
+        uri.to_s.casecmp("postmessage").zero?
+      end
+    end
+  end
+end