grape-security 0.8.0

data/lib/grape/locale/en.yml

@@ -0,0 +1,32 @@
+en:
+  grape:
+    errors:
+      format: ! '%{attribute} %{message}'
+      messages:
+        coerce: 'is invalid'
+        presence: 'is missing'
+        regexp: 'is invalid'
+        values: 'does not have a valid value'
+        missing_vendor_option:
+          problem: 'missing :vendor option.'
+          summary: 'when version using header, you must specify :vendor option. '
+          resolution: "eg: version 'v1', :using => :header, :vendor => 'twitter'"
+        missing_mime_type:
+          problem: 'missing mime type for %{new_format}'
+          resolution:
+            "you can choose existing mime type from Grape::ContentTypes::CONTENT_TYPES
+            or add your own with content_type :%{new_format}, 'application/%{new_format}'
+            "
+        invalid_with_option_for_represent:
+          problem: 'You must specify an entity class in the :with option.'
+          resolution: 'eg: represent User, :with => Entity::User'
+        missing_option: 'You must specify :%{option} options.'
+        invalid_formatter: 'cannot convert %{klass} to %{to_format}'
+        invalid_versioner_option:
+          problem: 'Unknown :using for versioner: %{strategy}'
+          resolution: 'available strategy for :using is :path, :header, :param'
+        unknown_validator: 'unknown validator: %{validator_type}'
+        unknown_options: 'unknown options: %{options}'
+        incompatible_option_values: '%{option1}: %{value1} is incompatible with %{option2}: %{value2}'
+        mutual_exclusion: 'are mutually exclusive'
+        exactly_one: "- exactly one parameter must be provided"

data/lib/grape/middleware/auth/base.rb

@@ -0,0 +1,30 @@
+require 'rack/auth/basic'
+
+module Grape
+  module Middleware
+    module Auth
+      class Base < Grape::Middleware::Base
+        attr_reader :authenticator
+
+        def initialize(app, options = {}, &authenticator)
+          super(app, options)
+          @authenticator = authenticator
+        end
+
+        def base_request
+          raise NotImplementedError, "You must implement base_request."
+        end
+
+        def credentials
+          base_request.provided? ? base_request.credentials : [nil, nil]
+        end
+
+        def before
+          unless authenticator.call(*credentials)
+            throw :error, status: 401, message: "API Authorization Failed."
+          end
+        end
+      end
+    end
+  end
+end

data/lib/grape/middleware/auth/basic.rb

@@ -0,0 +1,13 @@
+require 'rack/auth/basic'
+
+module Grape
+  module Middleware
+    module Auth
+      class Basic < Grape::Middleware::Auth::Base
+        def base_request
+          Rack::Auth::Basic::Request.new(env)
+        end
+      end
+    end
+  end
+end

data/lib/grape/middleware/auth/digest.rb

@@ -0,0 +1,13 @@
+require 'rack/auth/digest/md5'
+
+module Grape
+  module Middleware
+    module Auth
+      class Digest < Grape::Middleware::Auth::Base
+        def base_request
+          Rack::Auth::Digest::Request.new(env)
+        end
+      end
+    end
+  end
+end

data/lib/grape/middleware/auth/oauth2.rb

@@ -0,0 +1,83 @@
+module Grape
+  module Middleware
+    module Auth
+      # OAuth 2.0 authorization for Grape APIs.
+      class OAuth2 < Grape::Middleware::Base
+        def default_options
+          {
+            token_class: 'AccessToken',
+            realm: 'OAuth API',
+            parameter: %w(bearer_token oauth_token access_token),
+            accepted_headers: %w(HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION REDIRECT_X_HTTP_AUTHORIZATION),
+            header: [/Bearer (.*)/i, /OAuth (.*)/i],
+            required: true
+          }
+        end
+
+        def before
+          verify_token(token_parameter || token_header)
+        end
+
+        def request
+          @request ||= Grape::Request.new(env)
+        end
+
+        def params
+          @params ||= request.params
+        end
+
+        def token_parameter
+          Array(options[:parameter]).each do |p|
+            return params[p] if params[p]
+          end
+          nil
+        end
+
+        def token_header
+          return false unless authorization_header
+          Array(options[:header]).each do |regexp|
+            return $1 if authorization_header =~ regexp
+          end
+          nil
+        end
+
+        def authorization_header
+          options[:accepted_headers].each do |head|
+            return env[head] if env[head]
+          end
+          nil
+        end
+
+        def token_class
+          @klass ||= eval(options[:token_class]) # rubocop:disable Eval
+        end
+
+        def verify_token(token)
+          token = token_class.verify(token)
+          if token
+            if token.respond_to?(:expired?) && token.expired?
+              error_out(401, 'invalid_grant')
+            else
+              if !token.respond_to?(:permission_for?) || token.permission_for?(env)
+                env['api.token'] = token
+              else
+                error_out(403, 'insufficient_scope')
+              end
+            end
+          elsif !!options[:required]
+            error_out(401, 'invalid_grant')
+          end
+        end
+
+        def error_out(status, error)
+          throw :error,
+                message: error,
+                status: status,
+                headers: {
+                  'WWW-Authenticate' => "OAuth realm='#{options[:realm]}', error='#{error}'"
+                }
+        end
+      end
+    end
+  end
+end

data/lib/grape/middleware/base.rb

@@ -0,0 +1,62 @@
+module Grape
+  module Middleware
+    class Base
+      attr_reader :app, :env, :options
+
+      # @param [Rack Application] app The standard argument for a Rack middleware.
+      # @param [Hash] options A hash of options, simply stored for use by subclasses.
+      def initialize(app, options = {})
+        @app = app
+        @options = default_options.merge(options)
+      end
+
+      def default_options
+        {}
+      end
+
+      def call(env)
+        dup.call!(env)
+      end
+
+      def call!(env)
+        @env = env
+        before
+        @app_response = @app.call(@env)
+        after || @app_response
+      end
+
+      # @abstract
+      # Called before the application is called in the middleware lifecycle.
+      def before
+      end
+
+      # @abstract
+      # Called after the application is called in the middleware lifecycle.
+      # @return [Response, nil] a Rack SPEC response or nil to call the application afterwards.
+      def after
+      end
+
+      def response
+        Rack::Response.new(@app_response)
+      end
+
+      def content_type_for(format)
+        HashWithIndifferentAccess.new(content_types)[format]
+      end
+
+      def content_types
+        ContentTypes.content_types_for(options[:content_types])
+      end
+
+      def content_type
+        content_type_for(env['api.format'] || options[:format]) || 'text/html'
+      end
+
+      def mime_types
+        content_types.each_with_object({}) { |(k, v), types_without_params|
+          types_without_params[k] = v.split(';').first
+        }.invert
+      end
+    end
+  end
+end

data/lib/grape/middleware/error.rb

@@ -0,0 +1,89 @@
+require 'grape/middleware/base'
+
+module Grape
+  module Middleware
+    class Error < Base
+      def default_options
+        {
+          default_status: 500, # default status returned on error
+          default_message: "",
+          format: :txt,
+          formatters: {},
+          error_formatters: {},
+          rescue_all: false, # true to rescue all exceptions
+          rescue_subclasses: true, # rescue subclasses of exceptions listed
+          rescue_options: { backtrace: false }, # true to display backtrace
+          rescue_handlers: {}, # rescue handler blocks
+          base_only_rescue_handlers: {}, # rescue handler blocks rescuing only the base class
+          all_rescue_handler: nil # rescue handler block to rescue from all exceptions
+        }
+      end
+
+      def call!(env)
+        @env = env
+
+        begin
+          error_response(catch(:error) do
+            return @app.call(@env)
+          end)
+        rescue StandardError => e
+          is_rescuable = rescuable?(e.class)
+          if e.is_a?(Grape::Exceptions::Base) && !is_rescuable
+            handler = lambda { |arg| error_response(arg) }
+          else
+            raise unless is_rescuable
+            handler = find_handler(e.class)
+          end
+
+          handler.nil? ? handle_error(e) : exec_handler(e, &handler)
+        end
+      end
+
+      def find_handler(klass)
+        handler = options[:rescue_handlers].find(-> { [] }) { |error, _| klass <= error }[1]
+        handler ||= options[:base_only_rescue_handlers][klass]
+        handler ||= options[:all_rescue_handler]
+        handler
+      end
+
+      def rescuable?(klass)
+        options[:rescue_all] || (options[:rescue_handlers] || []).any? { |error, handler| klass <= error } || (options[:base_only_rescue_handlers] || []).include?(klass)
+      end
+
+      def exec_handler(e, &handler)
+        if handler.lambda? && handler.arity == 0
+          instance_exec(&handler)
+        else
+          instance_exec(e, &handler)
+        end
+      end
+
+      def handle_error(e)
+        error_response(message: e.message, backtrace: e.backtrace)
+      end
+
+      def error_response(error = {})
+        status = error[:status] || options[:default_status]
+        message = error[:message] || options[:default_message]
+        headers = { 'Content-Type' => content_type }
+        headers.merge!(error[:headers]) if error[:headers].is_a?(Hash)
+        backtrace = error[:backtrace] || []
+        rack_response(format_message(message, backtrace), status, headers)
+      end
+
+      def rack_response(message, status = options[:default_status], headers = { 'Content-Type' => content_type })
+        if headers['Content-Type'] == 'text/html'
+          message = ERB::Util.html_escape(message)
+        end
+        Rack::Response.new([message], status, headers).finish
+      end
+
+      def format_message(message, backtrace)
+        format = env['api.format'] || options[:format]
+        formatter = Grape::ErrorFormatter::Base.formatter_for(format, options)
+        throw :error, status: 406, message: "The requested format '#{format}' is not supported." unless formatter
+        formatter.call(message, backtrace, options, env)
+      end
+    end
+  end
+end

data/lib/grape/middleware/filter.rb

@@ -0,0 +1,17 @@
+module Grape
+  module Middleware
+    # This is a simple middleware for adding before and after filters
+    # to Grape APIs. It is used like so:
+    #
+    #     use Grape::Middleware::Filter, before: lambda { do_something }, after: lambda { do_something }
+    class Filter < Base
+      def before
+        app.instance_eval(&options[:before]) if options[:before]
+      end
+
+      def after
+        app.instance_eval(&options[:after]) if options[:after]
+      end
+    end
+  end
+end

data/lib/grape/middleware/formatter.rb

@@ -0,0 +1,150 @@
+require 'grape/middleware/base'
+
+module Grape
+  module Middleware
+    class Formatter < Base
+      def default_options
+        {
+          default_format: :txt,
+          formatters: {},
+          parsers: {}
+        }
+      end
+
+      def headers
+        env.dup.inject({}) do |h, (k, v)|
+          h[k.to_s.downcase[5..-1]] = v if k.to_s.downcase.start_with?('http_')
+          h
+        end
+      end
+
+      def before
+        negotiate_content_type
+        read_body_input
+      end
+
+      def after
+        status, headers, bodies = *@app_response
+        # allow content-type to be explicitly overwritten
+        api_format = mime_types[headers["Content-Type"]] || env['api.format']
+        formatter = Grape::Formatter::Base.formatter_for api_format, options
+        begin
+          bodymap = bodies.collect do |body|
+            formatter.call body, env
+          end
+        rescue Grape::Exceptions::InvalidFormatter => e
+          throw :error, status: 500, message: e.message
+        end
+        headers['Content-Type'] = content_type_for(env['api.format']) unless headers['Content-Type']
+        Rack::Response.new(bodymap, status, headers).to_a
+      end
+
+      private
+
+      def request
+        @request ||= Rack::Request.new(env)
+      end
+
+      # store read input in env['api.request.input']
+      def read_body_input
+        if (request.post? || request.put? || request.patch? || request.delete?) &&
+          (!request.form_data? || !request.media_type) &&
+          (!request.parseable_data?) &&
+          (request.content_length.to_i > 0 || request.env['HTTP_TRANSFER_ENCODING'] == 'chunked')
+
+          if (input = env['rack.input'])
+            input.rewind
+            body = env['api.request.input'] = input.read
+            begin
+              read_rack_input(body) if body && body.length > 0
+            ensure
+              input.rewind
+            end
+          end
+        end
+      end
+
+      # store parsed input in env['api.request.body']
+      def read_rack_input(body)
+        fmt = mime_types[request.media_type] if request.media_type
+        fmt ||= options[:default_format]
+        if content_type_for(fmt)
+          parser = Grape::Parser::Base.parser_for fmt, options
+          if parser
+            begin
+              body = (env['api.request.body'] = parser.call(body, env))
+              if body.is_a?(Hash)
+                if env['rack.request.form_hash']
+                  env['rack.request.form_hash'] = env['rack.request.form_hash'].merge(body)
+                else
+                  env['rack.request.form_hash'] = body
+                end
+                env['rack.request.form_input'] = env['rack.input']
+              end
+            rescue StandardError => e
+              throw :error, status: 400, message: e.message
+            end
+          else
+            env['api.request.body'] = body
+          end
+        else
+          throw :error, status: 406, message: "The requested content-type '#{request.media_type}' is not supported."
+        end
+      end
+
+      def negotiate_content_type
+        fmt = format_from_extension || format_from_params || options[:format] || format_from_header || options[:default_format]
+        if content_type_for(fmt)
+          env['api.format'] = fmt
+        else
+          throw :error, status: 406, message: "The requested format '#{fmt}' is not supported."
+        end
+      end
+
+      def format_from_extension
+        parts = request.path.split('.')
+
+        if parts.size > 1
+          extension = parts.last
+          # avoid symbol memory leak on an unknown format
+          return extension.to_sym if content_type_for(extension)
+        end
+        nil
+      end
+
+      def format_from_params
+        fmt = Rack::Utils.parse_nested_query(env['QUERY_STRING'])["format"]
+        # avoid symbol memory leak on an unknown format
+        return fmt.to_sym if content_type_for(fmt)
+        fmt
+      end
+
+      def format_from_header
+        mime_array.each do |t|
+          return mime_types[t] if mime_types.key?(t)
+        end
+        nil
+      end
+
+      def mime_array
+        accept = headers['accept']
+        return [] unless accept
+
+        accept_into_mime_and_quality = %r{
+          (
+            \w+/[\w+.-]+)     # eg application/vnd.example.myformat+xml
+          (?:
+           (?:;[^,]*?)?       # optionally multiple formats in a row
+           ;\s*q=([\d.]+)     # optional "quality" preference (eg q=0.5)
+          )?
+        }x
+
+        vendor_prefix_pattern = /vnd\.[^+]+\+/
+
+        accept.scan(accept_into_mime_and_quality)
+          .sort_by { |_, quality_preference| -quality_preference.to_f }
+          .map { |mime, _| mime.sub(vendor_prefix_pattern, '') }
+      end
+    end
+  end
+end