grape_oauth2 0.1.1

data/lib/grape_oauth2/responses/token.rb

@@ -0,0 +1,10 @@
+module Grape
+  module OAuth2
+    # Grape::OAuth2 responses namespace.
+    module Responses
+      # Token response.
+      class Token < Base
+      end
+    end
+  end
+end

data/lib/grape_oauth2/scopes.rb

@@ -0,0 +1,74 @@
+module Grape
+  module OAuth2
+    # OAuth2 helper for scopes validation
+    # (between requested and presented in Access Token).
+    class Scopes
+      # Array of requested scopes
+      #
+      # @return [Array<String>] scopes
+      #
+      attr_reader :scopes
+
+      # Helper class initializer.
+      #
+      # @param scopes [Array, String, #to_a]
+      #   array, string of any object that responds to `to_a`
+      #
+      def initialize(scopes)
+        @scopes = to_array(scopes || [])
+      end
+
+      # Checks if requested scopes (passed and processed on initialization)
+      # are presented in the Access Token.
+      #
+      # @param access_token [Object]
+      #   instance of the Access Token class that responds to `scopes`
+      #
+      # @return [Boolean]
+      #   true if requested scopes are empty or present in access token scopes
+      #   and false in other cases
+      #
+      def valid_for?(access_token)
+        scopes.empty? || present_in?(access_token.scopes)
+      end
+
+      private
+
+      # Checks if scopes present in Access Token scopes.
+      #
+      # @param token_scopes [Array, String, #to_a]
+      #   array, string of any object that responds to `to_a`
+      #
+      # @return [Boolean]
+      #   true if requested scopes present in Access Token and false in other cases
+      #
+      def present_in?(token_scopes)
+        required_scopes = Set.new(to_array(scopes))
+        authorized_scopes = Set.new(to_array(token_scopes))
+
+        authorized_scopes >= required_scopes
+      end
+
+      # Converts scopes set to the array.
+      #
+      # @param scopes [Array, String, #to_a]
+      #   string, array or object that responds to `to_a`
+      # @return [Array<String>]
+      #   array of scopes
+      #
+      def to_array(scopes)
+        return [] if scopes.nil?
+
+        collection = if scopes.is_a?(Array) || scopes.respond_to?(:to_a)
+                       scopes.to_a
+                     elsif scopes.is_a?(String)
+                       scopes.split
+                     else
+                       raise ArgumentError, 'scopes class is not supported!'
+                     end
+
+        collection.map(&:to_s)
+      end
+    end
+  end
+end

data/lib/grape_oauth2/strategies/authorization_code.rb

@@ -0,0 +1,38 @@
+module Grape
+  module OAuth2
+    module Strategies
+      # Auth Code strategy class.
+      # Processes request and responds with Token or Code
+      # (depend on requested response type).
+      class AuthorizationCode < Base
+        class << self
+          # Processes Authorization request.
+          def process(request, response)
+            client = authenticate_client(request)
+            request.bad_request! if client.nil?
+
+            response.redirect_uri = request.verify_redirect_uri!(client.redirect_uri)
+
+            # TODO: verify scopes if they valid
+            # scopes = request.scope
+            # request.invalid_scope! "Unknown scope: #{scope}"
+
+            case request.response_type
+            when :code
+              # resource owner can't be nil!
+              authorization_code = config.access_grant_class.create_for(client, nil, response.redirect_uri)
+              response.code = authorization_code.token
+            when :token
+              # resource owner can't be nil!
+              access_token = config.access_token_class.create_for(client, nil, scopes_from(request))
+              response.access_token = expose_to_bearer_token(access_token)
+            end
+
+            response.approve!
+            response
+          end
+        end
+      end
+    end
+  end
+end

data/lib/grape_oauth2/strategies/base.rb

@@ -0,0 +1,47 @@
+module Grape
+  module OAuth2
+    # Grape::OAuth2 strategies namespace
+    module Strategies
+      # Base Grape::OAuth2 Strategies class .
+      # Contains common functionality for all the descendants.
+      class Base
+        class << self
+          # Authenticates Client from the request.
+          def authenticate_client(request)
+            config.client_class.authenticate(request.client_id, request.try(:client_secret))
+          end
+
+          # Authenticates Resource Owner from the request.
+          def authenticate_resource_owner(client, request)
+            config.resource_owner_class.oauth_authenticate(client, request.username, request.password)
+          end
+
+          # Short getter for Grape::OAuth2 configuration
+          def config
+            Grape::OAuth2.config
+          end
+
+          # Converts scopes from the request string. Separate them by the whitespace.
+          # @return [String] scopes string
+          #
+          def scopes_from(request)
+            return nil if request.scope.nil?
+
+            Array(request.scope).join(' ')
+          end
+
+          # Exposes token object to Bearer token.
+          #
+          # @param token [#to_bearer_token]
+          #   any object that responds to `to_bearer_token`
+          # @return [Rack::OAuth2::AccessToken::Bearer]
+          #   bearer token instance
+          #
+          def expose_to_bearer_token(token)
+            Rack::OAuth2::AccessToken::Bearer.new(token.to_bearer_token)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/grape_oauth2/strategies/client_credentials.rb

@@ -0,0 +1,20 @@
+module Grape
+  module OAuth2
+    module Strategies
+      # Client Credentials strategy class.
+      # Processes request and respond with Access Token.
+      class ClientCredentials < Base
+        class << self
+          # Processes Client Credentials request.
+          def process(request)
+            client = authenticate_client(request)
+            request.invalid_client! if client.nil?
+
+            token = config.access_token_class.create_for(client, nil, scopes_from(request))
+            expose_to_bearer_token(token)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/grape_oauth2/strategies/password.rb

@@ -0,0 +1,22 @@
+module Grape
+  module OAuth2
+    module Strategies
+      # Resource Owner Password Credentials strategy class.
+      # Processes request and respond with Access Token.
+      class Password < Base
+        class << self
+          # Processes Password request.
+          def process(request)
+            client = authenticate_client(request) || request.invalid_client!
+            resource_owner = authenticate_resource_owner(client, request)
+
+            request.invalid_grant! if resource_owner.nil?
+
+            token = config.access_token_class.create_for(client, resource_owner, scopes_from(request))
+            expose_to_bearer_token(token)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/grape_oauth2/strategies/refresh_token.rb

@@ -0,0 +1,47 @@
+module Grape
+  module OAuth2
+    module Strategies
+      # Refresh Token strategy class.
+      # Processes request and respond with Access Token.
+      class RefreshToken < Base
+        class << self
+          # Processes Refresh Token request.
+          def process(request)
+            client = authenticate_client(request)
+
+            request.invalid_client! if client.nil?
+
+            refresh_token = config.access_token_class.authenticate(request.refresh_token, type: :refresh_token)
+            request.invalid_grant! if refresh_token.nil?
+            request.unauthorized_client! if refresh_token && refresh_token.client != client
+
+            token = config.access_token_class.create_for(client, refresh_token.resource_owner)
+            run_on_refresh_callback(refresh_token) if config.on_refresh_runnable?
+
+            expose_to_bearer_token(token)
+          end
+
+          private
+
+          # Invokes custom callback on Access Token refresh.
+          # If callback is a proc, then call it with token.
+          # If access token responds to callback value (symbol for example), then call it from the token.
+          #
+          # @param access_token [Object] Access Token instance
+          #
+          def run_on_refresh_callback(access_token)
+            callback = config.on_refresh
+
+            if callback.respond_to?(:call)
+              callback.call(access_token)
+            elsif access_token.respond_to?(callback)
+              access_token.send(callback)
+            else
+              raise ArgumentError, ":on_refresh is not a block and Access Token class doesn't respond to #{callback}!"
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/grape_oauth2/unique_token.rb

@@ -0,0 +1,20 @@
+module Grape
+  module OAuth2
+    # OAuth2 helper for generation of unique token values.
+    # Can process custom payload and options.
+    module UniqueToken
+      # Generates unique token value.
+      #
+      # @param _payload [Hash]
+      #   payload
+      # @param options [Hash]
+      #   options for generator
+      #
+      # @return [String]
+      #   unique token value
+      def self.generate(_payload = {}, options = {})
+        SecureRandom.hex(options.delete(:size) || 32)
+      end
+    end
+  end
+end

data/lib/grape_oauth2/version.rb

@@ -0,0 +1,14 @@
+require_relative 'gem_version'
+
+module Grape
+  module OAuth2
+    # Grape::OAuth2 gem version.
+    #
+    # @return [Gem::Version]
+    #   version value
+    #
+    def self.version
+      gem_version
+    end
+  end
+end

data/spec/configuration/config_spec.rb

@@ -0,0 +1,231 @@
+require 'spec_helper'
+
+describe Grape::OAuth2::Configuration do
+  let(:config) { described_class.new }
+
+  # Refactor: Mock it
+  class CustomClient
+    def self.authenticate(key, secret = nil)
+      'Test'
+    end
+  end
+
+  class CustomAccessToken
+    def self.create_for(client, resource_owner, scopes = nil)
+    end
+
+    def self.authenticate(token, type: :access_token)
+      'Test'
+    end
+
+    def client
+    end
+
+    def resource_owner
+    end
+
+    def expired?
+    end
+
+    def revoked?
+    end
+
+    def revoke!(revoked_at = Time.now)
+    end
+
+    def to_bearer_token
+    end
+  end
+
+  class CustomResourceOwner
+    def self.oauth_authenticate(client, username, password)
+      'Test'
+    end
+  end
+
+  context 'default config' do
+    it 'setup config with default values' do
+      expect(config.access_token_lifetime).to eq(7200)
+      expect(config.authorization_code_lifetime).to eq(1800)
+
+      expect(config.realm).to eq(Grape::OAuth2::Configuration::DEFAULT_REALM)
+      expect(config.allowed_grant_types).to eq(%w(password client_credentials))
+
+      expect(config.issue_refresh_token).to be_falsey
+      expect(config.on_refresh).to eq(:nothing)
+
+      expect(config.scopes_validator_class_name).to eq(Grape::OAuth2::Scopes.name)
+    end
+  end
+
+  context 'custom config' do
+    class CustomScopesValidator
+      def initialize(scopes)
+        @scopes = scopes
+      end
+
+      def valid_for?(access_token)
+        false
+      end
+    end
+
+    class CustomTokenGenerator
+      def self.generate(options = {})
+        if options[:custom]
+          'custom_token'
+        else
+          'default_token'
+        end
+      end
+    end
+
+    before do
+      config.access_token_class_name = 'CustomAccessToken'
+      config.resource_owner_class_name = 'CustomResourceOwner'
+      config.client_class_name = 'CustomClient'
+      config.access_grant_class_name = 'Object'
+      config.scopes_validator_class_name = 'CustomScopesValidator'
+    end
+
+    it 'invokes custom scopes validator' do
+      expect(config.scopes_validator.new([]).valid_for?(nil)).to be_falsey
+    end
+
+    it 'works with custom Access Token class' do
+      expect(config.access_token_class.authenticate('')).to eq('Test')
+    end
+
+    it 'works with custom Client class' do
+      expect(config.client_class.authenticate('')).to eq('Test')
+    end
+
+    it 'works with custom Resource Owner class' do
+      expect(config.resource_owner_class.oauth_authenticate('', '', '')).to eq('Test')
+    end
+
+    it 'works with custom token authenticator' do
+      # before
+      Grape::OAuth2.configure do |config|
+        config.token_authenticator do |request|
+          raise ArgumentError, 'Test'
+        end
+      end
+
+      expect { config.token_authenticator.call }.to raise_error(ArgumentError)
+
+      # after
+      Grape::OAuth2.configure do |config|
+        config.token_authenticator = config.default_token_authenticator
+      end
+    end
+
+    it 'works with custom token generator' do
+      # before
+      Grape::OAuth2.configure do |config|
+        config.token_generator_class_name = 'CustomTokenGenerator'
+      end
+
+      expect(Grape::OAuth2.config.token_generator.generate).to eq('default_token')
+      expect(Grape::OAuth2.config.token_generator.generate(custom: true)).to eq('custom_token')
+
+      # after
+      Grape::OAuth2.configure do |config|
+        config.token_generator_class_name = Grape::OAuth2::UniqueToken.name
+      end
+    end
+
+    it 'works with custom on_refresh callback' do
+      token = AccessToken.create
+
+      # before
+      Grape::OAuth2.configure do |config|
+        config.on_refresh do |access_token|
+          access_token.update(scopes: 'test')
+        end
+      end
+
+      expect {
+        Grape::OAuth2::Strategies::RefreshToken.send(:run_on_refresh_callback, token)
+      }.to change { token.scopes }.to('test')
+
+      # after
+      Grape::OAuth2.configure do |config|
+        config.on_refresh = :nothing
+      end
+    end
+
+    it 'raises an error with invalid on_refresh callback' do
+      # before
+      Grape::OAuth2.configure do |config|
+        config.on_refresh = 'invalid'
+      end
+
+      expect {
+        Grape::OAuth2::Strategies::RefreshToken.send(:run_on_refresh_callback, nil)
+      }.to raise_error(ArgumentError)
+
+      # after
+      Grape::OAuth2.configure do |config|
+        config.on_refresh = :nothing
+      end
+    end
+  end
+
+  context 'validation' do
+    context 'with invalid config options' do
+      it 'raises an error for default configuration' do
+        expect { config.check! }.to raise_error(Grape::OAuth2::Configuration::Error)
+      end
+
+      it "raises an error if configured classes doesn't have an instance methods" do
+        class InvalidAccessToken
+          # Only class methods
+          def self.create_for(client, resource_owner, scopes = nil)
+          end
+
+          def self.authenticate(token, type: :access_token)
+            'Test'
+          end
+        end
+
+        config.access_token_class_name = 'InvalidAccessToken'
+        config.resource_owner_class_name = 'CustomResourceOwner'
+        config.client_class_name = 'CustomClient'
+        config.access_grant_class_name = 'Object'
+
+        expect { config.check! }.to raise_error(Grape::OAuth2::Configuration::APIMissing) do |error|
+          expect(error.message).to include('access_token_class')
+          expect(error.message).to include('Instance method')
+        end
+      end
+
+      it "raises an error if configured classes doesn't have a class methods" do
+        class InvalidClient
+        end
+
+        config.access_token_class_name = 'CustomAccessToken'
+        config.resource_owner_class_name = 'CustomResourceOwner'
+        config.client_class_name = 'InvalidClient'
+        config.access_grant_class_name = 'Object'
+
+        expect { config.check! }.to raise_error(Grape::OAuth2::Configuration::APIMissing) do |error|
+          expect(error.message).to include('client_class')
+          expect(error.message).to include('Class method')
+        end
+      end
+    end
+
+    context 'with valid config options' do
+      before do
+        config.access_token_class_name = 'CustomAccessToken'
+        config.resource_owner_class_name = 'CustomResourceOwner'
+        config.client_class_name = 'CustomClient'
+        config.access_grant_class_name = 'Object'
+      end
+
+      it 'successfully pass' do
+        expect { config.check! }.not_to raise_error
+      end
+    end
+  end
+end