leash_provider 0.0.1

data/app/controllers/leash_controller.rb

@@ -0,0 +1,2 @@
+class LeashController < ActionController::Base
+end

data/app/models/leash/provider/access_token.rb

@@ -0,0 +1,68 @@
+class Leash::Provider::AccessToken < Ohm::Model
+  MAX_ASSIGN_TRIES = 20
+
+  attribute :app_name
+  attribute :access_token
+  attribute :owner
+  attribute :created_at
+  attribute :accessed_at
+
+  index :app_name
+  index :owner
+  index :access_token
+  index :accessed_at
+  unique :access_token
+
+
+  def self.assign!(app_name, owner)
+    tries = 0
+    access_token = nil
+
+    loop do
+      begin
+        access_token = SecureRandom.hex(24)
+        timestamp = Time.now.to_i
+        self.create app_name: app_name, owner: owner_key(owner), access_token: access_token, created_at: timestamp, accessed_at: timestamp
+        break
+      
+      rescue Ohm::UniqueIndexViolation => e
+        tries += 1
+
+        fail if tries > MAX_ASSIGN_TRIES
+      end
+    end
+
+    access_token
+  end
+
+
+  def self.assign_from_auth_code!(auth_code)
+    access_token = assign! auth_code.app_name, auth_code.owner
+    auth_code.delete
+    access_token
+  end
+
+
+  def self.valid?(access_token)
+    self.find(access_token: access_token).size != 0
+  end
+
+
+  def self.find_by_access_token(access_token)
+    self.find(access_token: access_token).sort_by(:created_at, order: "DESC").first
+  end
+
+
+  def self.find_by_app_name_and_owner(app_name, owner)
+    self.find(app_name: app_name, owner: owner_key(owner)).sort_by(:created_at, order: "DESC").first
+  end
+
+
+  def self.owner_key(owner)
+    if owner.is_a? ActiveRecord::Base
+      "#{owner.class.name}##{owner.id}"
+    else
+      owner
+    end
+  end
+end

data/app/models/leash/provider/auth_code.rb

@@ -0,0 +1,44 @@
+class Leash::Provider::AuthCode < Ohm::Model
+  MAX_ASSIGN_TRIES = 20
+
+  attribute :app_name
+  attribute :auth_code
+  attribute :owner
+  attribute :created_at
+
+  index :owner
+  index :auth_code
+  unique :auth_code
+
+
+  def self.assign!(app_name, owner)
+    tries = 0
+    auth_code = nil
+
+    loop do
+      begin
+        auth_code = SecureRandom.hex(24)
+        timestamp = Time.now.to_i
+        self.create app_name: app_name, owner: owner, auth_code: auth_code, created_at: timestamp
+        break
+      
+      rescue Ohm::UniqueIndexViolation => e
+        tries += 1
+
+        fail if tries > MAX_ASSIGN_TRIES
+      end
+    end
+
+    auth_code
+  end
+
+
+  def self.valid?(auth_code)
+    self.find(auth_code: auth_code).size != 0
+  end
+
+
+  def self.find_by_auth_code(auth_code)
+    self.find(auth_code: auth_code).first
+  end
+end

data/config.ru

@@ -0,0 +1,7 @@
+require 'rubygems'
+require 'bundler'
+
+Bundler.require :default, :development
+
+Combustion.initialize! :action_controller, :active_record
+run Combustion::Application

data/leash_provider.gemspec

@@ -0,0 +1,27 @@
+$:.push File.expand_path("../lib", __FILE__)
+
+require "leash/provider/version"
+
+Gem::Specification.new do |s|
+  s.name        = "leash_provider"
+  s.version     = Leash::Provider::VERSION
+  s.authors     = ["Marcin Lewandowski"]
+  s.email       = ["marcin@saepia.net"]
+  s.homepage    = "http://github.com/mspanc/leash-provider"
+  s.summary     = "High-performance OAuth2 provider for a closed set of trusted apps with multiple roles support"
+  s.description = "Leash allows you to build an OAuth2 provider for closed set of trusted apps. I can support multiple user types and is designed with high load in mind."
+
+  s.add_dependency "rails", "~> 4.2"
+  s.add_dependency "ohm"
+  s.add_dependency "devise"
+  s.add_development_dependency "rspec-rails"
+  s.add_development_dependency "rake"
+  s.add_development_dependency "factory_girl_rails", "~> 4.0"
+  s.add_development_dependency "bundler"
+  s.add_development_dependency "sqlite3"
+  s.add_development_dependency "combustion", "~> 0.5.3"
+
+  s.files         = `git ls-files`.split("\n")
+  s.require_paths = ['lib']
+  s.required_ruby_version = '>= 1.9.3'
+end

data/lib/generators/leash/install_generator.rb

@@ -0,0 +1,20 @@
+require 'rails/generators/base'
+
+module Leash
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path("../../templates", __FILE__)
+
+      desc "Creates a Leash initializer and copy locale files to your application."
+
+      def copy_initializer
+        template "leash.rb", "config/initializers/leash.rb"
+      end
+
+
+      def add_route
+        route "leash"
+      end
+    end
+  end
+end

data/lib/generators/leash/provider/install_generator.rb

@@ -0,0 +1,22 @@
+require 'rails/generators/base'
+
+module Leash
+  module Provider
+    module Generators
+      class InstallGenerator < Rails::Generators::Base
+        source_root File.expand_path("../../templates", __FILE__)
+
+        desc "Creates a Leash initializer and route."
+
+        def copy_initializer
+          template "leash_provider.rb", "config/initializers/leash_provider.rb"
+        end
+
+
+        def add_route
+          route "leash_provicer"
+        end
+      end
+    end
+  end
+end

data/lib/generators/templates/leash_provider.rb

@@ -0,0 +1,28 @@
+Leash::Provider.configure do |config|
+
+  ### ==> User classes
+  ## Allowed user classes. Please create devise models with such names first.
+  ## None by default so you have to set it to something meaningful in order
+  ## to use Leash.  
+  config.user_roles = [ "User", "Admin" ]
+
+
+  ### ==> Redis
+  ## Redis database address. Will use redis://localhost:6379/0 by default.
+  ## Leash internally uses Ohm gem for encapsulating redis data into models.
+  ## At the moment this setting will be shared with all Ohm models, so
+  ## if you use any other Ohm models in the app and they need to use different
+  ## database, you must hack the gem.
+  ##
+  ## If you need to initialize connection to redis database specified below,
+  ## e.g. in unicorn or puma initializer please use the following syntax: 
+  ## Leash.establish_connection!
+  # config.redis_url = "redis://127.0.0.1:6379/0"
+
+
+  ### ==> Access tokens
+  ## Tells whether leash should reuse access tokens if there is already one
+  ## present for application/owner combination. True by default.
+  # config.reuse_access_tokens = true
+
+end

data/lib/leash/provider/engine.rb

@@ -0,0 +1,8 @@
+module Leash
+  module Provider
+    class Engine < ::Rails::Engine
+      isolate_namespace Leash
+
+    end
+  end
+end

data/lib/leash/provider/routing.rb

@@ -0,0 +1,11 @@
+module ActionDispatch::Routing
+  class Mapper
+    def leash_provider
+      scope :oauth do
+        get  "authorize", to: "leash/provider/authorize#authorize", as: "leash_provider_authorize"
+        post "token",     to: "leash/provider/token#token",         as: "leash_provider_token"
+      end
+    end
+  end
+end
+

data/lib/leash/provider/version.rb

@@ -0,0 +1,5 @@
+module Leash
+  module Provider
+    VERSION = "0.0.1"
+  end
+end

data/lib/leash_provider.rb

@@ -0,0 +1,30 @@
+require "rails"
+require "devise"
+require "ohm"
+require "leash/provider/version"
+require "leash/provider/engine"
+require "leash/provider/routing"
+
+module Leash
+  module Provider
+    mattr_accessor :user_roles
+    @@user_roles = []
+
+    mattr_accessor :redis_url
+    @@redis_url = "redis://127.0.0.1:6379/0"
+
+
+    mattr_accessor :reuse_access_tokens
+    @@reuse_access_tokens = true
+
+
+    def self.configure
+      yield self
+    end
+
+
+    def self.establish_connection!
+      Ohm.redis = Redic.new(@@redis_url)
+    end
+  end
+end

data/spec/controllers/leash/provider/authorize_controller_spec.rb

@@ -0,0 +1,267 @@
+require 'spec_helper'
+
+RSpec.describe Leash::Provider::AuthorizeController, :type => :controller do
+  before do
+    @OLD_ENV = ENV
+    ENV["APP_TEST_OAUTH2_CLIENT_ID"] = "123456"
+    ENV["APP_TEST_OAUTH2_SECRET"] = "qwerty"
+    ENV["APP_TEST_OAUTH2_REDIRECT_URL"] = "http://example.com"  # TODO test multiple allowed redirect urls
+    
+    allow(Leash::Provider).to receive(:user_roles).and_return([ valid_user_role ])
+  end
+
+  after do
+    (ENV.keys - @OLD_ENV.keys).each{ |key| ENV.delete(key) }
+  end
+
+  let(:app_name)             { "test" }
+  let(:valid_user_role)      { "Admin" }
+  let(:valid_client_id)      { ENV["APP_TEST_OAUTH2_CLIENT_ID"] }
+  let(:valid_redirect_uri)   { ENV["APP_TEST_OAUTH2_REDIRECT_URL"] }
+  let(:invalid_user_role)    { "Ufo" }
+  let(:invalid_client_id)    { "098765" }
+  let(:invalid_redirect_uri) { "http://whatever.com" }
+  let(:authentication_route) { new_admin_session_path }
+
+
+  describe "GET authorize" do
+    context "for authorization code flow" do
+      let(:response_type) { "code" }
+      
+      pending "without all necessary params"
+
+      context "with all necessary params" do
+        let(:params) { { user_role: user_role, response_type: response_type, client_id: client_id, redirect_uri: redirect_uri } }
+      
+        context "with invalid client_id" do
+          let(:client_id) { invalid_client_id }
+
+          context "with valid redirect_uri" do
+            let(:redirect_uri) { valid_redirect_uri }
+
+            context "with valid user role" do
+              let(:user_role) { valid_user_role }
+
+              before do
+                get :authorize, params
+              end
+
+              it "should return 422 status" do
+                expect(response.status).to eq 422
+              end
+
+              it "should return 'unknown_client_id' in the response" do
+                expect(response.body).to eq "unknown_client_id"
+              end
+            end
+          end
+        end
+
+        context "with valid client_id" do
+          let(:client_id) { valid_client_id }
+  
+          context "with invalid redirect_uri" do
+            let(:redirect_uri) { invalid_redirect_uri }
+
+            context "with valid user role" do
+              let(:user_role) { valid_user_role }
+
+              before do
+                get :authorize, params
+              end
+
+              it "should return 422 status" do
+                expect(response.status).to eq 422
+              end
+
+              it "should return 'invalid_redirect_uri' in the response" do
+                expect(response.body).to eq "invalid_redirect_uri"
+              end
+            end
+          end
+
+          context "with valid redirect_uri" do
+            let(:redirect_uri) { valid_redirect_uri }
+
+            context "but with unknown user_role" do
+              let(:user_role) { invalid_user_role }
+
+              before do
+                get :authorize, params
+              end
+
+              it "should return 422 status" do
+                expect(response.status).to eq 422
+              end
+
+              it "should return 'invalid_user_role' in the response" do
+                expect(response.body).to eq "invalid_user_role"
+              end
+            end  
+
+            context "with valid user role" do
+              let(:user_role) { valid_user_role }
+
+
+              before do
+                get :authorize, params
+              end
+
+
+              context "if not authenticated" do
+                it "should redirect to devise sign in screen for this user role" do
+                  expect(response).to redirect_to(authentication_route)
+                end
+              end
+
+              context "if authenticated" do
+                context "and there is already an access token for this app_name/owner combination" do
+                  pending "should redirect to the redirect_uri specified in the app with appended '#access_token=(already present access token)'"
+                end
+                
+                context "and there is are no access token for this app_name/owner combination" do
+                  pending "should redirect to the redirect_uri specified in the app with appended '#access_token=(newly generated access token)'"
+                end
+              end
+            end          
+          end
+        end
+      end
+    end
+
+
+    context "for implicit flow" do
+      let(:response_type) { "token" }
+
+      pending "without all necessary params"
+
+      context "with all necessary params" do
+        let(:params) { { user_role: user_role, response_type: response_type, client_id: client_id, redirect_uri: redirect_uri } }
+      
+        context "with invalid client_id" do
+          let(:client_id) { invalid_client_id }
+
+          context "with valid redirect_uri" do
+            let(:redirect_uri) { valid_redirect_uri }
+
+            context "with valid user role" do
+              let(:user_role) { valid_user_role }
+
+              before do
+                get :authorize, params
+              end
+
+              it "should return 422 status" do
+                expect(response.status).to eq 422
+              end
+
+              it "should return 'unknown_client_id' in the response" do
+                expect(response.body).to eq "unknown_client_id"
+              end
+            end
+          end
+        end
+
+        context "with valid client_id" do
+          let(:client_id) { valid_client_id }
+  
+          context "with invalid redirect_uri" do
+            let(:redirect_uri) { invalid_redirect_uri }
+
+            context "with valid user role" do
+              let(:user_role) { valid_user_role }
+
+              before do
+                get :authorize, params
+              end
+
+              it "should redirect to the first redirect_uri specified in the app with appended '#error=invalid_redirect_uri'" do
+                expect(response).to redirect_to("#{valid_redirect_uri}#error=invalid_redirect_uri")
+              end
+            end
+          end
+
+          context "with valid redirect_uri" do
+            let(:redirect_uri) { valid_redirect_uri }
+
+            context "but with unknown user_role" do
+              let(:user_role) { invalid_user_role }
+
+              before do
+                get :authorize, params
+              end
+
+              it "should redirect to the first redirect_uri specified in the app with appended '#error=invalid_user_role'" do
+                expect(response).to redirect_to("#{valid_redirect_uri}#error=invalid_user_role")
+              end
+            end  
+
+            context "with valid user role" do
+              let(:user_role) { valid_user_role }
+
+
+              context "if not authenticated" do
+                before do
+                  get :authorize, params
+                end
+  
+                it "should redirect to devise sign in screen for this user role" do
+                  expect(response).to redirect_to(authentication_route)
+                end
+              end
+
+
+              context "if authenticated" do
+                let(:admin) { create(:admin) }
+
+                context "and there is already an access token for this app_name/owner combination" do
+                  context "and Leash::Provider.reuse_access_tokens is set to true" do
+                    before do
+                      expect(Leash::Provider).to receive(:reuse_access_tokens).and_return(true)
+
+                      @existing_access_token = Leash::Provider::AccessToken.assign! app_name, admin
+
+                      sign_in admin
+                      get :authorize, params
+                    end
+
+                    it "should redirect to the redirect_uri specified in the params with appended '#access_token=(already present access token)'" do
+                      expect(response).to redirect_to("#{valid_redirect_uri}#access_token=#{URI.encode(@existing_access_token)}")
+                    end
+                  end
+                  
+                  context "and Leash::Provider.reuse_access_tokens is set to false" do
+                    before do
+                      expect(Leash::Provider).to receive(:reuse_access_tokens).and_return(false)
+
+                      @existing_access_token = Leash::Provider::AccessToken.assign! app_name, admin
+
+                      sign_in admin
+                      get :authorize, params
+                    end
+
+                    it "should redirect to the redirect_uri specified in the params with appended '#access_token=(newly generated access token)'" do
+                      expect(response).not_to redirect_to("#{valid_redirect_uri}#access_token=#{URI.encode(@existing_access_token)}")
+                      expect(response).to redirect_to("#{valid_redirect_uri}#access_token=#{Leash::Provider::AccessToken.find_by_app_name_and_owner(app_name, admin).access_token}")
+                    end
+                  end
+                end
+                
+                context "and there is are no access token for this app_name/owner combination" do
+                  before do
+                    sign_in admin
+                    get :authorize, params
+                  end
+
+                  it "should redirect to the redirect_uri specified in the app with appended '#access_token=(newly generated access token)'" do
+                    expect(response).to redirect_to("#{valid_redirect_uri}#access_token=#{URI.encode(Leash::Provider::AccessToken.find_by_app_name_and_owner(app_name, admin).access_token)}")
+                  end
+                end
+              end
+            end          
+          end
+        end
+      end
+    end
+  end
+end