motionauth-oauth2 1.0.0

data/lib/oauth2/access_token.rb

@@ -0,0 +1,177 @@
+module OAuth2
+  class AccessToken
+    attr_reader :client, :token, :expires_in, :expires_at, :params
+    attr_accessor :options, :refresh_token
+
+    class << self
+      # Initializes an AccessToken from a Hash
+      #
+      # @param [Client] the OAuth2::Client instance
+      # @param [Hash] a hash of AccessToken property values
+      # @return [AccessToken] the initalized AccessToken
+      def from_hash(client, hash)
+        new(client, hash.delete("access_token") || hash.delete(:access_token), hash)
+      end
+
+      # Initializes an AccessToken from a key/value application/x-www-form-urlencoded string
+      #
+      # @param [Client] client the OAuth2::Client instance
+      # @param [String] kvform the application/x-www-form-urlencoded string
+      # @return [AccessToken] the initalized AccessToken
+      def from_kvform(client, kvform)
+        from_hash(client, Utils.params_from_query(kvform))
+      end
+    end
+
+    # Initalize an AccessToken
+    #
+    # @param [Client] client the OAuth2::Client instance
+    # @param [String] token the Access Token value
+    # @param [Hash] opts the options to create the Access Token with
+    # @option opts [String] :refresh_token (nil) the refresh_token value
+    # @option opts [FixNum, String] :expires_in (nil) the number of seconds in which the AccessToken will expire
+    # @option opts [FixNum, String] :expires_at (nil) the epoch time in seconds in which AccessToken will expire
+    # @option opts [Symbol] :mode (:header) the transmission mode of the Access Token parameter value
+    #    one of :header, :body or :query
+    # @option opts [String] :header_format ("Bearer %s") the string format to use for the Authorization header
+    # @option opts [String] :param_name ("access_token") the parameter name to use for transmission of the
+    #    Access Token value in :body or :query transmission mode
+    def initialize(client, token, opts = {})
+      @client = client
+      @token = token.to_s
+      [:refresh_token, :expires_in, :expires_at].each do |arg|
+        instance_variable_set("@#{arg}", opts.delete(arg) || opts.delete(arg.to_s))
+      end
+      @expires_in ||= opts.delete("expires")
+      @expires_in &&= @expires_in.to_i
+      @expires_at &&= @expires_at.to_i
+      @expires_at ||= Time.now.to_i + @expires_in if @expires_in
+      @options = {
+        mode:          opts.delete(:mode) || :header,
+        header_format: opts.delete(:header_format) || "Bearer %s",
+        param_name:    opts.delete(:param_name) || "access_token"
+      }
+      @params = opts
+    end
+
+    # Indexer to additional params present in token response
+    #
+    # @param [String] key entry key to Hash
+    def [](key)
+      @params[key]
+    end
+
+    # Whether or not the token expires
+    #
+    # @return [Boolean]
+    def expires?
+      !!@expires_at # rubocop:disable DoubleNegation
+    end
+
+    # Whether or not the token is expired
+    #
+    # @return [Boolean]
+    def expired?
+      expires? && (expires_at < Time.now.to_i)
+    end
+
+    # Refreshes the current Access Token
+    #
+    # @return [AccessToken] a new AccessToken
+    # @note options should be carried over to the new AccessToken
+    def refresh!(params = {})
+      fail("A refresh_token is not available") unless refresh_token
+      params.merge!(
+        client_id:     @client.id,
+        client_secret: @client.secret,
+        grant_type:    "refresh_token",
+        refresh_token: refresh_token
+      )
+      new_token = @client.get_token(params)
+      new_token.options = options
+      new_token.refresh_token = refresh_token unless new_token.refresh_token
+      new_token
+    end
+
+    # Convert AccessToken to a hash which can be used to rebuild itself with AccessToken.from_hash
+    #
+    # @return [Hash] a hash of AccessToken property values
+    def to_hash
+      params.merge(access_token: token, refresh_token: refresh_token, expires_at: expires_at)
+    end
+
+    # Make a request with the Access Token
+    #
+    # @param [Symbol] verb the HTTP request method
+    # @param [String] path the HTTP URL path of the request
+    # @param [Hash] opts the options to make the request with
+    # @see Client#request
+    def request(verb, path, opts = {}, &block)
+      self.token = opts
+      @client.request(verb, path, opts, &block)
+    end
+
+    # Make a GET request with the Access Token
+    #
+    # @see AccessToken#request
+    def get(path, opts = {}, &block)
+      request(:get, path, opts, &block)
+    end
+
+    # Make a POST request with the Access Token
+    #
+    # @see AccessToken#request
+    def post(path, opts = {}, &block)
+      request(:post, path, opts, &block)
+    end
+
+    # Make a PUT request with the Access Token
+    #
+    # @see AccessToken#request
+    def put(path, opts = {}, &block)
+      request(:put, path, opts, &block)
+    end
+
+    # Make a PATCH request with the Access Token
+    #
+    # @see AccessToken#request
+    def patch(path, opts = {}, &block)
+      request(:patch, path, opts, &block)
+    end
+
+    # Make a DELETE request with the Access Token
+    #
+    # @see AccessToken#request
+    def delete(path, opts = {}, &block)
+      request(:delete, path, opts, &block)
+    end
+
+    # Get the headers hash (includes Authorization token)
+    def headers
+      { "Authorization" => options[:header_format] % token }
+    end
+
+  private
+
+    def token=(opts) # rubocop:disable MethodLength
+      case options[:mode]
+      when :header
+        opts[:headers] ||= {}
+        opts[:headers].merge!(headers)
+      when :query
+        opts[:params] ||= {}
+        opts[:params][options[:param_name]] = token
+      when :body
+        opts[:body] ||= {}
+        if opts[:body].is_a?(Hash)
+          opts[:body][options[:param_name]] = token
+        else
+          opts[:body] << "&#{options[:param_name]}=#{token}"
+        end
+        # @todo support for multi-part (file uploads)
+      else
+        fail("invalid :mode option of #{options[:mode]}")
+      end
+    end
+  end
+end

data/lib/oauth2/client.rb

@@ -0,0 +1,163 @@
+module OAuth2
+  # The OAuth2::Client class
+  class Client
+    attr_reader :id, :secret, :site
+    attr_accessor :options
+    attr_writer :connection
+
+    # Instantiate a new OAuth 2.0 client using the
+    # Client ID and Client Secret registered to your
+    # application.
+    #
+    # @param [String] client_id the client_id value
+    # @param [String] client_secret the client_secret value
+    # @param [Hash] opts the options to create the client with
+    # @option opts [String] :site the OAuth2 provider site host
+    # @option opts [String] :authorize_url ("/oauth/authorize") absolute or relative URL path to the Authorization endpoint
+    # @option opts [String] :token_url ("/oauth/token") absolute or relative URL path to the Token endpoint
+    # @option opts [Symbol] :token_method (:post) HTTP method to use to request token (:get or :post)
+    # @option opts [Hash] :connection_opts ({}) Hash of connection options to pass to initialize Faraday with
+    # @option opts [FixNum] :max_redirects (5) maximum number of redirects to follow
+    # @option opts [Boolean] :raise_errors (true) whether or not to raise an OAuth2::Error
+    #  on responses with 400+ status codes
+    def initialize(client_id, client_secret, options = {})
+      opts = options.dup
+      @id = client_id
+      @secret = client_secret
+      @site = opts.delete(:site)
+      ssl = opts.delete(:ssl)
+      @options = {
+        authorize_url:   "/oauth/authorize",
+        token_url:       "/oauth/token",
+        token_method:    :post,
+        connection_opts: {},
+        max_redirects:   5,
+        raise_errors:    true
+      }.merge(opts)
+      @options[:connection_opts][:ssl] = ssl if ssl
+    end
+
+    # Set the site host
+    #
+    # @param [String] the OAuth2 provider site host
+    def site=(value)
+      @connection = nil
+      @site = value
+    end
+
+    # The OAuth2::Connection object
+    def connection
+      @connection ||= Connection.new(site, options[:connection_opts])
+    end
+
+    # The authorize endpoint URL of the OAuth2 provider
+    #
+    # @param [Hash] params additional query parameters
+    def authorize_url(params = nil)
+      connection.build_url(options[:authorize_url], params).to_s
+    end
+
+    # The token endpoint URL of the OAuth2 provider
+    #
+    # @param [Hash] params additional query parameters
+    def token_url(params = nil)
+      connection.build_url(options[:token_url], params).to_s
+    end
+
+    # Makes a request relative to the specified site root.
+    #
+    # @param [Symbol] verb one of :get, :post, :put, :delete
+    # @param [String] url URL path of request
+    # @param [Hash] opts the options to make the request with
+    # @option opts [Hash] :params additional query parameters for the URL of the request
+    # @option opts [Hash, String] :body the body of the request
+    # @option opts [Hash] :headers http request headers
+    # @option opts [Boolean] :raise_errors whether or not to raise an OAuth2::Error on 400+ status
+    #   code response for this request.  Will default to client option
+    # @option opts [Symbol] :parse @see Response::initialize
+    # @yield [req] The OAuth2::Request
+    def request(verb, url, opts = {}) # rubocop:disable CyclomaticComplexity, MethodLength
+      # connection.response :logger, ::Logger.new($stdout) if ENV["OAUTH_DEBUG"] == "true"
+
+      url = connection.build_url(url, opts[:params]).to_s
+      response = connection.run_request(verb, url, opts[:body], opts[:headers], opts[:parse])
+
+      case response.status
+      when 301, 302, 303, 307
+        opts[:redirect_count] ||= 0
+        opts[:redirect_count] += 1
+        return response if opts[:redirect_count] > options[:max_redirects]
+        if response.status == 303
+          verb = :get
+          opts.delete(:body)
+        end
+        request(verb, response.headers["location"], opts)
+      when 200..299, 300..399
+        # on non-redirecting 3xx statuses, just return the response
+        response
+      when 400..599
+        error = Error.new(response)
+        fail(error) if opts.fetch(:raise_errors, options[:raise_errors])
+        response.error = error
+        response
+      else
+        error = Error.new(response)
+        fail(error, "Unhandled status code value of #{response.status}")
+      end
+    end
+
+    # Initializes an AccessToken by making a request to the token endpoint
+    #
+    # @param [Hash] params a Hash of params for the token endpoint
+    # @param [Hash] access token options, to pass to the AccessToken object
+    # @param [Class] class of access token for easier subclassing OAuth2::AccessToken
+    # @return [AccessToken] the initalized AccessToken
+    def get_token(params, access_token_opts = {}, access_token_class = AccessToken)
+      opts = { raise_errors: options[:raise_errors], parse: params.delete(:parse) }
+      if options[:token_method] == :post
+        headers = params.delete(:headers)
+        opts[:body] = params
+        opts[:headers] =  { "Content-Type" => "application/x-www-form-urlencoded" }
+        opts[:headers].merge!(headers) if headers
+      else
+        opts[:params] = params
+      end
+      response = request(options[:token_method], token_url, opts)
+      error = Error.new(response)
+      fail(error) if options[:raise_errors] && !(response.parsed.is_a?(Hash) && response.parsed["access_token"])
+      access_token_class.from_hash(self, response.parsed.merge(access_token_opts))
+    end
+
+    # The Authorization Code strategy
+    #
+    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.1
+    def auth_code
+      @auth_code ||= OAuth2::Strategy::AuthCode.new(self)
+    end
+
+    # The Implicit strategy
+    #
+    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-4.2
+    def implicit
+      @implicit ||= OAuth2::Strategy::Implicit.new(self)
+    end
+
+    # The Resource Owner Password Credentials strategy
+    #
+    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.3
+    def password
+      @password ||= OAuth2::Strategy::Password.new(self)
+    end
+
+    # The Client Credentials strategy
+    #
+    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.4
+    def client_credentials
+      @client_credentials ||= OAuth2::Strategy::ClientCredentials.new(self)
+    end
+
+    def assertion
+      @assertion ||= OAuth2::Strategy::Assertion.new(self)
+    end
+  end
+end

data/lib/oauth2/connection.rb

@@ -0,0 +1,35 @@
+module OAuth2
+  class Connection
+    # A Set of allowed HTTP verbs.
+    METHODS = [:get, :post, :put, :delete, :head, :patch, :options]
+
+    # Public: Returns a Hash of URI query unencoded key/value pairs.
+    attr_reader :params
+
+    # Public: Returns a Hash of unencoded HTTP header key/value pairs.
+    attr_reader :headers
+
+    # Public: Returns a URI with the prefix used for all requests from this
+    # Connection.  This includes a default host name, scheme, port, and path.
+    attr_reader :url_prefix
+
+    # Public: Returns the Faraday::Builder for this Connection.
+    attr_reader :builder
+
+    # Public: Returns a Hash of the request options.
+    attr_reader :options
+
+    # Public: Returns a Hash of the SSL options.
+    attr_reader :ssl
+
+    # Public: Sets the Hash of unencoded HTTP header key/value pairs.
+    def headers=(hash)
+      @headers.replace(hash)
+    end
+
+    # Public: Sets the Hash of URI query unencoded key/value pairs.
+    def params=(hash)
+      @params.replace(hash)
+    end
+  end
+end

data/lib/oauth2/error.rb

@@ -0,0 +1,24 @@
+module OAuth2
+  class Error < StandardError
+    attr_reader :response, :code, :description
+
+    # standard error values include:
+    # :invalid_request, :invalid_client, :invalid_token, :invalid_grant, :unsupported_grant_type, :invalid_scope
+    def initialize(response)
+      response.error = self
+      @response = response
+
+      message = []
+
+      if response.parsed.is_a?(Hash)
+        @code = response.parsed["error"]
+        @description = response.parsed["error_description"]
+        message << "#{@code}: #{@description}"
+      end
+
+      message << response.body
+
+      super(message.join("\n"))
+    end
+  end
+end

data/lib/oauth2/mac_token.rb

@@ -0,0 +1,74 @@
+module OAuth2
+  class MACToken < AccessToken
+    # Generates a MACToken from an AccessToken and secret
+    #
+    # @param [AccessToken] token the OAuth2::Token instance
+    # @option [String] secret the secret key value
+    # @param [Hash] opts the options to create the Access Token with
+    # @see MACToken#initialize
+    def self.from_access_token(token, secret, options = {})
+      new(token.client, token.token, secret, token.params.merge(
+        refresh_token: token.refresh_token,
+        expires_in:    token.expires_in,
+        expires_at:    token.expires_at
+      ).merge(options))
+    end
+
+    attr_reader :algorithm, :secret
+
+    # Initalize a MACToken
+    #
+    # @param [Client] client the OAuth2::Client instance
+    # @param [String] token the Access Token value
+    # @option [String] secret the secret key value
+    # @param [Hash] opts the options to create the Access Token with
+    # @option opts [String] :refresh_token (nil) the refresh_token value
+    # @option opts [FixNum, String] :expires_in (nil) the number of seconds in which the AccessToken will expire
+    # @option opts [FixNum, String] :expires_at (nil) the epoch time in seconds in which AccessToken will expire
+    # @option opts [FixNum, String] :algorithm (hmac-sha-256) the algorithm to use for the HMAC digest (one of 'hmac-sha-256', 'hmac-sha-1')
+    def initialize(client, token, secret, opts = {})
+      @secret = secret
+      self.algorithm = opts.delete(:algorithm) || "hmac-sha-256"
+
+      super(client, token, opts)
+    end
+
+    # Make a request with the MAC Token
+    #
+    # @param [Symbol] verb the HTTP request method
+    # @param [String] path the HTTP URL path of the request
+    # @param [Hash] opts the options to make the request with
+    # @see Client#request
+    def request(verb, path, opts = {}, &block)
+      url = client.connection.build_url(path, opts[:params]).to_s
+
+      opts[:headers] ||= {}
+      opts[:headers].merge!("Authorization" => header(verb, url))
+
+      @client.request(verb, path, opts, &block)
+    end
+
+    # Get the headers hash (always an empty hash)
+    def headers
+      {}
+    end
+
+    # Generate the MAC header
+    #
+    # @param [Symbol] verb the HTTP request method
+    # @param [String] url the HTTP URL path of the request
+    def header(verb, url)
+      timestamp = Time.now.utc.to_i
+      nonce = generate_nonce
+      mac = signature(timestamp, nonce, verb, url)
+      "MAC id=\"#{token}\", ts=\"#{timestamp}\", nonce=\"#{nonce}\", mac=\"#{mac}\""
+    end
+
+  private
+
+    # No-op since we need the verb and path
+    # and the MAC always goes in a header
+    def token=(_)
+    end
+  end
+end