oauth2-aptible 0.9.4.aptible

data/lib/oauth2/error.rb

@@ -0,0 +1,24 @@
+module OAuth2
+  class Error < StandardError
+    attr_reader :response, :code, :description
+
+    # standard error values include:
+    # :invalid_request, :invalid_client, :invalid_token, :invalid_grant, :unsupported_grant_type, :invalid_scope
+    def initialize(response)
+      response.error = self
+      @response = response
+
+      message = []
+
+      if response.parsed.is_a?(Hash)
+        @code = response.parsed['error']
+        @description = response.parsed['error_description']
+        message << "#{@code}: #{@description}"
+      end
+
+      message << response.body
+
+      super(message.join("\n"))
+    end
+  end
+end

data/lib/oauth2/response.rb

@@ -0,0 +1,90 @@
+require 'multi_json'
+require 'multi_xml'
+require 'rack'
+
+module OAuth2
+  # OAuth2::Response class
+  class Response
+    attr_reader :response
+    attr_accessor :error, :options
+
+    # Adds a new content type parser.
+    #
+    # @param [Symbol] key A descriptive symbol key such as :json or :query.
+    # @param [Array] One or more mime types to which this parser applies.
+    # @yield [String] A block returning parsed content.
+    def self.register_parser(key, mime_types, &block)
+      key = key.to_sym
+      PARSERS[key] = block
+      Array(mime_types).each do |mime_type|
+        CONTENT_TYPES[mime_type] = key
+      end
+    end
+
+    # Initializes a Response instance
+    #
+    # @param [Faraday::Response] response The Faraday response instance
+    # @param [Hash] opts options in which to initialize the instance
+    # @option opts [Symbol] :parse (:automatic) how to parse the response body.  one of :query (for x-www-form-urlencoded),
+    #   :json, or :automatic (determined by Content-Type response header)
+    def initialize(response, opts = {})
+      @response = response
+      @options = {:parse => :automatic}.merge(opts)
+    end
+
+    # The HTTP response headers
+    def headers
+      response.headers
+    end
+
+    # The HTTP response status code
+    def status
+      response.status
+    end
+
+    # The HTTP response body
+    def body
+      response.body || ''
+    end
+
+    # Procs that, when called, will parse a response body according
+    # to the specified format.
+    PARSERS = {
+      :query => lambda { |body| Rack::Utils.parse_query(body) },
+      :text  => lambda { |body| body }
+    }
+
+    # Content type assignments for various potential HTTP content types.
+    CONTENT_TYPES = {
+      'application/x-www-form-urlencoded' => :query,
+      'text/plain' => :text
+    }
+
+    # The parsed response body.
+    #   Will attempt to parse application/x-www-form-urlencoded and
+    #   application/json Content-Type response bodies
+    def parsed
+      return nil unless PARSERS.key?(parser)
+      @parsed ||= PARSERS[parser].call(body)
+    end
+
+    # Attempts to determine the content type of the response.
+    def content_type
+      ((response.headers.values_at('content-type', 'Content-Type').compact.first || '').split(';').first || '').strip
+    end
+
+    # Determines the parser that will be used to supply the content of #parsed
+    def parser
+      return options[:parse].to_sym if PARSERS.key?(options[:parse])
+      CONTENT_TYPES[content_type]
+    end
+  end
+end
+
+OAuth2::Response.register_parser(:xml, ['text/xml', 'application/rss+xml', 'application/rdf+xml', 'application/atom+xml']) do |body|
+  MultiXml.parse(body) rescue body # rubocop:disable RescueModifier
+end
+
+OAuth2::Response.register_parser(:json, ['application/json', 'text/javascript', 'application/hal+json']) do |body|
+  MultiJson.load(body) rescue body # rubocop:disable RescueModifier
+end

data/lib/oauth2/strategy/assertion.rb

@@ -0,0 +1,72 @@
+require 'jwt'
+
+module OAuth2
+  module Strategy
+    # The Client Assertion Strategy
+    #
+    # @see http://tools.ietf.org/html/draft-ietf-oauth-jwt-bearer-07#section-3.1
+    #
+    # Sample usage:
+    #   client = OAuth2::Client.new(client_id, client_secret,
+    #                               :site => 'http://localhost:8080')
+    #
+    #   params = {:hmac_secret => "some secret",
+    #             # or :private_key => "private key string",
+    #             :iss => "http://localhost:3001",
+    #             :sub => "me@here.com",
+    #             :exp => Time.now.utc.to_i + 3600}
+    #
+    #   access = client.assertion.get_token(params)
+    #   access.token                 # actual access_token string
+    #   access.get("/api/stuff")     # making api calls with access token in header
+    #
+    class Assertion < Base
+      # Not used for this strategy
+      #
+      # @raise [NotImplementedError]
+      def authorize_url
+        fail(NotImplementedError, 'The authorization endpoint is not used in this strategy')
+      end
+
+      # Retrieve an access token given the specified client.
+      #
+      # @param [Hash] params assertion params
+      # pass either :hmac_secret or :private_key, but not both.
+      #
+      #   params :hmac_secret, secret string.
+      #   params :private_key, private key string.
+      #
+      #   params :iss, issuer
+      #   params :aud, audience, optional
+      #   params :sub, principal, current user
+      #   params :exp, expired at, in seconds, like Time.now.utc.to_i + 3600
+      #
+      # @param [Hash] opts options
+      def get_token(params = {}, opts = {})
+        hash = build_request(params)
+        @client.get_token(hash, opts.merge('refresh_token' => nil))
+      end
+
+      def build_request(params)
+        assertion = build_assertion(params)
+        {:grant_type     => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+         :assertion      => assertion,
+         :scope          => params[:scope]
+        }.merge(client_params)
+      end
+
+      def build_assertion(params)
+        claims = {:iss => params[:iss],
+                  :aud => params[:aud],
+                  :sub => params[:sub],
+                  :exp => params[:exp]
+                 }
+        if params[:hmac_secret]
+          JWT.encode(claims, params[:hmac_secret], params[:algorithm] || 'HS256')
+        elsif params[:private_key]
+          JWT.encode(claims, params[:private_key], params[:algorithm] || 'RS256')
+        end
+      end
+    end
+  end
+end

data/lib/oauth2/strategy/auth_code.rb

@@ -0,0 +1,33 @@
+module OAuth2
+  module Strategy
+    # The Authorization Code Strategy
+    #
+    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.1
+    class AuthCode < Base
+      # The required query parameters for the authorize URL
+      #
+      # @param [Hash] params additional query parameters
+      def authorize_params(params = {})
+        params.merge('response_type' => 'code', 'client_id' => @client.id)
+      end
+
+      # The authorization URL endpoint of the provider
+      #
+      # @param [Hash] params additional query parameters for the URL
+      def authorize_url(params = {})
+        @client.authorize_url(authorize_params.merge(params))
+      end
+
+      # Retrieve an access token given the specified validation code.
+      #
+      # @param [String] code The Authorization Code value
+      # @param [Hash] params additional params
+      # @param [Hash] opts options
+      # @note that you must also provide a :redirect_uri with most OAuth 2.0 providers
+      def get_token(code, params = {}, opts = {})
+        params = {'grant_type' => 'authorization_code', 'code' => code}.merge(client_params).merge(params)
+        @client.get_token(params, opts)
+      end
+    end
+  end
+end

data/lib/oauth2/strategy/base.rb

@@ -0,0 +1,16 @@
+module OAuth2
+  module Strategy
+    class Base
+      def initialize(client)
+        @client = client
+      end
+
+      # The OAuth client_id and client_secret
+      #
+      # @return [Hash]
+      def client_params
+        {'client_id' => @client.id, 'client_secret' => @client.secret}
+      end
+    end
+  end
+end

data/lib/oauth2/strategy/client_credentials.rb

@@ -0,0 +1,36 @@
+require 'base64'
+
+module OAuth2
+  module Strategy
+    # The Client Credentials Strategy
+    #
+    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.4
+    class ClientCredentials < Base
+      # Not used for this strategy
+      #
+      # @raise [NotImplementedError]
+      def authorize_url
+        fail(NotImplementedError, 'The authorization endpoint is not used in this strategy')
+      end
+
+      # Retrieve an access token given the specified client.
+      #
+      # @param [Hash] params additional params
+      # @param [Hash] opts options
+      def get_token(params = {}, opts = {})
+        request_body = opts.delete('auth_scheme') == 'request_body'
+        params.merge!('grant_type' => 'client_credentials')
+        params.merge!(request_body ? client_params : {:headers => {'Authorization' => authorization(client_params['client_id'], client_params['client_secret'])}})
+        @client.get_token(params, opts.merge('refresh_token' => nil))
+      end
+
+      # Returns the Authorization header value for Basic Authentication
+      #
+      # @param [String] The client ID
+      # @param [String] the client secret
+      def authorization(client_id, client_secret)
+        'Basic ' + Base64.encode64(client_id + ':' + client_secret).gsub("\n", '')
+      end
+    end
+  end
+end

data/lib/oauth2/strategy/implicit.rb

@@ -0,0 +1,29 @@
+module OAuth2
+  module Strategy
+    # The Implicit Strategy
+    #
+    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-4.2
+    class Implicit < Base
+      # The required query parameters for the authorize URL
+      #
+      # @param [Hash] params additional query parameters
+      def authorize_params(params = {})
+        params.merge('response_type' => 'token', 'client_id' => @client.id)
+      end
+
+      # The authorization URL endpoint of the provider
+      #
+      # @param [Hash] params additional query parameters for the URL
+      def authorize_url(params = {})
+        @client.authorize_url(authorize_params.merge(params))
+      end
+
+      # Not used for this strategy
+      #
+      # @raise [NotImplementedError]
+      def get_token(*)
+        fail(NotImplementedError, 'The token is accessed differently in this strategy')
+      end
+    end
+  end
+end

data/lib/oauth2/strategy/password.rb

@@ -0,0 +1,27 @@
+module OAuth2
+  module Strategy
+    # The Resource Owner Password Credentials Authorization Strategy
+    #
+    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.3
+    class Password < Base
+      # Not used for this strategy
+      #
+      # @raise [NotImplementedError]
+      def authorize_url
+        fail(NotImplementedError, 'The authorization endpoint is not used in this strategy')
+      end
+
+      # Retrieve an access token given the specified End User username and password.
+      #
+      # @param [String] username the End User username
+      # @param [String] password the End User password
+      # @param [Hash] params additional params
+      def get_token(username, password, params = {}, opts = {})
+        params = {'grant_type' => 'password',
+                  'username'   => username,
+                  'password'   => password}.merge(client_params).merge(params)
+        @client.get_token(params, opts)
+      end
+    end
+  end
+end

data/lib/oauth2/version.rb

@@ -0,0 +1,15 @@
+module OAuth2
+  class Version
+    MAJOR = 0
+    MINOR = 9
+    PATCH = 4
+    PRE = 'aptible'
+
+    class << self
+      # @return [String]
+      def to_s
+        [MAJOR, MINOR, PATCH, PRE].compact.join('.')
+      end
+    end
+  end
+end

data/oauth2.gemspec

@@ -0,0 +1,27 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'oauth2/version'
+
+Gem::Specification.new do |spec|
+  spec.add_development_dependency 'bundler', '~> 1.0'
+  spec.add_dependency 'faraday', ['>= 0.8', '< 0.10']
+  spec.add_dependency 'multi_json', '~> 1.3'
+  spec.add_dependency 'multi_xml', '~> 0.5'
+  spec.add_dependency 'rack', '~> 1.2'
+  spec.add_dependency 'jwt', '~> 0.1.8'
+  spec.authors       = ['Frank Macreery']
+  spec.description   = %q{A Ruby wrapper for the OAuth 2.0 protocol built with a similar style to the original OAuth spec.}
+  spec.email         = ['frank@macreery.com']
+  spec.files         = %w(.document CONTRIBUTING.md LICENSE.md README.md Rakefile oauth2.gemspec)
+  spec.files        += Dir.glob('lib/**/*.rb')
+  spec.files        += Dir.glob('spec/**/*')
+  spec.homepage      = 'http://github.com/fancyremarker/oauth2-aptible'
+  spec.licenses      = ['MIT']
+  spec.name          = 'oauth2-aptible'
+  spec.require_paths = ['lib']
+  spec.required_rubygems_version = '>= 1.3.5'
+  spec.summary       = %q{A Ruby wrapper for the OAuth 2.0 protocol.}
+  spec.test_files    = Dir.glob('spec/**/*')
+  spec.version       = OAuth2::Version
+end

data/spec/helper.rb

@@ -0,0 +1,29 @@
+require 'simplecov'
+require 'coveralls'
+
+SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter[
+  SimpleCov::Formatter::HTMLFormatter,
+  Coveralls::SimpleCov::Formatter
+]
+
+SimpleCov.start do
+  add_filter '/spec/'
+  minimum_coverage(95.29)
+end
+
+require 'oauth2'
+require 'addressable/uri'
+require 'rspec'
+require 'rspec/autorun'
+
+RSpec.configure do |config|
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+end
+
+Faraday.default_adapter = :test
+
+RSpec.configure do |conf|
+  include OAuth2
+end

data/spec/oauth2/access_token_spec.rb

@@ -0,0 +1,172 @@
+require 'helper'
+
+VERBS = [:get, :post, :put, :delete]
+
+describe AccessToken do
+  let(:token) { 'monkey' }
+  let(:token_body) { MultiJson.encode(:access_token => 'foo', :expires_in => 600, :refresh_token => 'bar') }
+  let(:refresh_body) { MultiJson.encode(:access_token => 'refreshed_foo', :expires_in => 600, :refresh_token => 'refresh_bar') }
+  let(:client) do
+    Client.new('abc', 'def', :site => 'https://api.example.com') do |builder|
+      builder.request :url_encoded
+      builder.adapter :test do |stub|
+        VERBS.each do |verb|
+          stub.send(verb, '/token/header') { |env| [200, {}, env[:request_headers]['Authorization']] }
+          stub.send(verb, "/token/query?access_token=#{token}") { |env| [200, {}, Addressable::URI.parse(env[:url]).query_values['access_token']] }
+          stub.send(verb, '/token/body') { |env| [200, {}, env[:body]] }
+        end
+        stub.post('/oauth/token') { |env| [200, {'Content-Type' => 'application/json'}, refresh_body] }
+      end
+    end
+  end
+
+  subject { AccessToken.new(client, token) }
+
+  describe '#initialize' do
+    it 'assigns client and token' do
+      expect(subject.client).to eq(client)
+      expect(subject.token).to  eq(token)
+    end
+
+    it 'assigns extra params' do
+      target = AccessToken.new(client, token, 'foo' => 'bar')
+      expect(target.params).to include('foo')
+      expect(target.params['foo']).to eq('bar')
+    end
+
+    def assert_initialized_token(target)
+      expect(target.token).to eq(token)
+      expect(target).to be_expires
+      expect(target.params.keys).to include('foo')
+      expect(target.params['foo']).to eq('bar')
+    end
+
+    it 'initializes with a Hash' do
+      hash = {:access_token => token, :expires_at => Time.now.to_i + 200, 'foo' => 'bar'}
+      target = AccessToken.from_hash(client, hash)
+      assert_initialized_token(target)
+    end
+
+    it 'initalizes with a form-urlencoded key/value string' do
+      kvform = "access_token=#{token}&expires_at=#{Time.now.to_i + 200}&foo=bar"
+      target = AccessToken.from_kvform(client, kvform)
+      assert_initialized_token(target)
+    end
+
+    it 'sets options' do
+      target = AccessToken.new(client, token, :param_name => 'foo', :header_format => 'Bearer %', :mode => :body)
+      expect(target.options[:param_name]).to eq('foo')
+      expect(target.options[:header_format]).to eq('Bearer %')
+      expect(target.options[:mode]).to eq(:body)
+    end
+
+    it 'initializes with a string expires_at' do
+      hash = {:access_token => token, :expires_at => '1361396829', 'foo' => 'bar'}
+      target = AccessToken.from_hash(client, hash)
+      assert_initialized_token(target)
+      expect(target.expires_at).to be_a(Integer)
+    end
+  end
+
+  describe '#request' do
+    context ':mode => :header' do
+      before do
+        subject.options[:mode] = :header
+      end
+
+      VERBS.each do |verb|
+        it "sends the token in the Authorization header for a #{verb.to_s.upcase} request" do
+          expect(subject.post('/token/header').body).to include(token)
+        end
+      end
+    end
+
+    context ':mode => :query' do
+      before do
+        subject.options[:mode] = :query
+      end
+
+      VERBS.each do |verb|
+        it "sends the token in the Authorization header for a #{verb.to_s.upcase} request" do
+          expect(subject.post('/token/query').body).to eq(token)
+        end
+      end
+    end
+
+    context ':mode => :body' do
+      before do
+        subject.options[:mode] = :body
+      end
+
+      VERBS.each do |verb|
+        it "sends the token in the Authorization header for a #{verb.to_s.upcase} request" do
+          expect(subject.post('/token/body').body.split('=').last).to eq(token)
+        end
+      end
+    end
+  end
+
+  describe '#expires?' do
+    it 'is false if there is no expires_at' do
+      expect(AccessToken.new(client, token)).not_to be_expires
+    end
+
+    it 'is true if there is an expires_in' do
+      expect(AccessToken.new(client, token, :refresh_token => 'abaca', :expires_in => 600)).to be_expires
+    end
+
+    it 'is true if there is an expires_at' do
+      expect(AccessToken.new(client, token, :refresh_token => 'abaca', :expires_in => Time.now.getutc.to_i + 600)).to be_expires
+    end
+  end
+
+  describe '#expired?' do
+    it 'is false if there is no expires_in or expires_at' do
+      expect(AccessToken.new(client, token)).not_to be_expired
+    end
+
+    it 'is false if expires_in is in the future' do
+      expect(AccessToken.new(client, token, :refresh_token => 'abaca', :expires_in => 10_800)).not_to be_expired
+    end
+
+    it 'is true if expires_at is in the past' do
+      access = AccessToken.new(client, token, :refresh_token => 'abaca', :expires_in => 600)
+      @now = Time.now + 10_800
+      allow(Time).to receive(:now).and_return(@now)
+      expect(access).to be_expired
+    end
+
+  end
+
+  describe '#refresh!' do
+    let(:access) do
+      AccessToken.new(client, token, :refresh_token  => 'abaca',
+                                     :expires_in     => 600,
+                                     :param_name     => 'o_param')
+    end
+
+    it 'returns a refresh token with appropriate values carried over' do
+      refreshed = access.refresh!
+      expect(access.client).to eq(refreshed.client)
+      expect(access.options[:param_name]).to eq(refreshed.options[:param_name])
+    end
+
+    context 'with a nil refresh_token in the response' do
+      let(:refresh_body) { MultiJson.encode(:access_token => 'refreshed_foo', :expires_in => 600, :refresh_token => nil) }
+
+      it 'copies the refresh_token from the original token' do
+        refreshed = access.refresh!
+
+        expect(refreshed.refresh_token).to eq(access.refresh_token)
+      end
+    end
+  end
+
+  describe '#to_hash' do
+    it 'return a hash equals to the hash used to initialize access token' do
+      hash = {:access_token => token, :refresh_token => 'foobar', :expires_at => Time.now.to_i + 200, 'foo' => 'bar'}
+      access_token = AccessToken.from_hash(client, hash.clone)
+      expect(access_token.to_hash).to eq(hash)
+    end
+  end
+end