oauth2-provider-jonrowe 0.1.0

data/lib/oauth2/model/client.rb

@@ -0,0 +1,55 @@
+module OAuth2
+  module Model
+    
+    class Client < ActiveRecord::Base
+      set_table_name :oauth2_clients
+      
+      belongs_to :oauth2_client_owner, :polymorphic => true
+      alias :owner  :oauth2_client_owner
+      alias :owner= :oauth2_client_owner=
+          
+      has_many :authorizations, :class_name => 'OAuth2::Model::Authorization', :dependent => :destroy
+      
+      validates_uniqueness_of :client_id
+      validates_presence_of   :name, :redirect_uri
+      validate :check_format_of_redirect_uri
+      
+      attr_accessible :name, :redirect_uri
+      
+      before_create :generate_credentials
+      
+      def self.create_client_id
+        OAuth2.generate_id do |client_id|
+          count(:conditions => {:client_id => client_id}).zero?
+        end
+      end
+      
+      attr_reader :client_secret
+      
+      def client_secret=(secret)
+        @client_secret = secret
+        self.client_secret_hash = BCrypt::Password.create(secret)
+      end
+      
+      def valid_client_secret?(secret)
+        BCrypt::Password.new(client_secret_hash) == secret
+      end
+      
+    private
+      
+      def check_format_of_redirect_uri
+        uri = URI.parse(redirect_uri)
+        errors.add(:redirect_uri, 'must be an absolute URI') unless uri.absolute?
+      rescue
+        errors.add(:redirect_uri, 'must be a URI')
+      end
+      
+      def generate_credentials
+        self.client_id = self.class.create_client_id
+        self.client_secret = OAuth2.random_string
+      end
+    end
+    
+  end
+end
+

data/lib/oauth2/model/client_owner.rb

@@ -0,0 +1,13 @@
+module OAuth2
+  module Model
+    
+    module ClientOwner
+      def self.included(klass)
+        klass.has_many :oauth2_clients,
+                       :class_name => 'OAuth2::Model::Client',
+                       :as => :oauth2_client_owner
+      end
+    end
+    
+  end
+end

data/lib/oauth2/model/hashing.rb

@@ -0,0 +1,27 @@
+module OAuth2
+  module Model
+    
+    module Hashing
+      def hashes_attributes(*attributes)
+        attributes.each do |attribute|
+          define_method("#{attribute}=") do |value|
+            instance_variable_set("@#{attribute}", value)
+            __send__("#{attribute}_hash=", value && OAuth2.hashify(value))
+          end
+          attr_reader attribute
+        end
+        
+        class_eval <<-RUBY
+          def reload(*args)
+            super
+            #{ attributes.inspect }.each do |attribute|
+              instance_variable_set('@' + attribute.to_s, nil)
+            end
+          end
+        RUBY
+      end
+    end
+    
+  end
+end
+

data/lib/oauth2/model/resource_owner.rb

@@ -0,0 +1,26 @@
+module OAuth2
+  module Model
+    
+    module ResourceOwner
+      def self.included(klass)
+        klass.has_many :oauth2_authorizations,
+                       :class_name => 'OAuth2::Model::Authorization',
+                       :as => :oauth2_resource_owner,
+                       :dependent => :destroy
+      end
+      
+      def grant_access!(client, options = {})
+        authorization = oauth2_authorizations.find_by_client_id(client.id) ||
+                        Model::Authorization.create(:owner => self, :client => client)
+        
+        if scopes = options[:scopes]
+          scopes = authorization.scopes + scopes
+          authorization.update_attribute(:scope, scopes.join(' '))
+        end
+        
+        authorization
+      end
+    end
+    
+  end
+end

data/lib/oauth2/model/schema.rb

@@ -0,0 +1,42 @@
+module OAuth2
+  module Model
+    
+    class Schema < ActiveRecord::Migration
+      def self.up
+        create_table :oauth2_clients, :force => true do |t|
+          t.timestamps
+          t.string     :oauth2_client_owner_type
+          t.integer    :oauth2_client_owner_id
+          t.string     :name
+          t.string     :client_id
+          t.string     :client_secret_hash
+          t.string     :redirect_uri
+        end
+        add_index :oauth2_clients, :client_id
+        
+        create_table :oauth2_authorizations, :force => true do |t|
+          t.timestamps
+          t.string     :oauth2_resource_owner_type
+          t.integer    :oauth2_resource_owner_id
+          t.belongs_to :client
+          t.string     :scope
+          t.string     :code,               :limit => 40
+          t.string     :access_token_hash,  :limit => 40
+          t.string     :refresh_token_hash, :limit => 40
+          t.datetime   :expires_at
+        end
+        add_index :oauth2_authorizations, [:client_id, :code]
+        add_index :oauth2_authorizations, [:access_token_hash]
+        add_index :oauth2_authorizations, [:client_id, :access_token_hash]
+        add_index :oauth2_authorizations, [:client_id, :refresh_token_hash]
+      end
+      
+      def self.down
+        drop_table :oauth2_clients
+        drop_table :oauth2_authorizations
+      end
+    end
+    
+  end
+end
+

data/lib/oauth2/provider.rb

@@ -0,0 +1,117 @@
+require 'cgi'
+require 'digest/sha1'
+require 'bcrypt'
+require 'json'
+require 'active_record'
+
+module OAuth2
+  ROOT = File.expand_path(File.dirname(__FILE__) + '/..')
+  TOKEN_SIZE = 128
+  
+  autoload :Model,  ROOT + '/oauth2/model'
+  autoload :Router, ROOT + '/oauth2/router'
+  
+  def self.random_string
+    rand(2 ** TOKEN_SIZE).to_s(36)
+  end
+  
+  def self.generate_id(&predicate)
+    id = random_string
+    id = random_string until predicate.call(id)
+    id
+  end
+  
+  def self.hashify(token)
+    return nil unless String === token
+    Digest::SHA1.hexdigest(token)
+  end
+  
+  ACCESS_TOKEN           = 'access_token'
+  ASSERTION              = 'assertion'
+  ASSERTION_TYPE         = 'assertion_type'
+  AUTHORIZATION_CODE     = 'authorization_code'
+  CLIENT_ID              = 'client_id'
+  CLIENT_SECRET          = 'client_secret'
+  CODE                   = 'code'
+  CODE_AND_TOKEN         = 'code_and_token'
+  DURATION               = 'duration'
+  ERROR                  = 'error'
+  ERROR_DESCRIPTION      = 'error_description'
+  EXPIRES_IN             = 'expires_in'
+  GRANT_TYPE             = 'grant_type'
+  OAUTH_TOKEN            = 'oauth_token'
+  PASSWORD               = 'password'
+  REDIRECT_URI           = 'redirect_uri'
+  REFRESH_TOKEN          = 'refresh_token'
+  RESPONSE_TYPE          = 'response_type'
+  SCOPE                  = 'scope'
+  STATE                  = 'state'
+  TOKEN                  = 'token'
+  USERNAME               = 'username'
+  
+  INVALID_REQUEST        = 'invalid_request'
+  UNSUPPORTED_RESPONSE   = 'unsupported_response_type'
+  REDIRECT_MISMATCH      = 'redirect_uri_mismatch'
+  UNSUPPORTED_GRANT_TYPE = 'unsupported_grant_type'
+  INVALID_GRANT          = 'invalid_grant'
+  INVALID_CLIENT         = 'invalid_client'
+  UNAUTHORIZED_CLIENT    = 'unauthorized_client'
+  INVALID_SCOPE          = 'invalid_scope'
+  INVALID_TOKEN          = 'invalid_token'
+  EXPIRED_TOKEN          = 'expired_token'
+  INSUFFICIENT_SCOPE     = 'insufficient_scope'
+  ACCESS_DENIED          = 'access_denied'
+  
+  class Provider
+    class << self
+      attr_accessor :realm, :enforce_ssl
+    end
+    
+    def self.clear_assertion_handlers!
+      @password_handler   = nil
+      @assertion_handlers = {}
+      @assertion_filters  = []
+    end
+    
+    clear_assertion_handlers!
+    
+    def self.handle_passwords(&block)
+      @password_handler = block
+    end
+    
+    def self.handle_password(client, username, password)
+      return nil unless @password_handler
+      @password_handler.call(client, username, password)
+    end
+    
+    def self.filter_assertions(&filter)
+      @assertion_filters.push(filter)
+    end
+    
+    def self.handle_assertions(assertion_type, &handler)
+      @assertion_handlers[assertion_type] = handler
+    end
+    
+    def self.handle_assertion(client, assertion)
+      return nil unless @assertion_filters.all? { |f| f.call(client) }
+      handler = @assertion_handlers[assertion.type]
+      handler ? handler.call(client, assertion.value) : nil
+    end
+    
+    def self.parse(*args)
+      Router.parse(*args)
+    end
+    
+    def self.access_token(*args)
+      Router.access_token(*args)
+    end
+    
+    EXPIRY_TIME            = 3600
+    
+    autoload :Authorization, ROOT + '/oauth2/provider/authorization'
+    autoload :Exchange,      ROOT + '/oauth2/provider/exchange'
+    autoload :AccessToken,   ROOT + '/oauth2/provider/access_token'
+    autoload :Error,         ROOT + '/oauth2/provider/error'
+  end
+end
+

data/lib/oauth2/provider/access_token.rb

@@ -0,0 +1,66 @@
+module OAuth2
+  class Provider
+    
+    class AccessToken
+      attr_reader :authorization
+      
+      def initialize(resource_owner = nil, scopes = [], access_token = nil, error = nil)
+        @resource_owner = resource_owner
+        @scopes         = scopes
+        @access_token   = access_token
+        @error          = error && INVALID_REQUEST
+        
+        authorize!(access_token, error)
+        validate!
+      end
+      
+      def client
+        valid? ? @authorization.client : nil
+      end
+      
+      def owner
+        valid? ? @authorization.owner : nil
+      end
+      
+      def response_headers
+        return {} if valid?
+        error_message =  "OAuth realm='#{ Provider.realm }'"
+        error_message << ", error='#{ @error }'" unless @error == ''
+        {'WWW-Authenticate' => error_message}
+      end
+      
+      def response_status
+        case @error
+          when INVALID_REQUEST, INVALID_TOKEN, EXPIRED_TOKEN then 401
+          when INSUFFICIENT_SCOPE                            then 403
+          when ''                                            then 401
+                                                             else 200
+        end
+      end
+      
+      def valid?
+        @error.nil?
+      end
+      
+    private
+      
+      def authorize!(access_token, error)
+        return unless @authorization = Model.find_access_token(access_token)
+        @authorization.update_attribute(:access_token, nil) if error
+      end
+      
+      def validate!
+        return @error = ''                 unless @access_token
+        return @error = INVALID_TOKEN      unless @authorization
+        return @error = EXPIRED_TOKEN      if @authorization.expired?
+        return @error = INSUFFICIENT_SCOPE unless @authorization.in_scope?(@scopes)
+        
+        if @resource_owner and @authorization.owner != @resource_owner
+          @error = INSUFFICIENT_SCOPE
+        end
+      end
+    end
+    
+  end
+end
+

data/lib/oauth2/provider/authorization.rb

@@ -0,0 +1,168 @@
+module OAuth2
+  class Provider
+    
+    class Authorization
+      attr_reader :owner, :client,
+                  :code, :access_token,
+                  :expires_in, :refresh_token,
+                  :error, :error_description
+      
+      REQUIRED_PARAMS = [RESPONSE_TYPE, CLIENT_ID, REDIRECT_URI]
+      VALID_PARAMS    = REQUIRED_PARAMS + [SCOPE, STATE]
+      VALID_RESPONSES = [CODE, TOKEN, CODE_AND_TOKEN]
+      
+      def initialize(resource_owner, params)
+        @owner  = resource_owner
+        @params = params
+        @scope  = params[SCOPE]
+        @state  = params[STATE]
+        
+        validate!
+        return unless @owner and not @error
+        
+        @model = Model::Authorization.for(@owner, @client)
+        return unless @model and @model.in_scope?(scopes) and not @model.expired?
+        
+        @authorized = true
+        @code = @model.generate_code
+      end
+      
+      def scopes
+        @scope ? @scope.split(/\s+/).delete_if { |s| s.empty? } : []
+      end
+      
+      def unauthorized_scopes
+        @model ? scopes.select { |s| not @model.in_scope?(s) } : scopes
+      end
+      
+      def grant_access!(options = {})
+        @model = Model::Authorization.for_response_type(@params[RESPONSE_TYPE],
+          :owner    => @owner,
+          :client   => @client,
+          :scope    => @scope,
+          :duration => options[:duration])
+        
+        @code          = @model.code
+        @access_token  = @model.access_token
+        @refresh_token = @model.refresh_token
+        @expires_in    = @model.expires_in
+        
+        unless @params[RESPONSE_TYPE] == CODE
+          @expires_in  = @model.expires_in
+        end
+        
+        @authorized = true
+      end
+      
+      def deny_access!
+        @code = @access_token = @refresh_token = nil
+        @error = ACCESS_DENIED
+        @error_description = "The user denied you access"
+      end
+      
+      def params
+        params = {}
+        VALID_PARAMS.each { |key| params[key] = @params[key] if @params.has_key?(key) }
+        params
+      end
+      
+      def redirect?
+        @client and (@authorized or not valid?)
+      end
+      
+      def redirect_uri
+        return nil unless @client
+        base_redirect_uri = @client.redirect_uri
+        
+        if not valid?
+          query = to_query_string(ERROR, ERROR_DESCRIPTION, STATE)
+          "#{ base_redirect_uri }?#{ query }"
+        
+        elsif @params[RESPONSE_TYPE] == CODE_AND_TOKEN
+          query    = to_query_string(CODE, STATE)
+          fragment = to_query_string(ACCESS_TOKEN, EXPIRES_IN, SCOPE)
+          "#{ base_redirect_uri }#{ query.empty? ? '' : '?' + query }##{ fragment }"
+        
+        elsif @params[RESPONSE_TYPE] == 'token'
+          fragment = to_query_string(ACCESS_TOKEN, EXPIRES_IN, SCOPE, STATE)
+          "#{ base_redirect_uri }##{ fragment }"
+        
+        else
+          query = to_query_string(CODE, SCOPE, STATE)
+          "#{ base_redirect_uri }?#{ query }"
+        end
+      end
+      
+      def response_body
+        return nil if @client and valid?
+        JSON.unparse(
+          ERROR             => INVALID_REQUEST,
+          ERROR_DESCRIPTION => 'This is not a valid OAuth request')
+      end
+      
+      def response_headers
+        valid? ? {} : Exchange::RESPONSE_HEADERS
+      end
+      
+      def response_status
+        return 200 if valid?
+        @client ? 302 : 400
+      end
+      
+      def valid?
+        @error.nil?
+      end
+      
+    private
+      
+      def validate!
+        @client = @params[CLIENT_ID] && Model::Client.find_by_client_id(@params[CLIENT_ID])
+        unless @client
+          @error = INVALID_CLIENT
+          @error_description = "Unknown client ID #{@params[CLIENT_ID]}"
+        end
+        
+        REQUIRED_PARAMS.each do |param|
+          next if @params.has_key?(param)
+          @error = INVALID_REQUEST
+          @error_description = "Missing required parameter #{param}"
+        end
+        return if @error
+        
+        [SCOPE, STATE].each do |param|
+          next unless @params.has_key?(param)
+          if @params[param] =~ /\r\n/
+            @error = INVALID_REQUEST
+            @error_description = "Illegal value for #{param} parameter"
+          end
+        end
+        
+        unless VALID_RESPONSES.include?(@params[RESPONSE_TYPE])
+          @error = UNSUPPORTED_RESPONSE
+          @error_description = "Response type #{@params[RESPONSE_TYPE]} is not supported"
+        end
+        
+        @client = Model::Client.find_by_client_id(@params[CLIENT_ID])
+        unless @client
+          @error = INVALID_CLIENT
+          @error_description = "Unknown client ID #{@params[CLIENT_ID]}"
+        end
+        
+        if @client and @client.redirect_uri and @client.redirect_uri != @params[REDIRECT_URI]
+          @error = REDIRECT_MISMATCH
+          @error_description = "Parameter redirect_uri does not match registered URI"
+        end
+      end
+      
+      def to_query_string(*ivars)
+        ivars.map { |key|
+          value = instance_variable_get("@#{key}")
+          value = value.join(' ') if Array === value
+          value ? "#{ key }=#{ CGI.escape(value.to_s) }" : nil
+        }.compact.join('&')
+      end
+    end
+    
+  end
+end
+