oauth2-provider-jonrowe 0.1.0

data/lib/oauth2/provider/error.rb

@@ -0,0 +1,29 @@
+module OAuth2
+  class Provider
+    
+    class Error
+      def initialize(message = nil)
+        @message = message
+      end
+      
+      def redirect?
+        false
+      end
+      
+      def response_body
+        message = 'Bad request' + (@message ? ": #{@message}" : '')
+        JSON.unparse(ERROR => INVALID_REQUEST, ERROR_DESCRIPTION => message)
+      end
+      
+      def response_headers
+        Exchange::RESPONSE_HEADERS
+      end
+      
+      def response_status
+        400
+      end
+    end
+    
+  end
+end
+

data/lib/oauth2/provider/exchange.rb

@@ -0,0 +1,212 @@
+module OAuth2
+  class Provider
+    
+    class Exchange
+      attr_reader :client, :error, :error_description
+      
+      REQUIRED_PARAMS    = [CLIENT_ID, CLIENT_SECRET, GRANT_TYPE]
+      VALID_GRANT_TYPES  = [AUTHORIZATION_CODE, PASSWORD, ASSERTION, REFRESH_TOKEN]
+      
+      REQUIRED_PASSWORD_PARAMS  = [USERNAME, PASSWORD]
+      REQUIRED_ASSERTION_PARAMS = [ASSERTION_TYPE, ASSERTION]
+      
+      RESPONSE_HEADERS = {
+        'Cache-Control' => 'no-store',
+        'Content-Type'  => 'application/json'
+      }
+      
+      def initialize(resource_owner, params)
+        @params     = params
+        @scope      = params[SCOPE]
+        @grant_type = @params[GRANT_TYPE]
+        validate!
+      end
+      
+      def owner
+        @authorization && @authorization.owner
+      end
+      
+      def scopes
+        @scope ? @scope.split(/\s+/).delete_if { |s| s.empty? } : []
+      end
+      
+      def redirect?
+        false
+      end
+      
+      def response_body
+        return jsonize(ERROR, ERROR_DESCRIPTION) unless valid?
+        update_authorization
+        
+        response = {}
+        %w[access_token refresh_token scope].each do |key|
+          value = @authorization.__send__(key)
+          response[key] = value if value
+        end
+        
+        JSON.unparse(response)
+      end
+      
+      def response_headers
+        RESPONSE_HEADERS
+      end
+      
+      def response_status
+        valid? ? 200 : 400
+      end
+      
+      def update_authorization
+        return if not valid? or @already_updated
+        @authorization.exchange!
+        @already_updated = true
+      end
+      
+      def valid?
+        @error.nil?
+      end
+      
+    private
+      
+      def jsonize(*ivars)
+        hash = {}
+        ivars.each { |key| hash[key] = instance_variable_get("@#{key}") }
+        JSON.unparse(hash)
+      end
+      
+      def validate!
+        validate_required_params
+        
+        return if @error
+        validate_client
+        
+        unless VALID_GRANT_TYPES.include?(@grant_type)
+          @error = UNSUPPORTED_GRANT_TYPE
+          @error_description = "The grant type #{@grant_type} is not recognized"
+        end
+        return if @error
+        
+        __send__("validate_#{@grant_type}")
+        validate_scope
+      end
+      
+      def validate_required_params
+        REQUIRED_PARAMS.each do |param|
+          next if @params.has_key?(param)
+          @error = INVALID_REQUEST
+          @error_description = "Missing required parameter #{param}"
+        end
+      end
+      
+      def validate_client
+        @client = Model::Client.find_by_client_id(@params[CLIENT_ID])
+        unless @client
+          @error = INVALID_CLIENT
+          @error_description = "Unknown client ID #{@params[CLIENT_ID]}"
+        end
+        
+        if @client and not @client.valid_client_secret? @params[CLIENT_SECRET]
+          @error = INVALID_CLIENT
+          @error_description = 'Parameter client_secret does not match'
+        end
+      end
+      
+      def validate_scope
+        if @authorization and not @authorization.in_scope?(scopes)
+          @error = INVALID_SCOPE
+          @error_description = 'The request scope was never granted by the user'
+        end
+      end
+      
+      def validate_authorization_code
+        unless @params[CODE]
+          @error = INVALID_REQUEST
+          @error_description = "Missing required parameter code"
+        end
+        
+        if @client.redirect_uri and @client.redirect_uri != @params[REDIRECT_URI]
+          @error = REDIRECT_MISMATCH
+          @error_description = "Parameter redirect_uri does not match registered URI"
+        end
+        
+        unless @params.has_key?(REDIRECT_URI)
+          @error = INVALID_REQUEST
+          @error_description = "Missing required parameter redirect_uri"
+        end
+        
+        return if @error
+        
+        @authorization = @client.authorizations.find_by_code(@params[CODE])
+        validate_authorization
+      end
+      
+      def validate_password
+        REQUIRED_PASSWORD_PARAMS.each do |param|
+          next if @params.has_key?(param)
+          @error = INVALID_REQUEST
+          @error_description = "Missing required parameter #{param}"
+        end
+        
+        return if @error
+        
+        @authorization = Provider.handle_password(@client, @params[USERNAME], @params[PASSWORD])
+        return validate_authorization if @authorization
+        
+        @error = INVALID_GRANT
+        @error_description = 'The access grant you supplied is invalid'
+      end
+      
+      def validate_assertion
+        REQUIRED_ASSERTION_PARAMS.each do |param|
+          next if @params.has_key?(param)
+          @error = INVALID_REQUEST
+          @error_description = "Missing required parameter #{param}"
+        end
+        
+        if @params[ASSERTION_TYPE]
+          uri = URI.parse(@params[ASSERTION_TYPE]) rescue nil
+          unless uri and uri.absolute?
+            @error = INVALID_REQUEST
+            @error_description = 'Parameter assertion_type must be an absolute URI'
+          end
+        end
+        
+        return if @error
+        
+        assertion = Assertion.new(@params)
+        @authorization = Provider.handle_assertion(@client, assertion)
+        return validate_authorization if @authorization
+        
+        @error = UNAUTHORIZED_CLIENT
+        @error_description = 'Client cannot use the given assertion type'
+      end
+      
+      def validate_refresh_token
+        refresh_token_hash = OAuth2.hashify(@params[REFRESH_TOKEN])
+        @authorization = @client.authorizations.find_by_refresh_token_hash(refresh_token_hash)
+        validate_authorization
+      end
+      
+      def validate_authorization
+        unless @authorization
+          @error = INVALID_GRANT
+          @error_description = 'The access grant you supplied is invalid'
+        end
+        
+        if @authorization and @authorization.expired?
+          @error = INVALID_GRANT
+          @error_description = 'The access grant you supplied is invalid'
+        end
+      end
+    end
+    
+    class Assertion
+      attr_reader :type, :value
+      def initialize(params)
+        @type  = params[ASSERTION_TYPE]
+        @value = params[ASSERTION]
+      end
+    end
+    
+  end
+end
+

data/lib/oauth2/router.rb

@@ -0,0 +1,60 @@
+require 'base64'
+
+module OAuth2
+  class Router
+    
+    def self.auth_params(request, params = nil)
+      return {} unless basic = request.env['HTTP_AUTHORIZATION']
+      parts = basic.split(/\s+/)
+      username, password = Base64.decode64(parts.last).split(':')
+      {CLIENT_ID => username, CLIENT_SECRET => password}
+    end
+    
+    def self.transport_error(request)
+      uri = URI.parse(request.url)
+      
+      if Provider.enforce_ssl and not uri.is_a?(URI::HTTPS)
+        return Provider::Error.new("must make requests using HTTPS")
+      end
+    end
+    
+    def self.parse(resource_owner, request, params = nil)
+      if error = transport_error(request)
+        return error
+      end
+      
+      params ||= request.params
+      auth     = auth_params(request, params)
+      
+      if auth[CLIENT_ID] and auth[CLIENT_ID] != params[CLIENT_ID]
+        return Provider::Error.new("#{CLIENT_ID} from Basic Auth and request body do not match")
+      end
+      
+      params = params.merge(auth)
+      
+      if params[GRANT_TYPE]
+        request.post? ?
+            Provider::Exchange.new(resource_owner, params) :
+            Provider::Error.new("should be a POST request")
+      else
+        Provider::Authorization.new(resource_owner, params)
+      end
+    end
+    
+    def self.access_token(resource_owner, scopes, request, params = nil)
+      params ||= request.params
+      header = request.env['HTTP_AUTHORIZATION']
+      
+      access_token = header && header =~ /^OAuth\s+/ ?
+                     header.gsub(/^OAuth\s+/, '') :
+                     params[OAUTH_TOKEN]
+      
+      Provider::AccessToken.new(resource_owner,
+                                scopes,
+                                access_token,
+                                transport_error(request))
+    end
+    
+  end
+end
+

data/spec/factories.rb

@@ -0,0 +1,27 @@
+require 'factory_girl'
+
+Factory.sequence :client_name do |n|
+  "Client ##{n}"
+end
+
+Factory.sequence :user_name do |n|
+  "User ##{n}"
+end
+
+Factory.define :owner, :class => TestApp::User do |u|
+  u.name { Factory.next :user_name }
+end
+
+Factory.define :client, :class => OAuth2::Model::Client do |c|
+  c.client_id     { OAuth2.random_string }
+  c.client_secret { OAuth2.random_string }
+  c.name          { Factory.next :client_name }
+  c.redirect_uri  'https://client.example.com/cb'
+end
+
+Factory.define :authorization, :class => OAuth2::Model::Authorization do |ac|
+  ac.client     Factory(:client)
+  ac.code       { OAuth2.random_string }
+  ac.expires_at nil
+end
+

data/spec/oauth2/model/authorization_spec.rb

@@ -0,0 +1,216 @@
+require 'spec_helper'
+
+describe OAuth2::Model::Authorization do
+  let(:client)   { Factory :client }
+  let(:impostor) { Factory :client }
+  let(:owner)    { Factory :owner }
+  let(:user)     { Factory :owner }
+  
+  let(:authorization) do
+    OAuth2::Model::Authorization.new(:owner => owner, :client => client)
+  end
+  
+  it "is vaid" do
+    authorization.should be_valid
+  end
+  
+  it "is not valid without a client" do
+    authorization.client = nil
+    authorization.should_not be_valid
+  end
+  
+  it "is not valid without an owner" do
+    authorization.owner = nil
+    authorization.should_not be_valid
+  end
+  
+  describe "when there are existing authorizations" do
+    before do
+      OAuth2::Model::Authorization.create(
+        :owner         => user,
+        :client        => impostor,
+        :access_token  => 'existing_access_token')
+        
+      OAuth2::Model::Authorization.create(
+        :owner         => owner,
+        :client        => client,
+        :code          => 'existing_code')
+        
+      OAuth2::Model::Authorization.create(
+        :owner         => owner,
+        :client        => client,
+        :refresh_token => 'existing_refresh_token')
+    end
+    
+    it "is valid if its access_token is unique" do
+      authorization.should be_valid
+    end
+    
+    it "is valid if both access_tokens are nil" do
+      OAuth2::Model::Authorization.first.update_attribute(:access_token, nil)
+      authorization.access_token = nil
+      authorization.should be_valid
+    end
+    
+    it "is not valid if its access_token is not unique" do
+      authorization.access_token = 'existing_access_token'
+      authorization.should_not be_valid
+    end
+    
+    it "is valid if it has a unique code for its client" do
+      authorization.client = impostor
+      authorization.code = 'existing_code'
+      authorization.should be_valid
+    end
+    
+    it "is not valid if it does not have a unique client and code" do
+      authorization.code = 'existing_code'
+      authorization.should_not be_valid
+    end
+    
+    it "is valid if it has a unique refresh_token for its client" do
+      authorization.client = impostor
+      authorization.refresh_token = 'existing_refresh_token'
+      authorization.should be_valid
+    end
+    
+    it "is not valid if it does not have a unique client and refresh_token" do
+      authorization.refresh_token = 'existing_refresh_token'
+      authorization.should_not be_valid
+    end
+    
+    describe ".create_code" do
+      before { OAuth2.stub(:random_string).and_return('existing_code', 'new_code') }
+      
+      it "returns the first code the client has not used" do
+        OAuth2::Model::Authorization.create_code(client).should == 'new_code'
+      end
+      
+      it "returns the first code another client has not used" do
+        OAuth2::Model::Authorization.create_code(impostor).should == 'existing_code'
+      end
+    end
+    
+    describe ".create_access_token" do
+      before { OAuth2.stub(:random_string).and_return('existing_access_token', 'new_access_token') }
+      
+      it "returns the first unused token it can find" do
+        OAuth2::Model::Authorization.create_access_token.should == 'new_access_token'
+      end
+    end
+    
+    describe ".create_refresh_token" do
+      before { OAuth2.stub(:random_string).and_return('existing_refresh_token', 'new_refresh_token') }
+      
+      it "returns the first refresh_token the client has not used" do
+        OAuth2::Model::Authorization.create_refresh_token(client).should == 'new_refresh_token'
+      end
+      
+      it "returns the first refresh_token another client has not used" do
+        OAuth2::Model::Authorization.create_refresh_token(impostor).should == 'existing_refresh_token'
+      end
+    end
+  end
+  
+  describe "#exchange!" do
+    it "saves the record" do
+      authorization.should_receive(:save!)
+      authorization.exchange!
+    end
+    
+    it "uses its helpers to find unique tokens" do
+      OAuth2::Model::Authorization.should_receive(:create_access_token).and_return('access_token')
+      authorization.exchange!
+      authorization.access_token.should == 'access_token'
+    end
+    
+    it "updates the tokens correctly" do
+      authorization.exchange!
+      authorization.should be_valid
+      authorization.code.should be_nil
+      authorization.refresh_token.should be_nil
+    end
+  end
+  
+  describe "#expired?" do
+    it "returns false when not expiry is set" do
+      authorization.should_not be_expired
+    end
+    
+    it "returns false when expiry is in the future" do
+      authorization.expires_at = 2.days.from_now
+      authorization.should_not be_expired
+    end
+    
+    it "returns true when expiry is in the past" do
+      authorization.expires_at = 2.days.ago
+      authorization.should be_expired
+    end
+  end
+  
+  describe "#grants_access?" do
+    it "returns true given the right user" do
+      authorization.grants_access?(owner).should be_true
+    end
+    
+    it "returns false given the wrong user" do
+      authorization.grants_access?(user).should be_false
+    end
+    
+    describe "when the authorization is expired" do
+      before { authorization.expires_at = 2.days.ago }
+      
+      it "returns false in all cases" do
+        authorization.grants_access?(owner).should be_false
+        authorization.grants_access?(user).should be_false
+      end
+    end
+  end
+  
+  describe "with a scope" do
+    before { authorization.scope = 'foo bar' }
+    
+    describe "#in_scope?" do
+      it "returns true for authorized scopes" do
+        authorization.should be_in_scope('foo')
+        authorization.should be_in_scope('bar')
+      end
+      
+      it "returns false for unauthorized scopes" do
+        authorization.should_not be_in_scope('qux')
+        authorization.should_not be_in_scope('fo')
+      end
+    end
+    
+    describe "#grants_access?" do
+      it "returns true given the right user and all authorization scopes" do
+        authorization.grants_access?(owner, 'foo', 'bar').should be_true
+      end
+      
+      it "returns true given the right user and some authorization scopes" do
+        authorization.grants_access?(owner, 'bar').should be_true
+      end
+      
+      it "returns false given the right user and some unauthorization scopes" do
+        authorization.grants_access?(owner, 'foo', 'bar', 'qux').should be_false
+      end
+      
+      it "returns false given an unauthorized scope" do
+        authorization.grants_access?(owner, 'qux').should be_false
+      end
+      
+      it "returns true given the right user" do
+        authorization.grants_access?(owner).should be_true
+      end
+      
+      it "returns false given the wrong user" do
+        authorization.grants_access?(user).should be_false
+      end
+      
+      it "returns false given the wrong user and an authorized scope" do
+        authorization.grants_access?(user, 'foo').should be_false
+      end
+    end
+  end
+end
+