oauth2-provider 0.0.16

data/lib/oauth2/provider/rack/responses.rb

@@ -0,0 +1,34 @@
+require 'addressable/uri'
+
+module OAuth2::Provider::Rack::Responses
+  def self.unauthorized(error = nil)
+    challenge = "OAuth2"
+    challenge << %{ error="#{error}"} if error
+    [401, {'Content-Type' => 'text/plain', 'Content-Length' => '0', 'WWW-Authenticate' => challenge}, []]
+  end
+
+  def self.only_supported(supported)
+    [405, {'Allow' => supported}, ["Only #{supported} requests allowed"]]
+  end
+
+  def self.json_error(error, options = {})
+    description = %{, "error_description": "#{options[:description]}"} if options[:description]
+    [options[:status] || 400, {'Content-Type' => 'application/json'}, [%{{"error": "#{error}"#{description}}}]]
+  end
+
+  def self.redirect_with_error(error, uri)
+    [302, {'Location' => append_to_uri(uri, :error => error)}, []]
+  end
+
+  def self.redirect_with_code(code, uri)
+    [302, {'Location' => append_to_uri(uri, :code => code)}, []]
+  end
+
+  private
+
+  def self.append_to_uri(uri, parameters = {})
+    u = Addressable::URI.parse(uri)
+    u.query_values = (u.query_values || {}).merge(parameters)
+    u.to_s
+  end
+end

data/lib/oauth2/provider/rails.rb

@@ -0,0 +1,37 @@
+require 'oauth2/provider'
+
+module OAuth2::Provider::Rails
+  autoload :ControllerAuthentication, 'oauth2/provider/rails/controller_authentication'
+  
+  class Railtie < Rails::Railtie
+    config.oauth2_provider = ActiveSupport::OrderedOptions.new
+    config.oauth2_provider.activerecord = ActiveSupport::OrderedOptions.new
+    config.oauth2_provider.mongoid = ActiveSupport::OrderedOptions.new
+
+    initializer "oauth2_provider.config" do |app|
+      app.config.oauth2_provider.except(:activerecord, :mongoid).each do |k,v|
+        OAuth2::Provider.send "#{k}=", v
+      end
+
+      app.config.oauth2_provider.activerecord.each do |k, v|
+        OAuth2::Provider::Models::ActiveRecord.send "#{k}=", v
+      end
+
+      app.config.oauth2_provider.mongoid.each do |k, v|
+        OAuth2::Provider::Models::Mongoid.send "#{k}=", v
+      end
+
+      OAuth2::Provider.activate
+    end
+
+    initializer "oauth2_provider.initialize_controller" do |app|
+      ActionController::Base.module_eval do
+        include OAuth2::Provider::Rails::ControllerAuthentication
+      end
+    end
+
+    initializer "oauth2_provider.initialize_middleware" do |app|
+      app.middleware.use ::OAuth2::Provider::Rack::Middleware
+    end
+  end
+end

data/lib/oauth2/provider/rails/controller_authentication.rb

@@ -0,0 +1,21 @@
+require 'oauth2/provider'
+
+module OAuth2::Provider::Rails::ControllerAuthentication
+  extend ActiveSupport::Concern
+
+  module ClassMethods
+    def authenticate_with_oauth(options = {})
+      around_filter AuthenticationFilter.new(options.delete(:scope)), options
+    end
+
+    class AuthenticationFilter
+      def initialize(scope = nil)
+        @scope = scope
+      end
+
+      def filter(controller, &block)
+        controller.request.env['oauth2'].authenticate_request! :scope => @scope, &block
+      end
+    end
+  end
+end

data/lib/oauth2/provider/random.rb

@@ -0,0 +1,30 @@
+require 'oauth2/provider'
+
+module OAuth2::Provider::Random
+  module Base62
+    CHARS = ('0'..'9').to_a + ('a'..'z').to_a + ('A'..'Z').to_a
+
+    # Adapted from http://refactormycode.com/codes/125-base-62-encoding
+    def self.encode(i)
+      return '0' if i == 0
+      s = ''
+      while i > 0
+        s << CHARS[i.modulo(62)]
+        i /= 62
+      end
+      s.reverse!
+      s
+    end
+  end
+
+  def base62(length = 8)
+    number = ActiveSupport::SecureRandom.random_number(62 ** length)
+    Base62.encode(number).rjust(length, '0')
+  end
+
+  def base36(length = 8)
+    ActiveSupport::SecureRandom.random_number(36 ** length).to_s(36).rjust(length, '0')
+  end
+
+  module_function :base62, :base36
+end

data/lib/oauth2/provider/version.rb

@@ -0,0 +1,5 @@
+module OAuth2
+  module Provider
+    VERSION = "0.0.16"
+  end
+end

data/oauth2-provider.gemspec

@@ -0,0 +1,35 @@
+# -*- encoding: utf-8 -*-
+$:.push File.expand_path("../lib", __FILE__)
+require "oauth2/provider/version"
+
+Gem::Specification.new do |s|
+  s.name        = "oauth2-provider"
+  s.version     = OAuth2::Provider::VERSION
+  s.platform    = Gem::Platform::RUBY
+  s.authors     = ["Tom Ward"]
+  s.email       = ["tom@popdog.net"]
+  s.homepage    = "http://tomafro.net"
+  s.summary     = %q{OAuth2 Provider, extracted from api.hashblue.com}
+  s.description = %q{OAuth2 Provider, extracted from api.hashblue.com}
+
+  s.files         = `git ls-files`.split("\n")
+  s.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths = ["lib"]
+
+  # Main dependencies
+  s.add_dependency 'activesupport', '~>3.0.1'
+  s.add_dependency 'addressable', '~>2.2'
+
+  # Development only dependencies
+  s.add_development_dependency 'rails', '~>3.0.1'
+  s.add_development_dependency 'rspec-rails', '~>2.1.0'
+  s.add_development_dependency 'rake', '~>0.8.7'
+  s.add_development_dependency 'sqlite3-ruby', '~>1.3.1'
+  s.add_development_dependency 'timecop', '~>0.3.4'
+  s.add_development_dependency 'yajl-ruby', '~>0.7.5'
+  s.add_development_dependency 'mongoid', '2.0.0.rc.6'
+  s.add_development_dependency 'bson', '1.2.0'
+  s.add_development_dependency 'bson_ext', '1.2.0'
+  s.add_development_dependency 'sdoc', '~>0.2.20'
+end

data/spec/models/access_token_spec.rb

@@ -0,0 +1,123 @@
+require 'spec_helper'
+
+describe OAuth2::Provider.access_token_class do
+  describe "any instance" do
+    subject do
+      OAuth2::Provider.access_token_class.new :authorization => build_authorization
+    end
+
+    it "is valid with an access grant, expiry time and access token" do
+      subject.expires_at.should_not be_nil
+      subject.access_token.should_not be_nil
+      subject.authorization.should_not be_nil
+
+      subject.should be_valid
+    end
+
+    it "is invalid without an access token" do
+      subject.access_token = nil
+      subject.should_not be_valid
+    end
+
+    it "is invalid without an access grant" do
+      subject.authorization = nil
+      subject.should_not be_valid
+    end
+
+    it "is invalid when expires_at isn't set" do
+      subject.expires_at = nil
+      subject.should_not be_valid
+    end
+
+    it "is invalid if expires_at is later than the authorization's value" do
+      subject.authorization.expires_at = 1.minute.from_now
+      subject.expires_at = 10.minutes.from_now
+      subject.should_not be_valid
+    end
+
+    it "returns time in seconds until expiry when expires_in called" do
+      subject.expires_at = 60.minutes.from_now
+      subject.expires_in.should == (60 * 60)
+    end
+
+    it "returns 0 for expired_in when already expired" do
+      subject.expires_at = 60.minutes.ago
+      subject.expires_in.should == 0
+    end
+
+    it "include expires_in, refresh_token and access token as JSON format" do
+      subject.as_json.should == {"expires_in" => subject.expires_in, "access_token" => subject.access_token, "refresh_token" => subject.refresh_token}
+    end
+
+    it "include only expires_in and access token as JSON format if no refresh token set" do
+      subject.refresh_token = nil
+      subject.as_json.should == {"expires_in" => subject.expires_in, "access_token" => subject.access_token}
+    end
+
+    it "is refreshable, if it has a refresh token" do
+      subject.refresh_token = 'abcd1234'
+      subject.should be_refreshable
+    end
+
+    it "is not refreshable if it has no refresh token" do
+      subject.refresh_token = nil
+      subject.should_not be_refreshable
+    end
+
+    it "is not refreshable if it has a refresh token, but its authorization has expired" do
+      subject.refresh_token = 'abcd1234'
+      subject.authorization.expires_at = 60.minutes.ago
+      subject.should_not be_refreshable
+    end
+  end
+
+  describe "a new instance" do
+    subject do
+      OAuth2::Provider.access_token_class.new
+    end
+
+    it "is assigned a randomly generated access token" do
+      subject.access_token.should_not be_nil
+      OAuth2::Provider.access_token_class.new.access_token.should_not be_nil
+      subject.access_token.should_not == OAuth2::Provider.access_token_class.new.access_token
+    end
+
+    it "is assigned a randomly generated refresh token" do
+      subject.refresh_token.should_not be_nil
+      OAuth2::Provider.access_token_class.new.refresh_token.should_not be_nil
+      subject.access_token.should_not == OAuth2::Provider.access_token_class.new.refresh_token
+    end
+
+    it "expires in 1 month by default" do
+      subject.expires_at.should == 1.month.from_now
+    end
+  end
+
+  describe "refreshing an existing token" do
+    subject do
+      OAuth2::Provider.access_token_class.create! :authorization => create_authorization, :expires_at => 23.days.ago
+    end
+
+    it "returns a new access token with the same client, resource_owner and scope, but a new expiry time" do
+      result = OAuth2::Provider.access_token_class.refresh_with(subject.refresh_token)
+      result.should_not be_nil
+      result.expires_at.should == 1.month.from_now
+      result.authorization.should == subject.authorization
+    end
+
+    it "returns token with expires_at set to authorization.expires_at if validation would fail otherwise" do
+      subject.authorization.update_attributes(:expires_at => 5.minutes.from_now)
+      result = OAuth2::Provider.access_token_class.refresh_with(subject.refresh_token)
+      result.expires_at.should == 5.minutes.from_now
+    end
+
+    it "returns nil if the provided token doesn't match" do
+      OAuth2::Provider.access_token_class.refresh_with('wrong').should be_nil
+    end
+
+    it "returns nil if the existing refresh token is nil, whatever value is provided" do
+      subject.update_attributes(:refresh_token => nil)
+      OAuth2::Provider.access_token_class.refresh_with(nil).should be_nil
+    end
+  end
+end

data/spec/models/authorization_code_spec.rb

@@ -0,0 +1,115 @@
+require 'spec_helper'
+
+describe OAuth2::Provider.authorization_code_class do
+  describe "any instance" do
+    subject do
+      OAuth2::Provider.authorization_code_class.new(
+        :authorization => create_authorization,
+        :redirect_uri => "http://redirect.example.com/callback"
+      )
+    end
+
+    it "is valid with an access grant, expiry time, redirect uri and code" do
+      subject.should be_valid
+    end
+
+    it "is invalid without a redirect_uri" do
+      subject.redirect_uri = nil
+      subject.should_not be_valid
+    end
+
+    it "is invalid without a code" do
+      subject.code = nil
+      subject.should_not be_valid
+    end
+
+    it "is invalid without an access grant" do
+      subject.authorization = nil
+      subject.should_not be_valid
+    end
+
+    it "is invalid when expires_at isn't set" do
+      subject.expires_at = nil
+      subject.should_not be_valid
+    end
+
+    it "has expired when expires_at is in the past" do
+      subject.expires_at = 1.second.ago
+      subject.should be_expired
+    end
+
+    it "has not expired when expires_at is now or in the future" do
+      subject.expires_at = Time.now
+      subject.should_not be_expired
+    end
+  end
+
+  describe "a new instance" do
+    subject do
+      OAuth2::Provider.authorization_code_class.new
+    end
+
+    it "is assigned a randomly generated code" do
+      subject.code.should_not be_nil
+      OAuth2::Provider.authorization_code_class.new.code.should_not be_nil
+      subject.code.should_not == OAuth2::Provider.authorization_code_class.new.code
+    end
+
+    it "expires in 1 minute by default" do
+      subject.expires_at.should == 1.minute.from_now
+    end
+  end
+
+  describe "a saved instance" do
+    subject do
+      OAuth2::Provider.authorization_code_class.create!(
+        :authorization => create_authorization,
+        :redirect_uri => "https://client.example.com/callback/here"
+      )
+    end
+
+    it "can be claimed with the correct code and redirect_uri" do
+      OAuth2::Provider.authorization_code_class.claim(subject.code, subject.redirect_uri).should_not be_nil
+    end
+
+    it "returns an access token when claimed" do
+      OAuth2::Provider.authorization_code_class.claim(subject.code, subject.redirect_uri).should be_instance_of(OAuth2::Provider.access_token_class)
+    end
+
+    it "can't be claimed twice" do
+      OAuth2::Provider.authorization_code_class.claim(subject.code, subject.redirect_uri)
+      OAuth2::Provider.authorization_code_class.claim(subject.code, subject.redirect_uri).should be_nil
+    end
+
+    it "can't be claimed without a matching code" do
+      OAuth2::Provider.authorization_code_class.claim("incorrectCode", subject.redirect_uri).should be_nil
+    end
+
+    it "can't be claimed without a matching redirect_uri" do
+      OAuth2::Provider.authorization_code_class.claim(subject.code, "https://wrong.example.com").should be_nil
+    end
+
+    it "can't be claimed once expired" do
+      Timecop.travel subject.expires_at + 1.minute
+      OAuth2::Provider.authorization_code_class.claim(subject.code, subject.redirect_uri).should be_nil
+    end
+  end
+
+  describe "the access token returned when a code is claimed" do
+    subject do
+      @code = OAuth2::Provider.authorization_code_class.create!(
+        :authorization => create_authorization,
+        :redirect_uri => "https://client.example.com/callback/here"
+      )
+      OAuth2::Provider.authorization_code_class.claim(@code.code, @code.redirect_uri)
+    end
+
+    it "is saved to the database" do
+      subject.should_not be_new_record
+    end
+
+    it "has same access grant as claimed code" do
+      subject.authorization.should == @code.authorization
+    end
+  end
+end

data/spec/models/authorization_spec.rb

@@ -0,0 +1,110 @@
+require 'spec_helper'
+
+describe OAuth2::Provider.authorization_class do
+  describe "any instance" do
+    subject do
+      result = OAuth2::Provider.authorization_class.new :client => create_client
+    end
+  
+    it "is valid with a client" do
+      subject.client.should_not be_nil
+      subject.should be_valid
+    end
+  
+    it "is invalid without a client" do
+      subject.client = nil
+      subject.should_not be_valid
+    end
+  
+    it "has a given scope, if scope string includes scope" do
+      subject.scope = "first second third"
+      subject.should have_scope("first")
+      subject.should have_scope("second")
+      subject.should have_scope("third")
+    end
+  
+    it "doesn't have a given scope, if scope string doesn't scope" do
+      subject.scope = "first second third"
+      subject.should_not have_scope("fourth")
+    end
+  end
+  
+  describe "a new instance" do
+    subject do
+      OAuth2::Provider.authorization_class.new
+    end
+  
+    it "has no expiry time by default" do
+      subject.expires_at.should be_nil
+    end
+  
+    it "is never expired" do
+      subject.should_not be_expired
+      Timecop.travel(100.years.from_now)
+      subject.should_not be_expired
+    end
+  end
+
+  describe "after being persisted and restored" do
+    before :each do
+      @client = create_client
+      @owner = create_resource_owner
+      @original = OAuth2::Provider.authorization_class.create!(:client => @client, :resource_owner => @owner, :expires_at => 1.year.from_now)
+    end
+
+    subject do
+      OAuth2::Provider.authorization_class.find(@original.id)
+    end
+
+    it "remembers client" do
+      subject.client.should eql(@client)
+    end
+
+    it "remembers resource owner" do
+      subject.resource_owner.should eql(@owner)
+    end
+  end
+
+  describe "obtain all authorizations for a resource owner" do
+    before :each do
+      @client = create_client
+      @owner = create_resource_owner
+      @authorization = OAuth2::Provider.authorization_class.create!(:client => @client, :resource_owner => @owner, :expires_at => 1.year.from_now)
+    end
+
+    subject do
+      OAuth2::Provider.authorization_class.all_for(@owner)
+    end
+
+    it "returns correct number of authorizations" do
+      subject.count.should eql(1)
+    end
+
+    it "should hold information on the authorized client" do
+      subject[0].client.should eql(@client)
+    end
+  end
+
+  describe "being revoked" do
+    subject do
+      OAuth2::Provider.authorization_class.create! :client => create_client
+    end
+
+    it "destroys itself" do
+      subject.revoke
+      subject.should be_destroyed
+    end
+
+    it "destroys any related authorization codes" do
+      subject.authorization_codes.create! :redirect_uri => 'https://example.com'
+      subject.revoke
+      subject.authorization_codes.should be_empty
+    end
+
+    it "destroys any related access tokens" do
+      subject.access_tokens.create!
+      subject.revoke
+      subject.access_tokens.should be_empty
+    end
+  end
+end