oauth2-rack 0.0.1

data/.gitignore

@@ -0,0 +1,13 @@
+.DS_Store
+.bundle
+\#*
+.\#*
+*~
+*swp
+TAGS
+.rvmrc
+.yardoc
+/doc/*
+Gemfile.lock
+*.gem
+pkg/*

data/.rspec

@@ -0,0 +1 @@
+--colour

data/Gemfile

@@ -0,0 +1,7 @@
+source :rubygems
+
+gemspec
+
+gem 'libnotify'
+gem 'rb-inotify'
+

data/Guardfile

@@ -0,0 +1,10 @@
+# -*- ruby -*-
+# More info at https://github.com/guard/guard#readme
+
+guard 'rspec', :version => 2 do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})                           { |m| "spec/#{m[1]}_spec.rb" }
+  watch(%r{^spec/support/(.+)\.rb$})                  { "spec/" }
+  watch('spec/spec_helper.rb')                        { "spec/" }
+end
+

data/Rakefile

@@ -0,0 +1,4 @@
+require 'rspec/core/rake_task'
+require 'bundler/gem_tasks'
+
+RSpec::Core::RakeTask.new

data/config.ru

@@ -0,0 +1,50 @@
+$: << File.expand_path('../lib', __FILE__)
+require 'oauth2/rack'
+
+class AccessTokenIssuer
+  def self.call(opts = {})
+    opts.merge('access_token' => 'test')
+  end
+end
+class Authenticator
+  def self.call(opts = {})
+    if opts[:username]
+      authenticate_resource_owner(opts)
+    elsif opts[:client_id]
+      authenticate_client(opts)
+    end
+  end
+
+  def self.authenticate_resource_owner(opts)
+    OpenStruct.new(:username => opts[:username])
+  end
+
+  def self.authenticate_client(opts)
+    OpenStruct.new(:client_id => opts[:client_id])
+  end
+end
+
+map '/password/access_token' do
+  use OAuth2::Rack::Authentication::Client::HTTPBasic, :required => false, :authenticator => Authenticator
+  use OAuth2::Rack::Authentication::Client::RequestParams, :required => false, :authenticator => Authenticator
+
+  use OAuth2::Rack::Authentication::ResourceOwner::RequestParams, :authenticator => Authenticator
+
+  use OAuth2::Rack::Authorization::Password::AccessTokenIssuer, :issuer => AccessTokenIssuer
+
+  run proc { |env| [200, {'Content-Type' => 'text/html'}, ['Hello']] }
+end
+
+map '/client_credentials/access_token' do
+  use OAuth2::Rack::Authentication::Client::HTTPBasic, :required => false, :authenticator => Authenticator
+  use OAuth2::Rack::Authentication::Client::RequestParams, :required => false, :authenticator => Authenticator
+
+  use OAuth2::Rack::Authorization::ClientCredentials::AccessTokenIssuer, :issuer => AccessTokenIssuer
+
+  run proc { |env| [200, {'Content-Type' => 'text/html'}, ['Hello']] }
+end
+
+
+map '/inspect' do
+  run proc { |env| [200, {'Content-Type' => 'text/html'}, [env.inspect]] }
+end

data/examples/ruby-client/password_authorization.rb

@@ -0,0 +1,6 @@
+require 'oauth2'
+
+client = OAuth2::Client.new('client_id', 'client_secret', :site => 'http://localhost:9393/', :token_url => '/password/access_token')
+token = client.password.get_token('username', 'password')
+
+p token

data/lib/oauth2/rack/authentication/client/http_basic.rb

@@ -0,0 +1,61 @@
+require 'oauth2/rack'
+
+# 2.4.1. Client Password
+class OAuth2::Rack::Authentication::Client::HTTPBasic
+  HEADER_KEYS = ['HTTP_AUTHORIZATION', 'X-HTTP_AUTHORIZATION', 'X_HTTP_AUTHORIZATION']
+
+  def initialize(app, opts = {}, &authenticator)
+    @app = app
+    @realm = opts.delete(:realm)
+    @required = opts.fetch(:required, true)
+    opts.delete(:required)
+    @authenticator = authenticator || opts.delete(:authenticator)
+  end
+
+  def call(env)
+    return @app.call(env) if env.has_key?('oauth2.client')
+
+    key = HEADER_KEYS.find { |k| env.has_key?(k) }
+    auth_string = env[key]
+
+    if auth_string.nil?
+      return @required ? unauthorized : @app.call(env)
+    end
+
+    schema, credentials = auth_string.split(' ', 2)
+    if schema.downcase != 'basic'
+      return bad_request
+    end
+
+    client_id, client_secret = credentials.unpack('m*').first.split(':', 2)
+    client = @authenticator.call(:client_id => client_id, :client_secret => client_secret)
+    if client
+      env['oauth2.client'] = client
+      @app.call(env)
+    else
+      unauthorized
+    end
+  end
+
+  private
+  def authenticate(opts)
+    @authenticator && @authenticator.call(opts)
+  end
+
+  def unauthorized
+    [ 401,
+      { 'Content-Type' => 'text/plain',
+        'Content-Length' => '0',
+        'WWW-Authenticate' => 'Basic realm="%s"' % @realm },
+      []
+    ]
+  end
+
+  def bad_request
+    [ 400,
+      { 'Content-Type' => 'text/plain',
+        'Content-Length' => '0' },
+      []
+    ]
+  end
+end

data/lib/oauth2/rack/authentication/client/request_params.rb

@@ -0,0 +1,55 @@
+require 'oauth2/rack'
+
+# 2.4.1. Client Password
+# Send client_id and client_secret in request params
+class OAuth2::Rack::Authentication::Client::RequestParams
+  def initialize(app, opts = {}, &authenticator)
+    @app = app
+    @required = opts.fetch(:required, true)
+    opts.delete(:required)
+    @authenticator = authenticator || opts.delete(:authenticator)
+  end
+
+  def call(env)
+    return @app.call(env) if env.has_key?('oauth2.client')
+
+    @request = Rack::Request.new(env)
+
+    client_id = @request['client_id']
+    client_secret = @request['client_secret']
+    if client_id.nil? && client_secret.nil?
+      return @required ? unauthorized : @app.call(env)
+    elsif client_id.nil? || client_secret.nil?
+      return bad_request
+    end
+
+    client = @authenticator.call(:client_id => client_id, :client_secret => client_secret)
+    if client
+      env['oauth2.client'] = client
+      @app.call(env)
+    else
+      unauthorized
+    end
+  end
+  
+  private
+  def authenticate(opts)
+    @authenticator && @authenticator.call(opts)
+  end
+
+  def unauthorized
+    [ 401,
+      { 'Content-Type' => 'text/plain',
+        'Content-Length' => '0' },
+      []
+    ]
+  end
+
+  def bad_request
+    [ 400,
+      { 'Content-Type' => 'text/plain',
+        'Content-Length' => '0' },
+      []
+    ]
+  end
+end

data/lib/oauth2/rack/authentication/client.rb

@@ -0,0 +1,5 @@
+# Client authentication
+module OAuth2::Rack::Authentication::Client
+  autoload :HTTPBasic, 'oauth2/rack/authentication/client/http_basic'
+  autoload :RequestParams, 'oauth2/rack/authentication/client/request_params'
+end

data/lib/oauth2/rack/authentication/resource_owner/request_params.rb

@@ -0,0 +1,54 @@
+require 'oauth2/rack'
+
+# Authenticate resource owner with request params
+class OAuth2::Rack::Authentication::ResourceOwner::RequestParams
+  def initialize(app, opts = {}, &authenticator)
+    @app = app
+    @required = opts.fetch(:required, true)
+    opts.delete(:required)
+    @authenticator = authenticator || opts.delete(:authenticator)
+  end
+
+  def call(env)
+    return @app.call(env) if env.has_key?('oauth2.resource_owner')
+
+    @request = Rack::Request.new(env)
+
+    username = @request['username']
+    password = @request['password']
+    if username.nil? && password.nil?
+      return @required ? unauthorized : @app.call(env)
+    elsif username.nil? || password.nil?
+      return bad_request
+    end
+
+    resource_owner = @authenticator.call(:username => username, :password => password)
+    if resource_owner
+      env['oauth2.resource_owner'] = resource_owner
+      @app.call(env)
+    else
+      unauthorized
+    end
+  end
+  
+  private
+  def authenticate(opts)
+    @authenticator && @authenticator.call(opts)
+  end
+
+  def unauthorized
+    [ 401,
+      { 'Content-Type' => 'text/plain',
+        'Content-Length' => '0' },
+      []
+    ]
+  end
+  
+  def bad_request
+    [ 400,
+      { 'Content-Type' => 'text/plain',
+        'Content-Length' => '0' },
+      []
+    ]
+  end
+end

data/lib/oauth2/rack/authentication/resource_owner.rb

@@ -0,0 +1,4 @@
+# Client authentication
+module OAuth2::Rack::Authentication::ResourceOwner
+  autoload :RequestParams, 'oauth2/rack/authentication/resource_owner/request_params'
+end

data/lib/oauth2/rack/authentication.rb

@@ -0,0 +1,6 @@
+# Middlewares for authorization server to authenticate client or user
+module OAuth2::Rack::Authentication
+  autoload :Client, 'oauth2/rack/authentication/client'
+  autoload :ResourceOwner, 'oauth2/rack/authentication/resource_owner'
+end
+

data/lib/oauth2/rack/authorization/client_credentials/access_token_issuer.rb

@@ -0,0 +1,58 @@
+# @see 4.4.1 Client Credentials
+require 'oauth2/rack'
+require 'multi_json'
+
+class OAuth2::Rack::Authorization::ClientCredentials::AccessTokenIssuer
+  def initialize(app, opts = {}, &issuer)
+    @app = app
+
+    @issuer = issuer || opts.delete(:issuer)
+  end
+
+  def call(env)
+    client = env['oauth2.client']
+    unless client
+      return error_response(:error => 'invalid_client')
+    end
+
+    request = Rack::Request.new(env)
+    unless request['grant_type'] == 'client_credentials'
+      return error_response(:error => 'invalid_request')
+    end
+
+    access_token = find_acccess_token(:grant_type => 'client_credentials',
+                                      :client => client,
+                                      :scope => request['scope'])
+
+    if access_token['error']
+      error_response(access_token)
+    else
+      successful_response(access_token)
+    end
+  end
+
+  private
+  def find_acccess_token(opts)
+    if @issuer
+      @issuer.call(opts)
+    end || { 'error' => 'unauthorized_client' }
+  end
+
+  def successful_response(response_object)
+    headers = {
+      'Content-Type' => 'application/json;charset=UTF-8',
+      'Cache-Control' => 'no-store',
+      'Pragma' => 'no-cache'
+    }
+
+    [200, headers, [MultiJson.encode(response_object)]]
+  end
+
+  def error_response(response_object)
+    headers = {
+      'Content-Type' => 'application/json;charset=UTF-8'
+    }
+
+    [400, headers, [MultiJson.encode(response_object)]]
+  end
+end

data/lib/oauth2/rack/authorization/client_credentials.rb

@@ -0,0 +1,5 @@
+# Middlewares for authorization server
+module OAuth2::Rack::Authorization::ClientCredentials
+  autoload :AccessTokenIssuer, 'oauth2/rack/authorization/client_credentials/access_token_issuer'
+end
+

data/lib/oauth2/rack/authorization/password/access_token_issuer.rb

@@ -0,0 +1,60 @@
+# @see 4.3. Resource Owner Password Credentials
+require 'oauth2/rack'
+require 'multi_json'
+
+class OAuth2::Rack::Authorization::Password::AccessTokenIssuer
+  def initialize(app, opts = {}, &issuer)
+    @app = app
+
+    @issuer = issuer || opts.delete(:issuer)
+  end
+
+  def call(env)
+    resource_owner = env['oauth2.resource_owner']
+    unless resource_owner
+      return error_response(:error => 'invalid_grant')
+    end
+
+    request = Rack::Request.new(env)
+    unless request['grant_type'] == 'password'
+      return error_response(:error => 'invalid_request')
+    end
+
+    # oauth2.client is set in client authentication
+    access_token = find_acccess_token(:grant_type => 'password',
+                                      :resource_owner => resource_owner,
+                                      :client => env['oath2.client'],
+                                      :scope => request['scope'])
+
+    if access_token['error']
+      error_response(access_token)
+    else
+      successful_response(access_token)
+    end
+  end
+
+  private
+  def find_acccess_token(opts)
+    if @issuer
+      @issuer.call(opts)
+    end || { 'error' => 'unauthorized_client' }
+  end
+
+  def successful_response(response_object)
+    headers = {
+      'Content-Type' => 'application/json;charset=UTF-8',
+      'Cache-Control' => 'no-store',
+      'Pragma' => 'no-cache'
+    }
+
+    [200, headers, [MultiJson.encode(response_object)]]
+  end
+
+  def error_response(response_object)
+    headers = {
+      'Content-Type' => 'application/json;charset=UTF-8'
+    }
+
+    [400, headers, [MultiJson.encode(response_object)]]
+  end
+end

data/lib/oauth2/rack/authorization/password.rb

@@ -0,0 +1,5 @@
+# Middlewares for authorization server
+module OAuth2::Rack::Authorization::Password
+  autoload :AccessTokenIssuer, 'oauth2/rack/authorization/password/access_token_issuer'
+end
+

data/lib/oauth2/rack/authorization.rb

@@ -0,0 +1,6 @@
+# Middlewares for authorization server
+module OAuth2::Rack::Authorization
+  autoload :ClientCredentials, 'oauth2/rack/authorization/client_credentials'
+  autoload :Password, 'oauth2/rack/authorization/password'
+end
+

data/lib/oauth2/rack.rb

@@ -0,0 +1,9 @@
+require 'oauth2/rack/version'
+
+module OAuth2
+  # Oauth2::Rack module, the top namespace for all oauth2-rack modules and classes
+  module Rack
+    autoload :Authorization, 'oauth2/rack/authorization'
+    autoload :Authentication, 'oauth2/rack/authentication'
+  end
+end

data/lib/oauth2-rack.rb

@@ -0,0 +1 @@
+require 'oauth2/rack'

data/spec/oauth2/rack/authentication/client/http_basic_spec.rb

@@ -0,0 +1,76 @@
+require 'spec_helper'
+
+describe OAuth2::Rack::Authentication::Client::HTTPBasic do
+  let(:client) { double('client').as_null_object }
+  let(:authenticator) { double('authenticator').as_null_object }
+  let(:opts) { Hash.new }
+  let(:chained_app_response) { [200, { 'Content-Type' => 'text/plain' }, []] }
+
+  def do_request
+    post '/', opts
+  end
+
+  context 'when oauth2.client is already set' do
+    it 'continues the app' do
+      opts['oauth2.client'] = client
+      chained_app.should_receive(:call).with(hash_including('oauth2.client' => client)).and_return(chained_app_response)
+      do_request
+      response.status.should eq(200)
+    end
+  end
+
+  context 'when auth header is not specified' do
+    context 'and http basic auth is required' do
+      it 'responds with 401 unauthorized' do
+        do_request
+        response.status.should eq(401)
+      end
+    end
+    context 'and http basic auth is optional' do
+      app { OAuth2::Rack::Authentication::Client::HTTPBasic.new(chained_app, :required => false) }
+      it 'continues the app' do
+        chained_app.should_receive(:call).with(hash_not_including('oauth2.client')).and_return(chained_app_response)
+        do_request
+        response.status.should eq(200)
+      end
+    end
+  end
+
+  context 'when schema is not basic' do
+    before { opts['HTTP_AUTHORIZATION'] = 'Digest xxx' }
+
+    it 'responds with 400 bad request' do
+      do_request
+      response.status.should eq(400)
+    end
+  end
+
+  context 'when schema is basic' do
+    app {
+      OAuth2::Rack::Authentication::Client::HTTPBasic.new(chained_app) do |opts|
+        authenticator.call(opts)
+      end
+    }
+    before { opts['HTTP_AUTHORIZATION'] = "Basic #{["user:pass"].pack('m*')}" }
+
+    context 'and credentials are valid' do
+      it 'sets oauth2.client in env' do
+        authenticator.should_receive(:call).with(:client_id => 'user', :client_secret => 'pass').and_return(client)
+        chained_app.should_receive(:call).with(hash_including('oauth2.client' => client)).and_return(chained_app_response)
+
+        do_request
+      end
+    end
+
+    context 'but credentials are invalid' do
+      it 'responds with 401 unauthorized' do
+        authenticator.should_receive(:call).with(:client_id => 'user', :client_secret => 'pass').and_return(nil)
+        chained_app.should_not_receive(:call)
+
+        do_request
+
+        response.status.should eq(401)
+      end
+    end
+  end
+end

data/spec/oauth2/rack/authentication/client/request_params_spec.rb

@@ -0,0 +1,86 @@
+require 'spec_helper'
+
+describe OAuth2::Rack::Authentication::Client::RequestParams do
+  let(:client) { double('client').as_null_object }
+  let(:authenticator) { double('authenticator').as_null_object }
+  let(:params) { Hash.new }
+  let(:opts) { Hash[:params => params] }
+  let(:chained_app_response) { [200, { 'Content-Type' => 'text/plain' }, []] }
+
+  def do_request
+    post '/', opts
+  end
+
+  context 'when oauth2.client is already set' do
+    it 'continues the app' do
+      opts['oauth2.client'] = client
+      chained_app.should_receive(:call).with(hash_including('oauth2.client' => client)).and_return(chained_app_response)
+      do_request
+      response.status.should eq(200)
+    end
+  end
+
+  context 'when client_id and client_secret are both missed' do
+    context 'and request params auth is required' do
+      it 'responds with 401 unauthorized' do
+        do_request
+        response.status.should eq(401)
+      end
+    end
+    context 'and request params auth is optional' do
+      app { OAuth2::Rack::Authentication::Client::RequestParams.new(chained_app, :required => false) }
+      it 'continues the app' do
+        chained_app.should_receive(:call).with(hash_not_including('oauth2.client')).and_return(chained_app_response)
+        do_request
+        response.status.should eq(200)
+      end
+    end
+  end
+
+  context 'when client_id is missed' do
+    before { params['client_secret'] = 'secret' }
+
+    it 'responds with 400 bad request' do
+      do_request
+      response.status.should eq(400)
+    end
+  end
+  context 'when client_secret is missed' do
+    before { params['client_id'] = 'client_x' }
+
+    it 'responds with 400 bad request' do
+      do_request
+      response.status.should eq(400)
+    end
+  end
+
+  context 'when client_id and client_secret are specified' do
+    app {
+      OAuth2::Rack::Authentication::Client::RequestParams.new(chained_app) do |opts|
+        authenticator.call(opts)
+      end
+    }
+    let(:credentials) { Hash[:client_id => 'client_x', :client_secret => 'secret'] }
+    before { params.merge! credentials }
+
+    context 'and credentials are valid' do
+      it 'sets oauth2.client in env' do
+        authenticator.should_receive(:call).with(credentials).and_return(client)
+        chained_app.should_receive(:call).with(hash_including('oauth2.client' => client)).and_return(chained_app_response)
+
+        do_request
+      end
+    end
+
+    context 'but credentials are invalid' do
+      it 'responds with 401 unauthorized' do
+        authenticator.should_receive(:call).with(credentials).and_return(nil)
+        chained_app.should_not_receive(:call)
+
+        do_request
+
+        response.status.should eq(401)
+      end
+    end
+  end
+end

data/spec/oauth2/rack/authentication/resource_owner/request_params_spec.rb

@@ -0,0 +1,86 @@
+require 'spec_helper'
+
+describe OAuth2::Rack::Authentication::ResourceOwner::RequestParams do
+  let(:resource_owner) { double('resource_owner').as_null_object }
+  let(:authenticator) { double('authenticator').as_null_object }
+  let(:params) { Hash.new }
+  let(:opts) { Hash[:params => params] }
+  let(:chained_app_response) { [200, { 'Content-Type' => 'text/plain' }, []] }
+
+  def do_request
+    post '/', opts
+  end
+
+  context 'when oauth2.resource_owner is already set' do
+    it 'continues the app' do
+      opts['oauth2.resource_owner'] = resource_owner
+      chained_app.should_receive(:call).with(hash_including('oauth2.resource_owner' => resource_owner)).and_return(chained_app_response)
+      do_request
+      response.status.should eq(200)
+    end
+  end
+
+  context 'when username and password are both missed' do
+    context 'and request params auth is required' do
+      it 'responds with 401 unauthorized' do
+        do_request
+        response.status.should eq(401)
+      end
+    end
+    context 'and request params auth is optional' do
+      app { OAuth2::Rack::Authentication::ResourceOwner::RequestParams.new(chained_app, :required => false) }
+      it 'continues the app' do
+        chained_app.should_receive(:call).with(hash_not_including('oauth2.resource_owner')).and_return(chained_app_response)
+        do_request
+        response.status.should eq(200)
+      end
+    end
+  end
+
+  context 'when username is missed' do
+    before { params['password'] = 'secret' }
+
+    it 'responds with 400 bad request' do
+      do_request
+      response.status.should eq(400)
+    end
+  end
+  context 'when password is missed' do
+    before { params['username'] = 'user_x' }
+
+    it 'responds with 400 bad request' do
+      do_request
+      response.status.should eq(400)
+    end
+  end
+
+  context 'when username and password are specified' do
+    app {
+      OAuth2::Rack::Authentication::ResourceOwner::RequestParams.new(chained_app) do |opts|
+        authenticator.call(opts)
+      end
+    }
+    let(:credentials) { Hash[:username => 'user_x', :password => 'secret'] }
+    before { params.merge! credentials }
+
+    context 'and credentials are valid' do
+      it 'sets oauth2.resource_owner in env' do
+        authenticator.should_receive(:call).with(credentials).and_return(resource_owner)
+        chained_app.should_receive(:call).with(hash_including('oauth2.resource_owner' => resource_owner)).and_return(chained_app_response)
+
+        do_request
+      end
+    end
+
+    context 'but credentials are invalid' do
+      it 'responds with 401 unauthorized' do
+        authenticator.should_receive(:call).with(credentials).and_return(nil)
+        chained_app.should_not_receive(:call)
+
+        do_request
+
+        response.status.should eq(401)
+      end
+    end
+  end
+end

data/spec/oauth2/rack/authorization/client_credentials/access_token_issuer_spec.rb

@@ -0,0 +1,99 @@
+require 'spec_helper'
+
+describe OAuth2::Rack::Authorization::ClientCredentials::AccessTokenIssuer do
+  let(:client) { double('client') }
+  let(:opts) { Hash.new }
+
+  def do_request
+    post '/', opts
+  end
+
+  context 'when client is authenticated' do
+    before { opts['oauth2.client'] = client }
+
+    context 'and grant_type is invalid' do
+      let(:params) { Hash[:grant_type => 'xclient_credentials'] }
+      before { opts[:params] = params }
+
+      it 'responds with invalid_request' do
+        do_request
+
+        response.status.should eq(400)
+        response_object['error'].should eq('invalid_request')
+      end
+    end
+
+    context 'and grant_type is valid' do
+      let(:params) { Hash[:grant_type => 'client_credentials'] }
+      before { opts[:params] = params }
+
+      context 'and issuer is not specified' do
+        it 'responds with unauthorized_client' do
+          do_request
+
+          response.status.should eq(400)
+          response_object['error'].should eq('unauthorized_client')
+        end
+      end
+
+      context 'and issuer is specified' do
+        let(:issuer) { double('issuer') }
+        let(:expected_find_opts) {
+          Hash[:grant_type => 'client_credentials',
+               :client => client,
+               :scope => nil]
+        }
+
+        app { OAuth2::Rack::Authorization::ClientCredentials::AccessTokenIssuer.new(chained_app) { |opts| issuer.call(opts) } }
+
+        context 'but token is not found for the client' do
+          context 'and error is returned' do
+            before {
+              issuer.should_receive(:call).with(expected_find_opts).and_return({'error' => 'customized_error'})
+            }
+            it 'responds with the that error' do
+              do_request
+
+              response.status.should eq(400)
+              response_object['error'].should eq('customized_error')
+            end
+          end
+          context 'and nothing is returned' do
+            before {
+              issuer.should_receive(:call).with(expected_find_opts).and_return(nil)
+            }
+            it 'responds with unauthorized_client' do
+              do_request
+
+              response.status.should eq(400)
+              response_object['error'].should eq('unauthorized_client')
+            end
+          end
+          
+        end
+        context 'and token is found for the client' do
+          before {
+            issuer.should_receive(:call).with(expected_find_opts).and_return({:access_token => 'X'})
+          }
+
+          it 'responds with the found token' do
+            do_request
+
+            response.status.should eq(200)
+            response_object['access_token'].should eq('X')
+          end
+        end
+      end
+    end
+
+  end
+
+  context 'when client not authenticated' do
+    before { post '/' }
+
+    it 'responds with invalid_client' do
+      response.status.should eq(400)
+      response_object['error'].should eq('invalid_client')
+    end
+  end
+end

data/spec/oauth2/rack/authorization/password/access_token_issuer_spec.rb

@@ -0,0 +1,101 @@
+require 'spec_helper'
+
+describe OAuth2::Rack::Authorization::Password::AccessTokenIssuer do
+  let(:resource_owner) { double('resource_owner') }
+  let(:client) { double('client') }
+  let(:opts) { Hash.new }
+
+  def do_request
+    post '/', opts
+  end
+
+  context 'when resource_owner is authenticated' do
+    before { opts['oauth2.resource_owner'] = resource_owner }
+
+    context 'and grant_type is invalid' do
+      let(:params) { Hash[:grant_type => 'xpassword'] }
+      before { opts[:params] = params }
+
+      it 'responds with invalid_request' do
+        do_request
+
+        response.status.should eq(400)
+        response_object['error'].should eq('invalid_request')
+      end
+    end
+
+    context 'and grant_type is valid' do
+      let(:params) { Hash[:grant_type => 'password'] }
+      before { opts[:params] = params }
+
+      context 'and issuer is not specified' do
+        it 'responds with unauthorized_client' do
+          do_request
+
+          response.status.should eq(400)
+          response_object['error'].should eq('unauthorized_client')
+        end
+      end
+
+      context 'and issuer is specified' do
+        let(:issuer) { double('issuer') }
+        let(:expected_find_opts) {
+          Hash[:grant_type => 'password',
+               :resource_owner => resource_owner,
+               :client => nil,
+               :scope => nil]
+        }
+
+        app { OAuth2::Rack::Authorization::Password::AccessTokenIssuer.new(chained_app) { |opts| issuer.call(opts) } }
+
+        context 'but token is not found for the resource owner' do
+          context 'and error is returned' do
+            before {
+              issuer.should_receive(:call).with(expected_find_opts).and_return({'error' => 'customized_error'})
+            }
+            it 'responds with the that error' do
+              do_request
+
+              response.status.should eq(400)
+              response_object['error'].should eq('customized_error')
+            end
+          end
+          context 'and nothing is returned' do
+            before {
+              issuer.should_receive(:call).with(expected_find_opts).and_return(nil)
+            }
+            it 'responds with unauthorized_client' do
+              do_request
+
+              response.status.should eq(400)
+              response_object['error'].should eq('unauthorized_client')
+            end
+          end
+          
+        end
+        context 'and token is found for the client' do
+          before {
+            issuer.should_receive(:call).with(expected_find_opts).and_return({:access_token => 'X'})
+          }
+
+          it 'responds with the found token' do
+            do_request
+
+            response.status.should eq(200)
+            response_object['access_token'].should eq('X')
+          end
+        end
+      end
+    end
+
+  end
+
+  context 'when resource owner not authenticated' do
+    before { post '/' }
+
+    it 'responds with invalid_grant' do
+      response.status.should eq(400)
+      response_object['error'].should eq('invalid_grant')
+    end
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,11 @@
+$: << File.expand_path('../../lib', __FILE__)
+require 'oauth2/rack'
+require 'multi_json'
+
+# Requires supporting ruby files with custom matchers and macros, etc,
+# in spec/support/ and its subdirectories.
+Dir[File.expand_path("../support/**/*.rb", __FILE__)].each {|f| require f}
+
+RSpec.configure do |config|
+  config.mock_with :rspec
+end

data/spec/support/rake_test_helper.rb

@@ -0,0 +1,97 @@
+require 'rack/mock'
+require 'rack/utils'
+
+module RackTestHelper
+  def self.included(klass)
+    klass.extend ClassMethods
+  end
+
+  attr_accessor :response
+
+  def chained_app
+    if defined?(@original_chained_app)
+      @original_chained_app
+    else
+      @original_chained_app = instance_eval(&self.class.chained_app)
+    end
+  end
+  
+  def app
+    if defined?(@original_app)
+      @original_app
+    else
+      @original_app = instance_eval(&self.class.app)
+    end
+  end
+
+  def request
+    @request ||= Rack::MockRequest.new(app)
+  end
+
+  def response_object
+    return unless response
+
+    case response['Content-Type']
+    when %r{^application/json}
+      MultiJson::decode(response.body)
+    when %r{^application/x-www-form-urlencoded}
+      Rack::Utils.new.parse(response.body)
+    else
+      response.body
+    end
+  end
+
+  def get(uri, opts = {})
+    self.response = request.get(uri, opts)
+  end
+  def post(uri, opts = {})
+    self.response = request.post(uri, opts)
+  end
+  def put(uri, opts = {})
+    self.response = request.put(uri, opts)
+  end
+  def delete(uri, opts = {})
+    self.response = request.delete(uri, opts)
+  end
+
+  module ClassMethods
+    attr_reader :explicit_chained_app_block
+    def chained_app(&block)
+      block ? @explicit_chained_app_block = block : explicit_chained_app || implicit_chained_app
+    end
+
+    attr_reader :explicit_app_block
+    def app(&block)
+      block ? @explicit_app_block = block : explicit_app || implicit_app
+    end
+
+    def explicit_app
+      group = self
+      while group.respond_to?(:explicit_app_block)
+        return group.explicit_app_block if group.explicit_app_block
+        group = group.superclass
+      end
+    end
+
+    def implicit_app
+      described = describes || description
+      Class === described ? proc { described.new(chained_app) } : proc { described }
+    end
+
+    def explicit_chained_app
+      group = self
+      while group.respond_to?(:explicit_chained_app_block)
+        return group.explicit_chained_app_block if group.explicit_chained_app_block
+        group = group.superclass
+      end
+    end
+
+    def implicit_chained_app
+      proc { |env| [200, {"Content-Type" => 'text/html'}, ["<p>OK</p>"]] }
+    end
+  end
+end
+
+RSpec.configure do |config|
+  config.include RackTestHelper
+end

metadata

@@ -0,0 +1,167 @@
+--- !ruby/object:Gem::Specification
+name: oauth2-rack
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- Ian Yang
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2011-08-26 00:00:00.000000000Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: multi_json
+  requirement: &8610000 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *8610000
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: &8609580 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *8609580
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: &8609160 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *8609160
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: &8608740 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *8608740
+- !ruby/object:Gem::Dependency
+  name: yard
+  requirement: &8608320 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *8608320
+- !ruby/object:Gem::Dependency
+  name: shotgun
+  requirement: &8607900 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *8607900
+- !ruby/object:Gem::Dependency
+  name: guard-rspec
+  requirement: &8607480 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *8607480
+- !ruby/object:Gem::Dependency
+  name: oauth2
+  requirement: &8607060 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: *8607060
+description: Rack middlewares for OAuth2 authorization server and resource server
+email:
+- me@iany.me
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- Gemfile
+- Guardfile
+- Rakefile
+- config.ru
+- examples/ruby-client/password_authorization.rb
+- lib/oauth2-rack.rb
+- lib/oauth2/rack.rb
+- lib/oauth2/rack/authentication.rb
+- lib/oauth2/rack/authentication/client.rb
+- lib/oauth2/rack/authentication/client/http_basic.rb
+- lib/oauth2/rack/authentication/client/request_params.rb
+- lib/oauth2/rack/authentication/resource_owner.rb
+- lib/oauth2/rack/authentication/resource_owner/request_params.rb
+- lib/oauth2/rack/authorization.rb
+- lib/oauth2/rack/authorization/client_credentials.rb
+- lib/oauth2/rack/authorization/client_credentials/access_token_issuer.rb
+- lib/oauth2/rack/authorization/password.rb
+- lib/oauth2/rack/authorization/password/access_token_issuer.rb
+- spec/oauth2/rack/authentication/client/http_basic_spec.rb
+- spec/oauth2/rack/authentication/client/request_params_spec.rb
+- spec/oauth2/rack/authentication/resource_owner/request_params_spec.rb
+- spec/oauth2/rack/authorization/client_credentials/access_token_issuer_spec.rb
+- spec/oauth2/rack/authorization/password/access_token_issuer_spec.rb
+- spec/spec_helper.rb
+- spec/support/rake_test_helper.rb
+homepage: https://github.com/doitian/oauth2-rack
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: oauth2-rack
+rubygems_version: 1.8.6
+signing_key: 
+specification_version: 3
+summary: Rack middlewares for OAuth2 authorization server and resource server
+test_files:
+- spec/oauth2/rack/authentication/client/http_basic_spec.rb
+- spec/oauth2/rack/authentication/client/request_params_spec.rb
+- spec/oauth2/rack/authentication/resource_owner/request_params_spec.rb
+- spec/oauth2/rack/authorization/client_credentials/access_token_issuer_spec.rb
+- spec/oauth2/rack/authorization/password/access_token_issuer_spec.rb
+- spec/spec_helper.rb
+- spec/support/rake_test_helper.rb