oauth2 1.4.0 → 1.4.5

data/Rakefile

@@ -0,0 +1,45 @@
+# encoding: utf-8
+
+# !/usr/bin/env rake
+
+require 'bundler/gem_tasks'
+
+begin
+  require 'wwtd/tasks'
+rescue LoadError
+  puts 'failed to load wwtd'
+end
+
+begin
+  require 'rspec/core/rake_task'
+  RSpec::Core::RakeTask.new(:spec)
+rescue LoadError
+  task :spec do
+    warn 'rspec is disabled'
+  end
+end
+task :test => :spec
+
+begin
+  require 'rubocop/rake_task'
+  RuboCop::RakeTask.new do |task|
+    task.options = ['-D'] # Display the name of the failing cops
+  end
+rescue LoadError
+  task :rubocop do
+    warn 'RuboCop is disabled'
+  end
+end
+
+namespace :doc do
+  require 'rdoc/task'
+  require 'oauth2/version'
+  RDoc::Task.new do |rdoc|
+    rdoc.rdoc_dir = 'rdoc'
+    rdoc.title = "oauth2 #{OAuth2::Version}"
+    rdoc.main = 'README.md'
+    rdoc.rdoc_files.include('README.md', 'LICENSE.md', 'lib/**/*.rb')
+  end
+end
+
+task :default => [:test, :rubocop]

data/gemfiles/jruby_1.7.gemfile

@@ -0,0 +1,11 @@
+source 'https://rubygems.org'
+
+gem 'faraday', '~> 0.15.4'
+
+gem 'json', '< 2.0'
+gem 'rack', '~> 1.2'
+gem 'rake', ['>= 10.0', '< 12']
+gem 'term-ansicolor', '< 1.4.0'
+gem 'tins', '< 1.7'
+
+gemspec :path => '../'

data/gemfiles/jruby_9.0.gemfile

@@ -0,0 +1,7 @@
+source 'https://rubygems.org'
+
+gem 'faraday', '~> 0.15.4'
+
+gem 'rake', ['>= 10.0', '< 12']
+
+gemspec :path => '../'

data/gemfiles/jruby_9.1.gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec :path => '../'

data/gemfiles/jruby_9.2.gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec :path => '../'

data/gemfiles/jruby_head.gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec :path => '../'

data/gemfiles/ruby_1.9.gemfile

@@ -0,0 +1,11 @@
+source 'https://rubygems.org'
+
+gem 'faraday', '~> 0.15.4'
+
+gem 'json', '< 2.0'
+gem 'rack', '~> 1.2'
+gem 'rake', ['>= 10.0', '< 12']
+gem 'term-ansicolor', '< 1.4.0'
+gem 'tins', '< 1.7'
+
+gemspec :path => '../'

data/gemfiles/ruby_2.0.gemfile

@@ -0,0 +1,6 @@
+source 'https://rubygems.org'
+
+gem 'faraday', '~> 0.15.4'
+gem 'rack', '~> 1.2'
+
+gemspec :path => '../'

data/gemfiles/ruby_head.gemfile

@@ -0,0 +1,9 @@
+source 'https://rubygems.org'
+
+group :development do
+  gem 'byebug'
+  gem 'pry'
+  gem 'pry-byebug'
+end
+
+gemspec :path => '../'

data/gemfiles/truffleruby.gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+
+gemspec :path => '../'

data/lib/oauth2/access_token.rb

@@ -3,6 +3,7 @@ module OAuth2
     attr_reader :client, :token, :expires_in, :expires_at, :params
     attr_accessor :options, :refresh_token
 
+    # Should these methods be deprecated?
     class << self
       # Initializes an AccessToken from a Hash
       #
@@ -46,11 +47,11 @@ module OAuth2
       end
       @expires_in ||= opts.delete('expires')
       @expires_in &&= @expires_in.to_i
-      @expires_at &&= @expires_at.to_i
+      @expires_at &&= convert_expires_at(@expires_at)
       @expires_at ||= Time.now.to_i + @expires_in if @expires_in
-      @options = {:mode          => opts.delete(:mode) || :header,
+      @options = {:mode => opts.delete(:mode) || :header,
                   :header_format => opts.delete(:header_format) || 'Bearer %s',
-                  :param_name    => opts.delete(:param_name) || 'access_token'}
+                  :param_name => opts.delete(:param_name) || 'access_token'}
       @params = opts
     end
 
@@ -81,6 +82,7 @@ module OAuth2
     # @note options should be carried over to the new AccessToken
     def refresh!(params = {})
       raise('A refresh_token is not available') unless refresh_token
+
       params[:grant_type] = 'refresh_token'
       params[:refresh_token] = refresh_token
       new_token = @client.get_token(params)
@@ -149,7 +151,7 @@ module OAuth2
 
   private
 
-    def configure_authentication!(opts) # rubocop:disable MethodLength, Metrics/AbcSize
+    def configure_authentication!(opts) # rubocop:disable Metrics/AbcSize
       case options[:mode]
       when :header
         opts[:headers] ||= {}
@@ -169,5 +171,13 @@ module OAuth2
         raise("invalid :mode option of #{options[:mode]}")
       end
     end
+
+    def convert_expires_at(expires_at)
+      expires_at_i = expires_at.to_i
+      return expires_at_i if expires_at_i > Time.now.utc.to_i
+      return Time.parse(expires_at).to_i if expires_at.is_a?(String)
+
+      expires_at_i
+    end
   end
 end

data/lib/oauth2/authenticator.rb

@@ -25,6 +25,10 @@ module OAuth2
         apply_basic_auth(params)
       when :request_body
         apply_params_auth(params)
+      when :tls_client_auth
+        apply_client_id(params)
+      when :private_key_jwt
+        params
       else
         raise NotImplementedError
       end
@@ -42,6 +46,12 @@ module OAuth2
       {'client_id' => id, 'client_secret' => secret}.merge(params)
     end
 
+    # When using schemes that don't require the client_secret to be passed i.e TLS Client Auth,
+    # we don't want to send the secret
+    def apply_client_id(params)
+      {'client_id' => id}.merge(params)
+    end
+
     # Adds an `Authorization` header with Basic Auth credentials if and only if
     # it is not already set in the params.
     def apply_basic_auth(params)

data/lib/oauth2/client.rb

@@ -4,6 +4,8 @@ require 'logger'
 module OAuth2
   # The OAuth2::Client class
   class Client # rubocop:disable Metrics/ClassLength
+    RESERVED_PARAM_KEYS = %w[headers parse].freeze
+
     attr_reader :id, :secret, :site
     attr_accessor :options
     attr_writer :connection
@@ -23,8 +25,8 @@ module OAuth2
     # @option opts [Symbol] :auth_scheme (:basic_auth) HTTP method to use to authorize request (:basic_auth or :request_body)
     # @option opts [Hash] :connection_opts ({}) Hash of connection options to pass to initialize Faraday with
     # @option opts [FixNum] :max_redirects (5) maximum number of redirects to follow
-    # @option opts [Boolean] :raise_errors (true) whether or not to raise an OAuth2::Error
-    #  on responses with 400+ status codes
+    # @option opts [Boolean] :raise_errors (true) whether or not to raise an OAuth2::Error on responses with 400+ status codes
+    # @option opts [Proc] :extract_access_token  proc that extracts the access token from the response
     # @yield [builder] The Faraday connection builder
     def initialize(client_id, client_secret, options = {}, &block)
       opts = options.dup
@@ -32,14 +34,18 @@ module OAuth2
       @secret = client_secret
       @site = opts.delete(:site)
       ssl = opts.delete(:ssl)
-      @options = {:authorize_url    => '/oauth/authorize',
-                  :token_url        => '/oauth/token',
-                  :token_method     => :post,
-                  :auth_scheme      => :request_body,
-                  :connection_opts  => {},
-                  :connection_build => block,
-                  :max_redirects    => 5,
-                  :raise_errors     => true}.merge(opts)
+
+      @options = {
+        :authorize_url => '/oauth/authorize',
+        :token_url => '/oauth/token',
+        :token_method => :post,
+        :auth_scheme => :request_body,
+        :connection_opts => {},
+        :connection_build => block,
+        :max_redirects => 5,
+        :raise_errors => true,
+        :extract_access_token => DEFAULT_EXTRACT_ACCESS_TOKEN,
+      }.merge(opts)
       @options[:connection_opts][:ssl] = ssl if ssl
     end
 
@@ -91,12 +97,13 @@ module OAuth2
     #   code response for this request.  Will default to client option
     # @option opts [Symbol] :parse @see Response::initialize
     # @yield [req] The Faraday request
-    def request(verb, url, opts = {}) # rubocop:disable CyclomaticComplexity, MethodLength, Metrics/AbcSize
+    def request(verb, url, opts = {}) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
       connection.response :logger, ::Logger.new($stdout) if ENV['OAUTH_DEBUG'] == 'true'
 
-      url = connection.build_url(url, opts[:params]).to_s
+      url = connection.build_url(url).to_s
 
       response = connection.run_request(verb, url, opts[:body], opts[:headers]) do |req|
+        req.params.update(opts[:params]) if opts[:params]
         yield(req) if block_given?
       end
       response = Response.new(response, :parse => opts[:parse])
@@ -106,6 +113,7 @@ module OAuth2
         opts[:redirect_count] ||= 0
         opts[:redirect_count] += 1
         return response if opts[:redirect_count] > options[:max_redirects]
+
         if response.status == 303
           verb = :get
           opts.delete(:body)
@@ -117,6 +125,7 @@ module OAuth2
       when 400..599
         error = Error.new(response)
         raise(error) if opts.fetch(:raise_errors, options[:raise_errors])
+
         response.error = error
         response
       else
@@ -130,8 +139,17 @@ module OAuth2
     # @param [Hash] params a Hash of params for the token endpoint
     # @param [Hash] access token options, to pass to the AccessToken object
     # @param [Class] class of access token for easier subclassing OAuth2::AccessToken
-    # @return [AccessToken] the initalized AccessToken
-    def get_token(params, access_token_opts = {}, access_token_class = AccessToken) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+    # @return [AccessToken] the initialized AccessToken
+    def get_token(params, access_token_opts = {}, extract_access_token = options[:extract_access_token]) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+      params = params.map do |key, value|
+        if RESERVED_PARAM_KEYS.include?(key)
+          [key.to_sym, value]
+        else
+          [key, value]
+        end
+      end
+      params = Hash[params]
+
       params = Authenticator.new(id, secret, options[:auth_scheme]).apply(params)
       opts = {:raise_errors => options[:raise_errors], :parse => params.delete(:parse)}
       headers = params.delete(:headers) || {}
@@ -144,11 +162,18 @@ module OAuth2
       end
       opts[:headers].merge!(headers)
       response = request(options[:token_method], token_url, opts)
-      if options[:raise_errors] && !(response.parsed.is_a?(Hash) && response.parsed['access_token'])
+
+      access_token = begin
+        build_access_token(response, access_token_opts, extract_access_token)
+      rescue StandardError
+        nil
+      end
+
+      if options[:raise_errors] && !access_token
         error = Error.new(response)
         raise(error)
       end
-      access_token_class.from_hash(self, response.parsed.merge(access_token_opts))
+      access_token
     end
 
     # The Authorization Code strategy
@@ -207,4 +232,26 @@ module OAuth2
       end
     end
   end
+
+  DEFAULT_EXTRACT_ACCESS_TOKEN = proc do |client, hash|
+    token = hash.delete('access_token') || hash.delete(:access_token)
+    token && AccessToken.new(client, token, hash)
+  end
+
+private
+
+  def build_access_token(response, access_token_opts, extract_access_token)
+    parsed_response = response.parsed.dup
+    return unless parsed_response.is_a?(Hash)
+
+    hash = parsed_response.merge(access_token_opts)
+
+    # Provide backwards compatibility for old AcessToken.form_hash pattern
+    # Should be deprecated in 2.x
+    if extract_access_token.is_a?(Class) && extract_access_token.respond_to?(:from_hash)
+      extract_access_token.from_hash(self, hash)
+    else
+      extract_access_token.call(self, hash)
+    end
+  end
 end

data/lib/oauth2/mac_token.rb

@@ -98,9 +98,17 @@ module OAuth2
       @algorithm = begin
         case alg.to_s
         when 'hmac-sha-1'
-          OpenSSL::Digest::SHA1.new
+          begin
+            OpenSSL::Digest('SHA1').new
+          rescue StandardError
+            OpenSSL::Digest.new('SHA1')
+          end
         when 'hmac-sha-256'
-          OpenSSL::Digest::SHA256.new
+          begin
+            OpenSSL::Digest('SHA256').new
+          rescue StandardError
+            OpenSSL::Digest.new('SHA256')
+          end
         else
           raise(ArgumentError, 'Unsupported algorithm')
         end
@@ -111,7 +119,7 @@ module OAuth2
 
     # No-op since we need the verb and path
     # and the MAC always goes in a header
-    def token=(_)
+    def token=(_noop)
     end
 
     # Base64.strict_encode64 is not available on Ruby 1.8.7

data/lib/oauth2/response.rb

@@ -11,9 +11,9 @@ module OAuth2
     # Procs that, when called, will parse a response body according
     # to the specified format.
     @@parsers = {
-      :json  => lambda { |body| MultiJson.load(body) rescue body }, # rubocop:disable RescueModifier
+      :json => lambda { |body| MultiJson.load(body) rescue body }, # rubocop:disable Style/RescueModifier
       :query => lambda { |body| Rack::Utils.parse_query(body) },
-      :text  => lambda { |body| body },
+      :text => lambda { |body| body },
     }
 
     # Content type assignments for various potential HTTP content types.
@@ -68,6 +68,7 @@ module OAuth2
     #   application/json Content-Type response bodies
     def parsed
       return nil unless @@parsers.key?(parser)
+
       @parsed ||= @@parsers[parser].call(body)
     end
 
@@ -79,11 +80,12 @@ module OAuth2
     # Determines the parser that will be used to supply the content of #parsed
     def parser
       return options[:parse].to_sym if @@parsers.key?(options[:parse])
+
       @@content_types[content_type]
     end
   end
 end
 
 OAuth2::Response.register_parser(:xml, ['text/xml', 'application/rss+xml', 'application/rdf+xml', 'application/atom+xml']) do |body|
-  MultiXml.parse(body) rescue body # rubocop:disable RescueModifier
+  MultiXml.parse(body) rescue body # rubocop:disable Style/RescueModifier
 end

data/lib/oauth2/strategy/assertion.rb

@@ -50,10 +50,10 @@ module OAuth2
       def build_request(params)
         assertion = build_assertion(params)
         {
-          :grant_type     => 'assertion',
+          :grant_type => 'assertion',
           :assertion_type => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
-          :assertion      => assertion,
-          :scope          => params[:scope],
+          :assertion => assertion,
+          :scope => params[:scope],
         }
       end
 

data/lib/oauth2/strategy/password.rb

@@ -18,8 +18,8 @@ module OAuth2
       # @param [Hash] params additional params
       def get_token(username, password, params = {}, opts = {})
         params = {'grant_type' => 'password',
-                  'username'   => username,
-                  'password'   => password}.merge(params)
+                  'username' => username,
+                  'password' => password}.merge(params)
         @client.get_token(params, opts)
       end
     end

data/lib/oauth2/version.rb

@@ -1,5 +1,6 @@
 module OAuth2
   module Version
+    VERSION = to_s
   module_function
 
     # The major version
@@ -20,7 +21,7 @@ module OAuth2
     #
     # @return [Integer]
     def patch
-      0
+      5
     end
 
     # The pre-release version, if any