oauth2 1.4.0 → 1.4.8

data/lib/oauth2/client.rb

@@ -4,6 +4,8 @@ require 'logger'
 module OAuth2
   # The OAuth2::Client class
   class Client # rubocop:disable Metrics/ClassLength
+    RESERVED_PARAM_KEYS = %w[headers parse].freeze
+
     attr_reader :id, :secret, :site
     attr_accessor :options
     attr_writer :connection
@@ -23,8 +25,8 @@ module OAuth2
     # @option opts [Symbol] :auth_scheme (:basic_auth) HTTP method to use to authorize request (:basic_auth or :request_body)
     # @option opts [Hash] :connection_opts ({}) Hash of connection options to pass to initialize Faraday with
     # @option opts [FixNum] :max_redirects (5) maximum number of redirects to follow
-    # @option opts [Boolean] :raise_errors (true) whether or not to raise an OAuth2::Error
-    #  on responses with 400+ status codes
+    # @option opts [Boolean] :raise_errors (true) whether or not to raise an OAuth2::Error on responses with 400+ status codes
+    # @option opts [Proc] :extract_access_token  proc that extracts the access token from the response
     # @yield [builder] The Faraday connection builder
     def initialize(client_id, client_secret, options = {}, &block)
       opts = options.dup
@@ -32,14 +34,18 @@ module OAuth2
       @secret = client_secret
       @site = opts.delete(:site)
       ssl = opts.delete(:ssl)
-      @options = {:authorize_url    => '/oauth/authorize',
-                  :token_url        => '/oauth/token',
-                  :token_method     => :post,
-                  :auth_scheme      => :request_body,
-                  :connection_opts  => {},
-                  :connection_build => block,
-                  :max_redirects    => 5,
-                  :raise_errors     => true}.merge(opts)
+
+      @options = {
+        :authorize_url => '/oauth/authorize',
+        :token_url => '/oauth/token',
+        :token_method => :post,
+        :auth_scheme => :request_body,
+        :connection_opts => {},
+        :connection_build => block,
+        :max_redirects => 5,
+        :raise_errors => true,
+        :extract_access_token => DEFAULT_EXTRACT_ACCESS_TOKEN,
+      }.merge(opts)
       @options[:connection_opts][:ssl] = ssl if ssl
     end
 
@@ -53,15 +59,12 @@ module OAuth2
 
     # The Faraday connection object
     def connection
-      @connection ||= begin
-        conn = Faraday.new(site, options[:connection_opts])
-        if options[:connection_build]
-          conn.build do |b|
-            options[:connection_build].call(b)
+      @connection ||=
+        Faraday.new(site, options[:connection_opts]) do |builder|
+          if options[:connection_build]
+            options[:connection_build].call(builder)
           end
         end
-        conn
-      end
     end
 
     # The authorize endpoint URL of the OAuth2 provider
@@ -91,12 +94,13 @@ module OAuth2
     #   code response for this request.  Will default to client option
     # @option opts [Symbol] :parse @see Response::initialize
     # @yield [req] The Faraday request
-    def request(verb, url, opts = {}) # rubocop:disable CyclomaticComplexity, MethodLength, Metrics/AbcSize
+    def request(verb, url, opts = {}) # rubocop:disable Metrics/MethodLength, Metrics/AbcSize
       connection.response :logger, ::Logger.new($stdout) if ENV['OAUTH_DEBUG'] == 'true'
 
-      url = connection.build_url(url, opts[:params]).to_s
+      url = connection.build_url(url).to_s
 
       response = connection.run_request(verb, url, opts[:body], opts[:headers]) do |req|
+        req.params.update(opts[:params]) if opts[:params]
         yield(req) if block_given?
       end
       response = Response.new(response, :parse => opts[:parse])
@@ -106,6 +110,7 @@ module OAuth2
         opts[:redirect_count] ||= 0
         opts[:redirect_count] += 1
         return response if opts[:redirect_count] > options[:max_redirects]
+
         if response.status == 303
           verb = :get
           opts.delete(:body)
@@ -117,6 +122,7 @@ module OAuth2
       when 400..599
         error = Error.new(response)
         raise(error) if opts.fetch(:raise_errors, options[:raise_errors])
+
         response.error = error
         response
       else
@@ -130,8 +136,17 @@ module OAuth2
     # @param [Hash] params a Hash of params for the token endpoint
     # @param [Hash] access token options, to pass to the AccessToken object
     # @param [Class] class of access token for easier subclassing OAuth2::AccessToken
-    # @return [AccessToken] the initalized AccessToken
-    def get_token(params, access_token_opts = {}, access_token_class = AccessToken) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+    # @return [AccessToken] the initialized AccessToken
+    def get_token(params, access_token_opts = {}, extract_access_token = options[:extract_access_token]) # rubocop:disable Metrics/AbcSize, Metrics/MethodLength
+      params = params.map do |key, value|
+        if RESERVED_PARAM_KEYS.include?(key)
+          [key.to_sym, value]
+        else
+          [key, value]
+        end
+      end
+      params = Hash[params]
+
       params = Authenticator.new(id, secret, options[:auth_scheme]).apply(params)
       opts = {:raise_errors => options[:raise_errors], :parse => params.delete(:parse)}
       headers = params.delete(:headers) || {}
@@ -144,11 +159,18 @@ module OAuth2
       end
       opts[:headers].merge!(headers)
       response = request(options[:token_method], token_url, opts)
-      if options[:raise_errors] && !(response.parsed.is_a?(Hash) && response.parsed['access_token'])
+
+      access_token = begin
+        build_access_token(response, access_token_opts, extract_access_token)
+      rescue StandardError
+        nil
+      end
+
+      if options[:raise_errors] && !access_token
         error = Error.new(response)
         raise(error)
       end
-      access_token_class.from_hash(self, response.parsed.merge(access_token_opts))
+      access_token
     end
 
     # The Authorization Code strategy
@@ -206,5 +228,27 @@ module OAuth2
         {}
       end
     end
+
+    DEFAULT_EXTRACT_ACCESS_TOKEN = proc do |client, hash|
+      token = hash.delete('access_token') || hash.delete(:access_token)
+      token && AccessToken.new(client, token, hash)
+    end
+
+  private
+
+    def build_access_token(response, access_token_opts, extract_access_token)
+      parsed_response = response.parsed.dup
+      return unless parsed_response.is_a?(Hash)
+
+      hash = parsed_response.merge(access_token_opts)
+
+      # Provide backwards compatibility for old AcessToken.form_hash pattern
+      # Should be deprecated in 2.x
+      if extract_access_token.is_a?(Class) && extract_access_token.respond_to?(:from_hash)
+        extract_access_token.from_hash(self, hash)
+      else
+        extract_access_token.call(self, hash)
+      end
+    end
   end
 end

data/lib/oauth2/error.rb

@@ -23,7 +23,7 @@ module OAuth2
     def error_message(response_body, opts = {})
       message = []
 
-      opts[:error_description] && message << opts[:error_description]
+      opts[:error_description] && (message << opts[:error_description])
 
       error_message = if opts[:error_description] && opts[:error_description].respond_to?(:encoding)
                         script_encoding = opts[:error_description].encoding

data/lib/oauth2/mac_token.rb

@@ -95,23 +95,29 @@ module OAuth2
     #
     # @param [String] alg the algorithm to use (one of 'hmac-sha-1', 'hmac-sha-256')
     def algorithm=(alg)
-      @algorithm = begin
-        case alg.to_s
-        when 'hmac-sha-1'
-          OpenSSL::Digest::SHA1.new
-        when 'hmac-sha-256'
-          OpenSSL::Digest::SHA256.new
-        else
-          raise(ArgumentError, 'Unsupported algorithm')
-        end
-      end
+      @algorithm = case alg.to_s
+                   when 'hmac-sha-1'
+                     begin
+                       OpenSSL::Digest('SHA1').new
+                     rescue StandardError
+                       OpenSSL::Digest.new('SHA1')
+                     end
+                   when 'hmac-sha-256'
+                     begin
+                       OpenSSL::Digest('SHA256').new
+                     rescue StandardError
+                       OpenSSL::Digest.new('SHA256')
+                     end
+                   else
+                     raise(ArgumentError, 'Unsupported algorithm')
+                   end
     end
 
   private
 
     # No-op since we need the verb and path
     # and the MAC always goes in a header
-    def token=(_)
+    def token=(_noop)
     end
 
     # Base64.strict_encode64 is not available on Ruby 1.8.7

data/lib/oauth2/response.rb

@@ -11,9 +11,9 @@ module OAuth2
     # Procs that, when called, will parse a response body according
     # to the specified format.
     @@parsers = {
-      :json  => lambda { |body| MultiJson.load(body) rescue body }, # rubocop:disable RescueModifier
+      :json => lambda { |body| MultiJson.load(body) rescue body }, # rubocop:disable Style/RescueModifier
       :query => lambda { |body| Rack::Utils.parse_query(body) },
-      :text  => lambda { |body| body },
+      :text => lambda { |body| body },
     }
 
     # Content type assignments for various potential HTTP content types.
@@ -68,6 +68,7 @@ module OAuth2
     #   application/json Content-Type response bodies
     def parsed
       return nil unless @@parsers.key?(parser)
+
       @parsed ||= @@parsers[parser].call(body)
     end
 
@@ -79,11 +80,12 @@ module OAuth2
     # Determines the parser that will be used to supply the content of #parsed
     def parser
       return options[:parse].to_sym if @@parsers.key?(options[:parse])
+
       @@content_types[content_type]
     end
   end
 end
 
 OAuth2::Response.register_parser(:xml, ['text/xml', 'application/rss+xml', 'application/rdf+xml', 'application/atom+xml']) do |body|
-  MultiXml.parse(body) rescue body # rubocop:disable RescueModifier
+  MultiXml.parse(body) rescue body # rubocop:disable Style/RescueModifier
 end

data/lib/oauth2/strategy/assertion.rb

@@ -50,10 +50,10 @@ module OAuth2
       def build_request(params)
         assertion = build_assertion(params)
         {
-          :grant_type     => 'assertion',
+          :grant_type => 'assertion',
           :assertion_type => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
-          :assertion      => assertion,
-          :scope          => params[:scope],
+          :assertion => assertion,
+          :scope => params[:scope],
         }
       end
 

data/lib/oauth2/strategy/password.rb

@@ -18,8 +18,8 @@ module OAuth2
       # @param [Hash] params additional params
       def get_token(username, password, params = {}, opts = {})
         params = {'grant_type' => 'password',
-                  'username'   => username,
-                  'password'   => password}.merge(params)
+                  'username' => username,
+                  'password' => password}.merge(params)
         @client.get_token(params, opts)
       end
     end

data/lib/oauth2/version.rb

@@ -1,5 +1,9 @@
+# frozen_string_literal: true
+
 module OAuth2
   module Version
+    VERSION = to_s
+
   module_function
 
     # The major version
@@ -20,12 +24,12 @@ module OAuth2
     #
     # @return [Integer]
     def patch
-      0
+      8
     end
 
     # The pre-release version, if any
     #
-    # @return [Integer, NilClass]
+    # @return [String, NilClass]
     def pre
       nil
     end
@@ -53,7 +57,9 @@ module OAuth2
     #
     # @return [String]
     def to_s
-      to_a.join('.')
+      v = [major, minor, patch].compact.join('.')
+      v += "-#{pre}" if pre
+      v
     end
   end
 end

data/spec/helper.rb

@@ -0,0 +1,30 @@
+DEBUG = ENV['DEBUG'] == 'true'
+
+ruby_version = Gem::Version.new(RUBY_VERSION)
+minimum_version = ->(version) { ruby_version >= Gem::Version.new(version) && RUBY_ENGINE == 'ruby' }
+coverage = minimum_version.call('2.7')
+debug = minimum_version.call('2.5')
+
+require 'simplecov' if coverage
+require 'byebug' if DEBUG && debug
+
+require 'oauth2'
+require 'addressable/uri'
+require 'rspec'
+require 'rspec/stubbed_env'
+require 'rspec/pending_for'
+require 'silent_stream'
+
+RSpec.configure do |config|
+  config.expect_with :rspec do |c|
+    c.syntax = :expect
+  end
+end
+
+Faraday.default_adapter = :test
+
+RSpec.configure do |conf|
+  conf.include SilentStream
+end
+
+VERBS = [:get, :post, :put, :delete].freeze

data/spec/oauth2/access_token_spec.rb

@@ -0,0 +1,216 @@
+describe OAuth2::AccessToken do
+  subject { described_class.new(client, token) }
+
+  let(:token) { 'monkey' }
+  let(:refresh_body) { MultiJson.encode(:access_token => 'refreshed_foo', :expires_in => 600, :refresh_token => 'refresh_bar') }
+  let(:client) do
+    OAuth2::Client.new('abc', 'def', :site => 'https://api.example.com') do |builder|
+      builder.request :url_encoded
+      builder.adapter :test do |stub|
+        VERBS.each do |verb|
+          stub.send(verb, '/token/header') { |env| [200, {}, env[:request_headers]['Authorization']] }
+          stub.send(verb, "/token/query?access_token=#{token}") { |env| [200, {}, Addressable::URI.parse(env[:url]).query_values['access_token']] }
+          stub.send(verb, '/token/query_string') { |env| [200, {}, CGI.unescape(Addressable::URI.parse(env[:url]).query)] }
+          stub.send(verb, '/token/body') { |env| [200, {}, env[:body]] }
+        end
+        stub.post('/oauth/token') { |env| [200, {'Content-Type' => 'application/json'}, refresh_body] }
+      end
+    end
+  end
+
+  describe '#initialize' do
+    it 'assigns client and token' do
+      expect(subject.client).to eq(client)
+      expect(subject.token).to eq(token)
+    end
+
+    it 'assigns extra params' do
+      target = described_class.new(client, token, 'foo' => 'bar')
+      expect(target.params).to include('foo')
+      expect(target.params['foo']).to eq('bar')
+    end
+
+    def assert_initialized_token(target) # rubocop:disable Metrics/AbcSize
+      expect(target.token).to eq(token)
+      expect(target).to be_expires
+      expect(target.params.keys).to include('foo')
+      expect(target.params['foo']).to eq('bar')
+    end
+
+    it 'initializes with a Hash' do
+      hash = {:access_token => token, :expires_at => Time.now.to_i + 200, 'foo' => 'bar'}
+      target = described_class.from_hash(client, hash)
+      assert_initialized_token(target)
+    end
+
+    it 'from_hash does not modify opts hash' do
+      hash = {:access_token => token, :expires_at => Time.now.to_i}
+      hash_before = hash.dup
+      described_class.from_hash(client, hash)
+      expect(hash).to eq(hash_before)
+    end
+
+    it 'initializes with a form-urlencoded key/value string' do
+      kvform = "access_token=#{token}&expires_at=#{Time.now.to_i + 200}&foo=bar"
+      target = described_class.from_kvform(client, kvform)
+      assert_initialized_token(target)
+    end
+
+    it 'sets options' do
+      target = described_class.new(client, token, :param_name => 'foo', :header_format => 'Bearer %', :mode => :body)
+      expect(target.options[:param_name]).to eq('foo')
+      expect(target.options[:header_format]).to eq('Bearer %')
+      expect(target.options[:mode]).to eq(:body)
+    end
+
+    it 'does not modify opts hash' do
+      opts = {:param_name => 'foo', :header_format => 'Bearer %', :mode => :body}
+      opts_before = opts.dup
+      described_class.new(client, token, opts)
+      expect(opts).to eq(opts_before)
+    end
+
+    describe 'expires_at' do
+      let(:expires_at) { 1_361_396_829 }
+      let(:hash) do
+        {
+          :access_token => token,
+          :expires_at => expires_at.to_s,
+          'foo' => 'bar',
+        }
+      end
+
+      it 'initializes with an integer timestamp expires_at' do
+        target = described_class.from_hash(client, hash.merge(:expires_at => expires_at))
+        assert_initialized_token(target)
+        expect(target.expires_at).to eql(expires_at)
+      end
+
+      it 'initializes with a string timestamp expires_at' do
+        target = described_class.from_hash(client, hash)
+        assert_initialized_token(target)
+        expect(target.expires_at).to eql(expires_at)
+      end
+
+      it 'initializes with a string time expires_at' do
+        target = described_class.from_hash(client, hash.merge(:expires_at => Time.at(expires_at).iso8601))
+        assert_initialized_token(target)
+        expect(target.expires_at).to eql(expires_at)
+      end
+    end
+  end
+
+  describe '#request' do
+    context 'with :mode => :header' do
+      before do
+        subject.options[:mode] = :header
+      end
+
+      VERBS.each do |verb|
+        it "sends the token in the Authorization header for a #{verb.to_s.upcase} request" do
+          expect(subject.post('/token/header').body).to include(token)
+        end
+      end
+    end
+
+    context 'with :mode => :query' do
+      before do
+        subject.options[:mode] = :query
+      end
+
+      VERBS.each do |verb|
+        it "sends the token in the Authorization header for a #{verb.to_s.upcase} request" do
+          expect(subject.post('/token/query').body).to eq(token)
+        end
+
+        it "sends a #{verb.to_s.upcase} request and options[:param_name] include [number]." do
+          subject.options[:param_name] = 'auth[1]'
+          expect(subject.__send__(verb, '/token/query_string').body).to include("auth[1]=#{token}")
+        end
+      end
+    end
+
+    context 'with :mode => :body' do
+      before do
+        subject.options[:mode] = :body
+      end
+
+      VERBS.each do |verb|
+        it "sends the token in the Authorization header for a #{verb.to_s.upcase} request" do
+          expect(subject.post('/token/body').body.split('=').last).to eq(token)
+        end
+      end
+    end
+
+    context 'params include [number]' do
+      VERBS.each do |verb|
+        it "sends #{verb.to_s.upcase} correct query" do
+          expect(subject.__send__(verb, '/token/query_string', :params => {'foo[bar][1]' => 'val'}).body).to include('foo[bar][1]=val')
+        end
+      end
+    end
+  end
+
+  describe '#expires?' do
+    it 'is false if there is no expires_at' do
+      expect(described_class.new(client, token)).not_to be_expires
+    end
+
+    it 'is true if there is an expires_in' do
+      expect(described_class.new(client, token, :refresh_token => 'abaca', :expires_in => 600)).to be_expires
+    end
+
+    it 'is true if there is an expires_at' do
+      expect(described_class.new(client, token, :refresh_token => 'abaca', :expires_in => Time.now.getutc.to_i + 600)).to be_expires
+    end
+  end
+
+  describe '#expired?' do
+    it 'is false if there is no expires_in or expires_at' do
+      expect(described_class.new(client, token)).not_to be_expired
+    end
+
+    it 'is false if expires_in is in the future' do
+      expect(described_class.new(client, token, :refresh_token => 'abaca', :expires_in => 10_800)).not_to be_expired
+    end
+
+    it 'is true if expires_at is in the past' do
+      access = described_class.new(client, token, :refresh_token => 'abaca', :expires_in => 600)
+      @now = Time.now + 10_800
+      allow(Time).to receive(:now).and_return(@now)
+      expect(access).to be_expired
+    end
+  end
+
+  describe '#refresh!' do
+    let(:access) do
+      described_class.new(client, token, :refresh_token => 'abaca',
+                                         :expires_in => 600,
+                                         :param_name => 'o_param')
+    end
+
+    it 'returns a refresh token with appropriate values carried over' do
+      refreshed = access.refresh!
+      expect(access.client).to eq(refreshed.client)
+      expect(access.options[:param_name]).to eq(refreshed.options[:param_name])
+    end
+
+    context 'with a nil refresh_token in the response' do
+      let(:refresh_body) { MultiJson.encode(:access_token => 'refreshed_foo', :expires_in => 600, :refresh_token => nil) }
+
+      it 'copies the refresh_token from the original token' do
+        refreshed = access.refresh!
+
+        expect(refreshed.refresh_token).to eq(access.refresh_token)
+      end
+    end
+  end
+
+  describe '#to_hash' do
+    it 'return a hash equals to the hash used to initialize access token' do
+      hash = {:access_token => token, :refresh_token => 'foobar', :expires_at => Time.now.to_i + 200, 'foo' => 'bar'}
+      access_token = described_class.from_hash(client, hash.clone)
+      expect(access_token.to_hash).to eq(hash)
+    end
+  end
+end

data/spec/oauth2/authenticator_spec.rb

@@ -0,0 +1,84 @@
+describe OAuth2::Authenticator do
+  subject do
+    described_class.new(client_id, client_secret, mode)
+  end
+
+  let(:client_id) { 'foo' }
+  let(:client_secret) { 'bar' }
+  let(:mode) { :undefined }
+
+  it 'raises NotImplementedError for unknown authentication mode' do
+    expect { subject.apply({}) }.to raise_error(NotImplementedError)
+  end
+
+  describe '#apply' do
+    context 'with parameter-based authentication' do
+      let(:mode) { :request_body }
+
+      it 'adds client_id and client_secret to params' do
+        output = subject.apply({})
+        expect(output).to eq('client_id' => 'foo', 'client_secret' => 'bar')
+      end
+
+      it 'does not overwrite existing credentials' do
+        input = {'client_secret' => 's3cr3t'}
+        output = subject.apply(input)
+        expect(output).to eq('client_id' => 'foo', 'client_secret' => 's3cr3t')
+      end
+
+      it 'preserves other parameters' do
+        input = {'state' => '42', :headers => {'A' => 'b'}}
+        output = subject.apply(input)
+        expect(output).to eq(
+          'client_id' => 'foo',
+          'client_secret' => 'bar',
+          'state' => '42',
+          :headers => {'A' => 'b'}
+        )
+      end
+
+      context 'using tls client authentication' do
+        let(:mode) { :tls_client_auth }
+
+        it 'does not add client_secret' do
+          output = subject.apply({})
+          expect(output).to eq('client_id' => 'foo')
+        end
+      end
+
+      context 'using private key jwt authentication' do
+        let(:mode) { :private_key_jwt }
+
+        it 'does not add client_secret or client_id' do
+          output = subject.apply({})
+          expect(output).to eq({})
+        end
+      end
+    end
+
+    context 'with Basic authentication' do
+      let(:mode) { :basic_auth }
+      let(:header) { 'Basic ' + Base64.encode64("#{client_id}:#{client_secret}").delete("\n") }
+
+      it 'encodes credentials in headers' do
+        output = subject.apply({})
+        expect(output).to eq(:headers => {'Authorization' => header})
+      end
+
+      it 'does not overwrite existing credentials' do
+        input = {:headers => {'Authorization' => 'Bearer abc123'}}
+        output = subject.apply(input)
+        expect(output).to eq(:headers => {'Authorization' => 'Bearer abc123'})
+      end
+
+      it 'does not overwrite existing params or headers' do
+        input = {'state' => '42', :headers => {'A' => 'b'}}
+        output = subject.apply(input)
+        expect(output).to eq(
+          'state' => '42',
+          :headers => {'A' => 'b', 'Authorization' => header}
+        )
+      end
+    end
+  end
+end