oauth2 1.4.0 → 2.0.0

data/lib/oauth2/response.rb

@@ -1,4 +1,6 @@
-require 'multi_json'
+# frozen_string_literal: true
+
+require 'json'
 require 'multi_xml'
 require 'rack'
 
@@ -6,20 +8,17 @@ module OAuth2
   # OAuth2::Response class
   class Response
     attr_reader :response
-    attr_accessor :error, :options
+    attr_accessor :options
 
     # Procs that, when called, will parse a response body according
     # to the specified format.
     @@parsers = {
-      :json  => lambda { |body| MultiJson.load(body) rescue body }, # rubocop:disable RescueModifier
-      :query => lambda { |body| Rack::Utils.parse_query(body) },
-      :text  => lambda { |body| body },
+      query: ->(body) { Rack::Utils.parse_query(body) },
+      text: ->(body) { body },
     }
 
     # Content type assignments for various potential HTTP content types.
     @@content_types = {
-      'application/json' => :json,
-      'text/javascript' => :json,
       'application/x-www-form-urlencoded' => :query,
       'text/plain' => :text,
     }
@@ -45,7 +44,7 @@ module OAuth2
     #   :json, or :automatic (determined by Content-Type response header)
     def initialize(response, opts = {})
       @response = response
-      @options = {:parse => :automatic}.merge(opts)
+      @options = {parse: :automatic}.merge(opts)
     end
 
     # The HTTP response headers
@@ -63,27 +62,74 @@ module OAuth2
       response.body || ''
     end
 
-    # The parsed response body.
-    #   Will attempt to parse application/x-www-form-urlencoded and
-    #   application/json Content-Type response bodies
+    # The {#response} {#body} as parsed by {#parser}.
+    #
+    # @return [Object] As returned by {#parser} if it is #call-able.
+    # @return [nil] If the {#parser} is not #call-able.
     def parsed
-      return nil unless @@parsers.key?(parser)
-      @parsed ||= @@parsers[parser].call(body)
+      return @parsed if defined?(@parsed)
+
+      @parsed =
+        if parser.respond_to?(:call)
+          case parser.arity
+          when 0
+            parser.call
+          when 1
+            parser.call(body)
+          else
+            parser.call(body, response)
+          end
+        end
+
+      @parsed = OAuth2::SnakyHash.new(@parsed) if @parsed.is_a?(Hash)
+
+      @parsed
     end
 
     # Attempts to determine the content type of the response.
     def content_type
-      ((response.headers.values_at('content-type', 'Content-Type').compact.first || '').split(';').first || '').strip
+      return nil unless response.headers
+
+      ((response.headers.values_at('content-type', 'Content-Type').compact.first || '').split(';').first || '').strip.downcase
     end
 
-    # Determines the parser that will be used to supply the content of #parsed
+    # Determines the parser (a Proc or other Object which responds to #call)
+    # that will be passed the {#body} (and optional {#response}) to supply
+    # {#parsed}.
+    #
+    # The parser can be supplied as the +:parse+ option in the form of a Proc
+    # (or other Object responding to #call) or a Symbol. In the latter case,
+    # the actual parser will be looked up in {@@parsers} by the supplied Symbol.
+    #
+    # If no +:parse+ option is supplied, the lookup Symbol will be determined
+    # by looking up {#content_type} in {@@content_types}.
+    #
+    # If {#parser} is a Proc, it will be called with no arguments, just
+    # {#body}, or {#body} and {#response}, depending on the Proc's arity.
+    #
+    # @return [Proc, #call] If a parser was found.
+    # @return [nil] If no parser was found.
     def parser
-      return options[:parse].to_sym if @@parsers.key?(options[:parse])
-      @@content_types[content_type]
+      return @parser if defined?(@parser)
+
+      @parser =
+        if options[:parse].respond_to?(:call)
+          options[:parse]
+        elsif options[:parse]
+          @@parsers[options[:parse].to_sym]
+        end
+
+      @parser ||= @@parsers[@@content_types[content_type]]
     end
   end
 end
 
-OAuth2::Response.register_parser(:xml, ['text/xml', 'application/rss+xml', 'application/rdf+xml', 'application/atom+xml']) do |body|
-  MultiXml.parse(body) rescue body # rubocop:disable RescueModifier
+OAuth2::Response.register_parser(:xml, ['text/xml', 'application/rss+xml', 'application/rdf+xml', 'application/atom+xml', 'application/xml']) do |body|
+  MultiXml.parse(body)
+end
+
+OAuth2::Response.register_parser(:json, ['application/json', 'text/javascript', 'application/hal+json', 'application/vnd.collection+json', 'application/vnd.api+json', 'application/problem+json']) do |body|
+  body = body.dup.force_encoding(::Encoding::ASCII_8BIT) if body.respond_to?(:force_encoding)
+
+  ::JSON.parse(body)
 end

data/lib/oauth2/snaky_hash.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+module OAuth2
+  # Hash which allow assign string key in camel case
+  # and query on both camel and snake case
+  class SnakyHash < ::Hashie::Mash::Rash
+  end
+end

data/lib/oauth2/strategy/assertion.rb

@@ -1,22 +1,31 @@
+# frozen_string_literal: true
+
 require 'jwt'
 
 module OAuth2
   module Strategy
     # The Client Assertion Strategy
     #
-    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10#section-4.1.3
+    # @see https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-10#section-4.1.3
     #
     # Sample usage:
     #   client = OAuth2::Client.new(client_id, client_secret,
-    #                               :site => 'http://localhost:8080')
+    #                               :site => 'http://localhost:8080',
+    #                               :auth_scheme => :request_body)
+    #
+    #   claim_set = {
+    #     :iss => "http://localhost:3001",
+    #     :aud => "http://localhost:8080/oauth2/token"
+    #     :sub => "me@example.com",
+    #     :exp => Time.now.utc.to_i + 3600,
+    #   }
     #
-    #   params = {:hmac_secret => "some secret",
-    #             # or :private_key => "private key string",
-    #             :iss => "http://localhost:3001",
-    #             :prn => "me@here.com",
-    #             :exp => Time.now.utc.to_i + 3600}
+    #   encoding = {
+    #     :algorithm => 'HS256',
+    #     :key => 'secret_key',
+    #   }
     #
-    #   access = client.assertion.get_token(params)
+    #   access = client.assertion.get_token(claim_set, encoding)
     #   access.token                 # actual access_token string
     #   access.get("/api/stuff")     # making api calls with access token in header
     #
@@ -30,45 +39,63 @@ module OAuth2
 
       # Retrieve an access token given the specified client.
       #
-      # @param [Hash] params assertion params
-      # pass either :hmac_secret or :private_key, but not both.
+      # @param [Hash] claims the hash representation of the claims that should be encoded as a JWT (JSON Web Token)
+      #
+      # For reading on JWT and claim keys:
+      #   @see https://github.com/jwt/ruby-jwt
+      #   @see https://datatracker.ietf.org/doc/html/rfc7519#section-4.1
+      #   @see https://datatracker.ietf.org/doc/html/rfc7523#section-3
+      #   @see https://www.iana.org/assignments/jwt/jwt.xhtml
+      #
+      # There are many possible claim keys, and applications may ask for their own custom keys.
+      # Some typically required ones:
+      #   :iss (issuer)
+      #   :aud (audience)
+      #   :sub (subject) -- formerly :prn https://datatracker.ietf.org/doc/html/draft-ietf-oauth-json-web-token-06#appendix-F
+      #   :exp, (expiration time) -- in seconds, e.g. Time.now.utc.to_i + 3600
+      #
+      # Note that this method does *not* validate presence of those four claim keys indicated as required by RFC 7523.
+      # There are endpoints that may not conform with this RFC, and this gem should still work for those use cases.
+      #
+      # @param [Hash] encoding_opts a hash containing instructions on how the JWT should be encoded
+      # @option algorithm [String] the algorithm with which you would like the JWT to be encoded
+      # @option key [Object] the key with which you would like to encode the JWT
       #
-      #   params :hmac_secret, secret string.
-      #   params :private_key, private key string.
+      # These two options are passed directly to `JWT.encode`.  For supported encoding arguments:
+      #   @see https://github.com/jwt/ruby-jwt#algorithms-and-usage
+      #   @see https://datatracker.ietf.org/doc/html/rfc7518#section-3.1
       #
-      #   params :iss, issuer
-      #   params :aud, audience, optional
-      #   params :prn, principal, current user
-      #   params :exp, expired at, in seconds, like Time.now.utc.to_i + 3600
+      # The object type of `:key` may depend on the value of `:algorithm`.  Sample arguments:
+      #   get_token(claim_set, {:algorithm => 'HS256', :key => 'secret_key'})
+      #   get_token(claim_set, {:algorithm => 'RS256', :key => OpenSSL::PKCS12.new(File.read('my_key.p12'), 'not_secret')})
       #
-      # @param [Hash] opts options
-      def get_token(params = {}, opts = {})
-        hash = build_request(params)
-        @client.get_token(hash, opts.merge('refresh_token' => nil))
+      # @param [Hash] request_opts options that will be used to assemble the request
+      # @option request_opts [String] :scope the url parameter `scope` that may be required by some endpoints
+      #   @see https://datatracker.ietf.org/doc/html/rfc7521#section-4.1
+      #
+      # @param [Hash] response_opts this will be merged with the token response to create the AccessToken object
+      #   @see the access_token_opts argument to Client#get_token
+
+      def get_token(claims, encoding_opts, request_opts = {}, response_opts = {})
+        assertion = build_assertion(claims, encoding_opts)
+        params = build_request(assertion, request_opts)
+
+        @client.get_token(params, response_opts.merge('refresh_token' => nil))
       end
 
-      def build_request(params)
-        assertion = build_assertion(params)
+    private
+
+      def build_request(assertion, request_opts = {})
         {
-          :grant_type     => 'assertion',
-          :assertion_type => 'urn:ietf:params:oauth:grant-type:jwt-bearer',
-          :assertion      => assertion,
-          :scope          => params[:scope],
-        }
+          grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
+          assertion: assertion,
+        }.merge(request_opts)
       end
 
-      def build_assertion(params)
-        claims = {
-          :iss => params[:iss],
-          :aud => params[:aud],
-          :prn => params[:prn],
-          :exp => params[:exp],
-        }
-        if params[:hmac_secret]
-          JWT.encode(claims, params[:hmac_secret], 'HS256')
-        elsif params[:private_key]
-          JWT.encode(claims, params[:private_key], 'RS256')
-        end
+      def build_assertion(claims, encoding_opts)
+        raise ArgumentError.new(message: 'Please provide an encoding_opts hash with :algorithm and :key') if !encoding_opts.is_a?(Hash) || (%i[algorithm key] - encoding_opts.keys).any?
+
+        JWT.encode(claims, encoding_opts[:key], encoding_opts[:algorithm])
       end
     end
   end

data/lib/oauth2/strategy/auth_code.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module OAuth2
   module Strategy
     # The Authorization Code Strategy
     #
-    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.1
+    # @see http://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-15#section-4.1
     class AuthCode < Base
       # The required query parameters for the authorize URL
       #
@@ -15,6 +17,7 @@ module OAuth2
       #
       # @param [Hash] params additional query parameters for the URL
       def authorize_url(params = {})
+        assert_valid_params(params)
         @client.authorize_url(authorize_params.merge(params))
       end
 
@@ -26,8 +29,18 @@ module OAuth2
       # @note that you must also provide a :redirect_uri with most OAuth 2.0 providers
       def get_token(code, params = {}, opts = {})
         params = {'grant_type' => 'authorization_code', 'code' => code}.merge(@client.redirection_params).merge(params)
+        params_dup = params.dup
+        params.each_key do |key|
+          params_dup[key.to_s] = params_dup.delete(key) if key.is_a?(Symbol)
+        end
+
+        @client.get_token(params_dup, opts)
+      end
+
+    private
 
-        @client.get_token(params, opts)
+      def assert_valid_params(params)
+        raise(ArgumentError, 'client_secret is not allowed in authorize URL query params') if params.key?(:client_secret) || params.key?('client_secret')
       end
     end
   end

data/lib/oauth2/strategy/base.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 module OAuth2
   module Strategy
     class Base

data/lib/oauth2/strategy/client_credentials.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module OAuth2
   module Strategy
     # The Client Credentials Strategy
     #
-    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.4
+    # @see http://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-15#section-4.4
     class ClientCredentials < Base
       # Not used for this strategy
       #

data/lib/oauth2/strategy/implicit.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module OAuth2
   module Strategy
     # The Implicit Strategy
     #
-    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-26#section-4.2
+    # @see http://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-26#section-4.2
     class Implicit < Base
       # The required query parameters for the authorize URL
       #
@@ -15,6 +17,7 @@ module OAuth2
       #
       # @param [Hash] params additional query parameters for the URL
       def authorize_url(params = {})
+        assert_valid_params(params)
         @client.authorize_url(authorize_params.merge(params))
       end
 
@@ -24,6 +27,12 @@ module OAuth2
       def get_token(*)
         raise(NotImplementedError, 'The token is accessed differently in this strategy')
       end
+
+    private
+
+      def assert_valid_params(params)
+        raise(ArgumentError, 'client_secret is not allowed in authorize URL query params') if params.key?(:client_secret) || params.key?('client_secret')
+      end
     end
   end
 end

data/lib/oauth2/strategy/password.rb

@@ -1,8 +1,10 @@
+# frozen_string_literal: true
+
 module OAuth2
   module Strategy
     # The Resource Owner Password Credentials Authorization Strategy
     #
-    # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-15#section-4.3
+    # @see http://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-15#section-4.3
     class Password < Base
       # Not used for this strategy
       #
@@ -18,8 +20,8 @@ module OAuth2
       # @param [Hash] params additional params
       def get_token(username, password, params = {}, opts = {})
         params = {'grant_type' => 'password',
-                  'username'   => username,
-                  'password'   => password}.merge(params)
+                  'username' => username,
+                  'password' => password}.merge(params)
         @client.get_token(params, opts)
       end
     end

data/lib/oauth2/version.rb

@@ -1,59 +1,7 @@
+# frozen_string_literal: true
+
 module OAuth2
   module Version
-  module_function
-
-    # The major version
-    #
-    # @return [Integer]
-    def major
-      1
-    end
-
-    # The minor version
-    #
-    # @return [Integer]
-    def minor
-      4
-    end
-
-    # The patch version
-    #
-    # @return [Integer]
-    def patch
-      0
-    end
-
-    # The pre-release version, if any
-    #
-    # @return [Integer, NilClass]
-    def pre
-      nil
-    end
-
-    # The version number as a hash
-    #
-    # @return [Hash]
-    def to_h
-      {
-        :major => major,
-        :minor => minor,
-        :patch => patch,
-        :pre => pre,
-      }
-    end
-
-    # The version number as an array
-    #
-    # @return [Array]
-    def to_a
-      [major, minor, patch, pre].compact
-    end
-
-    # The version number as a string
-    #
-    # @return [String]
-    def to_s
-      to_a.join('.')
-    end
+    VERSION = '2.0.0'.freeze
   end
 end

data/lib/oauth2.rb

@@ -1,4 +1,17 @@
+# frozen_string_literal: true
+
+# includes modules from stdlib
+require 'cgi'
+require 'time'
+
+# third party gems
+require 'rash'
+require 'version_gem'
+
+# includes gem files
+require 'oauth2/version'
 require 'oauth2/error'
+require 'oauth2/snaky_hash'
 require 'oauth2/authenticator'
 require 'oauth2/client'
 require 'oauth2/strategy/base'
@@ -8,5 +21,12 @@ require 'oauth2/strategy/password'
 require 'oauth2/strategy/client_credentials'
 require 'oauth2/strategy/assertion'
 require 'oauth2/access_token'
-require 'oauth2/mac_token'
 require 'oauth2/response'
+
+# The namespace of this library
+module OAuth2
+end
+
+OAuth2::Version.class_eval do
+  extend VersionGem::Basic
+end