oauth2_provider_engine 0.0.1

data/app/controllers/oauth2_provider/accesses_controller.rb

@@ -0,0 +1,39 @@
+class Oauth2Provider::AccessesController < Oauth2Provider::ApplicationController
+
+  before_filter :_oauth_provider_find_access, except: :index
+
+  def index
+    @accesses = Oauth2Provider::OauthAccess.to_adapter.find_all(resource_owner_uri: user_url(current_user))
+  end
+
+  def show
+  end
+
+  def block
+    @access.block!
+    redirect_to oauth2_provider_engine.oauth2_provider_accesses_url
+  end
+
+  def unblock
+    @access.unblock!
+    redirect_to oauth2_provider_engine.oauth2_provider_accesses_url
+  end
+
+
+  private
+  def _oauth_provider_find_access
+    @access = Oauth2Provider::OauthAccess.to_adapter.find_first(resource_owner_uri: user_url(current_user), id: params[:id])
+    unless @access
+      redirect_to root_path, alert: "Resource not found."
+    end
+  end
+
+  # TODO: change this behavior with a simple redirect
+  def resource_not_found
+    flash.now.alert = "notifications.document.not_found"
+    @info = { id: params[:id] }
+    render "shared/html/404" and return
+  end
+
+end
+

data/app/controllers/oauth2_provider/application_controller.rb

@@ -0,0 +1,17 @@
+module Oauth2Provider
+  class ApplicationController < ::ApplicationController
+    (::ApplicationController._process_action_callbacks - ActionController::Base._process_action_callbacks).each{|callback|skip_before_filter callback.filter if callback.kind == :before}
+
+    before_filter :_oauth_provider_authenticate
+
+    include ControllerMixin
+    layout 'oauth2_provider/application'
+    def _oauth_provider_admin?
+      unless current_user.admin?
+        flash.alert = "Unauthorized access."
+        redirect_to root_path
+        return false
+      end
+    end
+  end
+end

data/app/controllers/oauth2_provider/authorize_controller.rb

@@ -0,0 +1,141 @@
+class Oauth2Provider::AuthorizeController < Oauth2Provider::ApplicationController
+
+  before_filter :_oauth_provider_authenticate
+  before_filter :_oauth_provider_normalize_scope
+  before_filter :_oauth_provider_find_client
+  before_filter :_oauth_provider_check_scope          # check if the access is authorized
+  before_filter :_oauth_provider_client_blocked?      # check if the client is blocked
+  before_filter :_oauth_provider_access_blocked?      # check if user has blocked the client
+
+  before_filter :_oauth_provider_token_blocked?, only: :show   # check for an existing token
+  before_filter :_oauth_provider_refresh_token,  only: :show   # create a new token
+
+
+  def show
+    render "shared/authorize" and return
+  end
+
+  def create
+    @client.granted!
+
+    # section 4.1.1 - authorization code flow
+    if params[:response_type] == "code"
+      @authorization = Oauth2Provider::OauthAuthorization.create(client_uri: @client.uri, resource_owner_uri: user_url(current_user), scope: params[:scope])
+      redirect_to authorization_redirect_uri(@client, @authorization, params[:state])
+    end
+
+    # section 4.2.1 - implicit grant flow
+    if params[:response_type] == "token"
+      @token = Oauth2Provider::OauthToken.create(client_uri: @client.uri, resource_owner_uri: user_url(current_user), scope: params[:scope])
+      redirect_to implicit_redirect_uri(@client, @token, params[:state])
+    end
+  end
+
+  def destroy
+    @client.revoked!
+    redirect_to deny_redirect_uri(@client, params[:response_type], params[:state])
+  end
+
+
+  private
+
+    def _oauth_provider_normalize_scope
+      params[:scope] = Oauth2Provider.normalize_scope(params[:scope])
+    end
+
+
+    def _oauth_provider_find_client
+      @client = Oauth2Provider::Client.to_adapter.find_first(uri: params[:client_id], redirect_uri: params[:redirect_uri])
+      client_not_found unless @client
+    end
+
+    def _oauth_provider_check_scope
+      debugger
+      Oauth2Provider::Client.where_uri(params[:client_id], params[:redirect_uri]).where_scope(params[:scope]).first
+      @client = Array(params[:scope]).detect do |s|
+        Oauth2Provider::Client.to_adapter.find_first(uri: params[:client_id], redirect_uri: params[:redirect_uri], scope: s)
+      end
+      scope_not_valid unless @client
+    end
+
+    def _oauth_provider_client_blocked?
+      client_blocked if @client.blocked?
+    end
+
+    def _oauth_provider_access_blocked?
+      access = Oauth2Provider::OauthAccess.find_or_create_by(:client_uri => @client.uri, resource_owner_uri: user_url(current_user))
+      access_blocked if access.blocked?
+    end
+
+    def _oauth_provider_token_blocked?
+      if params[:response_type] == "token"
+        @token = Oauth2Provider::OauthToken.exist(@client.uri, user_url(current_user), params[:scope]).first
+        token_blocked if @token and @token.blocked?
+      end
+    end
+
+    # @only refresh token for implicit flow
+    def _oauth_provider_refresh_token
+      if @token
+        @token = Oauth2Provider::OauthToken.create(client_uri: @client.uri, resource_owner_uri: user_url(current_user), scope: params[:scope])
+        redirect_to implicit_redirect_uri(@client, @token, params[:state]) and return
+      end
+    end
+
+
+    # helper methods
+
+    def client_not_found
+      flash.now.alert = I18n.t "notifications.oauth.client.not_found"
+      @info = { client_id: params[:client_id], redirect_uri: params[:redirect_uri] }
+      render "shared/authorize" and return
+    end
+
+    def scope_not_valid
+      flash.now.alert = I18n.t "notifications.oauth.client.not_authorized"
+      @info = { scope: params[:scope] }
+      render "shared/authorize" and return
+    end
+
+    def client_blocked
+      flash.now.alert = I18n.t "notifications.oauth.client.blocked"
+      @info = { client_id: params[:client_id] }
+      render "shared/authorize" and return
+    end
+
+    def access_blocked
+      flash.now.alert = I18n.t "notifications.oauth.resource_owner.blocked_client"
+      @info = { client_id: params[:client_id] }
+      render "shared/authorize" and return
+    end
+
+    def token_blocked
+      flash.now.alert = I18n.t "notifications.oauth.token.blocked_token"
+      @info = { client_id: params[:client_id], token: @token.token }
+      render "shared/authorize" and return
+    end
+
+    def authorization_redirect_uri(client, authorization, state)
+      uri  = client.redirect_uri
+      uri += "?code="  + authorization.code
+      uri += "&state=" + state if state
+      return uri
+    end
+
+    def implicit_redirect_uri(client, token, state)
+      uri  = client.redirect_uri
+      uri += "#token=" + token.token
+      uri += "&expires_in=" + Oauth2Provider.settings["token_expires_in"]
+      uri += "&state=" + state if state
+      return uri
+    end
+
+    def deny_redirect_uri(client, response_type, state)
+      uri = client.redirect_uri
+      uri += (response_type == "code") ? "?" : "#"
+      uri += "error=access_denied"
+      uri += "&state=" + state if state
+      return uri
+    end
+
+end

data/app/controllers/oauth2_provider/clients_controller.rb

@@ -0,0 +1,85 @@
+module Oauth2Provider
+  class ClientsController < Oauth2Provider::ApplicationController
+    before_filter :_oauth_provider_find_clients
+    before_filter :_oauth_provider_find_client, only: ["show", "edit", "update", "destroy", "block", "unblock"]
+    before_filter :_oauth_provider_normalize_scope, only: ["create", "update"]
+    before_filter :_oauth_provider_admin?, only: ["block", "unblock"]
+
+    def index
+    end
+
+    def show
+    end
+
+    def new
+      @client = Client.new
+      @client.scope = ["all"]
+    end
+
+    def create
+      @client = Client.new(params[:client])
+      @client.created_from = user_url(current_user)
+      @client.uri          = @client.base_uri(request)
+      @client.scope_values = Oauth2Provider.normalize_scope(params[:client][:scope].clone)
+
+      if @client.save
+        redirect_to oauth2_provider_engine.oauth2_provider_client_path( @client ), notice: "Resource was successfully created."
+      else
+        render "new"
+      end
+    end
+
+    def edit
+    end
+
+    def update
+      @client.scope = params[:client][:scope]
+      @client.scope_values = Oauth2Provider.normalize_scope(params[:client][:scope].clone)
+
+      if @client.update_attributes(params[:client])
+        flash.now.notice = "Resource was successfully updated."
+        render "show"
+      else
+        render action: "edit"
+      end
+    end
+
+    def destroy
+      @client.destroy
+      redirect_to(clients_url, notice: "Resource was successfully destroyed.")
+    end
+
+    # TODO: this is not REST way
+    def block
+      @client.block!
+      redirect_to oauth2_provider_engine.oauth2_provider_clients_url
+    end
+
+    def unblock
+      @client.unblock!
+      redirect_to oauth2_provider_engine.oauth2_provider_clients_url
+    end
+
+    private
+
+    def _oauth_provider_find_clients
+      if current_user.admin?
+        @clients = Oauth2Provider::Client.criteria
+      else
+        @clients = Oauth2Provider::Client.where(created_from: user_url(current_user))
+      end
+    end
+
+    def _oauth_provider_find_client
+      @client = @clients.where(_id: params[:id]).first
+      unless @client
+        redirect_to root_path, alert: "Resource not found."
+      end
+    end
+
+    def _oauth_provider_normalize_scope
+      params[:client][:scope] = params[:client][:scope].split(Oauth2Provider.settings["scope_separator"])
+    end
+
+  end
+end

data/app/controllers/oauth2_provider/scopes_controller.rb

@@ -0,0 +1,63 @@
+class Oauth2Provider::ScopesController < Oauth2Provider::ApplicationController
+
+  before_filter :_oauth_provider_admin?
+  before_filter :_oauth_provider_find_resource, only: ["show", "edit", "update", "destroy"]
+  after_filter  :_oauth_provider_sync_existing_scopes, only: ["update", "destroy"]
+
+  def index
+    @scopes = Oauth2Provider::Scope.all
+  end
+
+  def show
+  end
+
+  def new
+    @scope = Oauth2Provider::Scope.new
+  end
+
+  def create
+    @scope        = Oauth2Provider::Scope.new(params[:scope])
+    @scope.uri    = @scope.base_uri(request)
+    @scope.values = @scope.normalize(params[:scope][:values])
+
+    if @scope.save
+      redirect_to(oauth2_provider_engine.oauth2_provider_scope_path(@scope), notice: "Resource was successfully created.")
+    else
+      render action: "new"
+    end
+  end
+
+  def edit
+  end
+
+  def update
+    @scope.values = @scope.normalize(params[:scope][:values])
+
+    if @scope.update_attributes(params[:scope])
+      render("show", notice: "Resource was successfully updated.")
+    else
+      render action: "edit"
+    end
+  end
+
+  def destroy
+    @scope.destroy
+    redirect_to(scopes_url, notice: "Resource was successfully destroyed.")
+  end
+
+
+  private
+
+    def _oauth_provider_find_resource
+      @scope = Oauth2Provider::Scope.where(_id: params[:id]).first
+      unless @scope
+        redirect_to root_path, alert: "Resource not found."
+      end
+    end
+
+    # TODO: put into a background process
+    def _oauth_provider_sync_existing_scopes
+      Oauth2Provider::Client.sync_clients_with_scope(@scope.name)
+    end
+
+end

data/app/controllers/oauth2_provider/token_controller.rb

@@ -0,0 +1,187 @@
+class Oauth2Provider::TokenController < Oauth2Provider::ApplicationController
+  include ActionView::Helpers::DateHelper
+
+  skip_before_filter :_oauth_provider_authenticate
+  before_filter      :_oauth_provider_json_body
+
+  # authorization code flow
+  before_filter :_oauth_provider_client_where_secret_and_redirect
+  before_filter :_oauth_provider_find_authorization
+  before_filter :_oauth_provider_find_authorization_expired
+
+  # password credential flow
+  before_filter :_oauth_provider_normalize_scope
+  before_filter :_oauth_provider_client_where_secret
+  before_filter :_oauth_provider_check_scope
+  before_filter :_oauth_provider_find_resource_owner
+
+  # refresh token flow
+  before_filter :_oauth_provider_find_refresh_token
+  before_filter :_oauth_provider_find_expired_token
+  before_filter :_oauth_provider_token_blocked?
+
+  before_filter :_oauth_provider_client_blocked?, only: "create"  # check if the client is blocked
+  before_filter :_oauth_provider_access_blocked?, only: "create"  # check if user has blocked the client
+
+
+  def create
+    # section 4.1.3 - authorization code flow
+    if @body[:grant_type] == "authorization_code"
+      @token = Oauth2Provider::OauthToken.create(client_uri: @client.uri, resource_owner_uri: @authorization.resource_owner_uri, scope: @authorization.scope)
+      @refresh_token = Oauth2Provider::OauthRefreshToken.create(access_token: @token.token)
+      render "/shared/token" and return
+    end
+
+    # section 4.3.1 (password credentials flow)
+    if @body[:grant_type] == "password"
+      @token = Oauth2Provider::OauthToken.create(client_uri: @client.uri, resource_owner_uri: user_url(@resource_owner), scope: @body[:scope])
+      @refresh_token = Oauth2Provider::OauthRefreshToken.create(access_token: @token.token)
+      render "/shared/token" and return
+    end
+
+    # section 6.0 (refresh token)
+    if @body[:grant_type] == "refresh_token"
+      @token = Oauth2Provider::OauthToken.create(client_uri: @expired_token.client_uri, resource_owner_uri: @expired_token.resource_owner_uri, scope: @expired_token.scope)
+      render "/shared/token" and return
+    end
+  end
+
+  # simulate a logout blocking the token
+  # TODO: refactoring
+  def destroy
+    token = Oauth2Provider::OauthToken.where(token: params[:id]).first
+    if token
+      token.block!
+      return head 200
+    else
+      return head 404
+    end
+  end
+
+
+  private
+
+  # filters for section 4.1.3 - authorization code flow
+  def _oauth_provider_client_where_secret_and_redirect
+    if @body[:grant_type] == "authorization_code"
+      @client = Oauth2Provider::Client.where_secret(@body[:client_secret], @body[:client_id]).where(redirect_uri: @body[:redirect_uri]).first
+      message = "notifications.oauth.client.not_found"
+      info = { client_secret: @body[:client_secret], client_id: @body[:client_id], redirect_uri: @body[:redirect_uri] }
+      render_422 message, info unless @client
+    end
+  end
+
+  def _oauth_provider_find_authorization
+    if @body[:grant_type] == "authorization_code"
+      @authorization = Oauth2Provider::OauthAuthorization.where_code_and_client_uri(@body[:code], @client.uri).first
+      @resource_owner_uri = @authorization.resource_owner_uri if @authorization
+      message = "notifications.oauth.authorization.not_found"
+      info = { code: @body[:code], client_id: @client.uri }
+      render_422 message, info unless @authorization
+    end
+  end
+
+  def _oauth_provider_find_authorization_expired
+    if @body[:grant_type] == "authorization_code"
+      message = "notifications.oauth.authorization.expired"
+      info = { expired_at: @authorization.expire_at, description: distance_of_time_in_words(@authorization.expire_at, Time.now, true) }
+      render_422 message, info if @authorization.expired?
+    end
+  end
+
+
+  # filters for section 4.3.1 (password credentials flow)
+  def _oauth_provider_normalize_scope
+    if @body[:grant_type] == "password"
+      @body[:scope] ||= ""
+      @body[:scope] = Oauth2Provider.normalize_scope(@body[:scope])
+    end
+  end
+
+  def _oauth_provider_client_where_secret
+    if @body[:grant_type] == "password" or @body[:grant_type] == "refresh_token"
+      @client = Oauth2Provider::Client.where_secret(@body[:client_secret], @body[:client_id])
+      message = "notifications.oauth.client.not_found"
+      info = { client_secret: @body[:client_secret], client_id: @body[:client_id] }
+      render_422 message, info unless @client.first
+    end
+  end
+
+  def _oauth_provider_check_scope
+    if @body[:grant_type] == "password"
+      @client = @client.where_scope(@body[:scope]).first
+      message = "notifications.oauth.client.not_authorized"
+      info = { scope: @body[:scope] }
+      render_422 message, info unless @client
+    end
+  end
+
+  def _oauth_provider_find_resource_owner
+    if @body[:grant_type] == "password"
+      @resource_owner = User.authenticate(@body[:username], @body[:password])
+      @resource_owner_uri = user_url(@resource_owner) if @resource_owner
+      message = "notifications.oauth.resource_owner.not_found"
+      info = { username: @body[:username] }
+      render_422 message, info unless @resource_owner
+    end
+  end
+
+
+  # filters for refresh token (section 6.0)
+  def _oauth_provider_find_refresh_token
+    if @body[:grant_type] == "refresh_token"
+      @client = @client.first
+      @refresh_token = Oauth2Provider::OauthRefreshToken.where(refresh_token: @body[:refresh_token]).first
+      message = "notifications.oauth.refresh_token.not_found"
+      info = { refresh_token: @body[:refresh_token] }
+      render_422 message, info unless @refresh_token
+    end
+  end
+
+  def _oauth_provider_find_expired_token
+    if @body[:grant_type] == "refresh_token"
+      @expired_token = Oauth2Provider::OauthToken.where(token: @refresh_token.access_token).first
+      @resource_owner_uri = @expired_token.resource_owner_uri
+      message = "notifications.oauth.token.not_found"
+      info = { token: @refresh_token.access_token }
+      render_422 message, info unless @refresh_token
+    end
+  end
+
+  def _oauth_provider_token_blocked?
+    if @body[:grant_type] == "refresh_token"
+      message = "notifications.oauth.token.blocked_token"
+      info = { token: @refresh_token.access_token }
+      render_422 message, info if @expired_token.blocked?
+    end
+  end
+
+
+  # shared
+  def _oauth_provider_client_blocked?
+    message = "notifications.oauth.client.blocked"
+    info = { client_id: @body[:client_id] }
+    render_422 message, info if @client.blocked?
+  end
+
+  def _oauth_provider_access_blocked?
+    access = Oauth2Provider::OauthAccess.find_or_create_by(:client_uri => @client.uri, resource_owner_uri: @resource_owner_uri)
+    message =  "notifications.oauth.resource_owner.blocked_client"
+    info = { client_id: @body[:client_id] }
+    render_422 message, info if access.blocked
+  end
+
+  # visualization
+  def render_404(message, info)
+    @message = I18n.t message
+    @info    = info.to_s
+    render "shared/404", status: 404 and return
+  end
+
+  def render_422(message, info)
+    @message = I18n.t message
+    @info    = info.to_json
+    render "shared/422", status: 422 and return
+  end
+
+end