oauth2_provider_engine 0.0.1

data/app/helpers/clients_helper.rb

@@ -0,0 +1,5 @@
+module ClientsHelper
+  def authorization_uri(client, scope)
+    "/oauth/authorize?response_type=code&scope=#{scope}&client_id=#{client.uri}&redirect_uri=#{client.redirect_uri}"
+  end
+end

data/app/helpers/oauth2_provider/application_helper.rb

@@ -0,0 +1,4 @@
+module Oauth2Provider
+  module ApplicationHelper
+  end
+end

data/app/models/oauth2_provider/client.rb

@@ -0,0 +1,129 @@
+# Application making protected resource requests on behalf of
+# the resource owner and with its authorization
+
+module Oauth2Provider
+class Client
+  include Mongoid::Document
+  include Mongoid::Timestamps
+  include Document::Base
+
+  field :uri                                       # client identifier (internal)
+  field :name                                      # client name
+  field :created_from                              # user who created the client
+  field :secret                                    # client secret
+  field :site_uri                                  # client website
+  field :redirect_uri                              # page called after authorization
+  field :scope, type: Array, default: []           # raw scope with keywords
+  field :scope_values, type: Array, default: []    # scope parsed as array of allowed actions
+  field :info                                      # client additional info
+  field :granted_times, type: Integer, default: 0  # tokens granted in the authorization step
+  field :revoked_times, type: Integer, default: 0  # tokens revoked in the authorization step
+  field :blocked, type: Time, default: nil         # blocks any request from the client
+
+  attr_accessible :name, :site_uri, :redirect_uri, :info, :scope
+
+  before_create  :random_secret
+  before_destroy :clean
+
+  validates :name, presence: true
+  validates :uri, presence: true, url: true
+  validates :created_from, presence: true, url: true
+  validates :redirect_uri, presence: true, url: true
+
+
+  # Block the client
+  def block!
+    self.blocked = Time.now
+    self.save
+    OauthToken.block_client!(self.uri)
+    OauthAuthorization.block_client!(self.uri)
+  end
+
+  # Unblock the client
+  def unblock!
+    self.blocked = nil
+    self.save
+  end
+
+  # Check if the status is or is not blocked
+  def blocked?
+    !self.blocked.nil?
+  end
+
+  # Increase the counter of resource owners granting the access
+  # to the client
+  def granted!
+    self.granted_times += 1
+    self.save
+  end
+
+  # Increase the counter of resource owners revoking the access
+  # to the client
+  def revoked!
+    self.revoked_times += 1
+    self.save
+  end
+
+  def scope_pretty
+    separator = Oauth2Provider.settings["scope_separator"]
+    scope.join(separator)
+  end
+
+  def scope_values_pretty
+    separator = Oauth2Provider.settings["scope_separator"]
+    scope_values.join(separator)
+  end
+
+  class << self
+
+    # Filter to the client uri (internal identifier) and the
+    # redirect uri
+    def where_uri(client_uri, redirect_uri)
+      where(uri: client_uri, redirect_uri: redirect_uri)
+    end
+
+    # Filter to the client secret and the redirect uri
+    def where_secret(secret, client_uri)
+      where(secret: secret, uri: client_uri)
+    end
+
+    # Filter to the client scope
+    def where_scope(scope)
+      all_in(scope_values: scope)
+    end
+
+    # Sync all clients with the correct exploded scope when a
+    # scope is modified (changed or removed)
+    def sync_clients_with_scope(scope)
+      Client.all.each do |client|
+        scope_string = client.scope.join(Oauth2Provider.settings["scope_separator"])
+        client.scope_values = Oauth2Provider.normalize_scope(scope_string)
+        client.save
+      end
+    end
+  end
+
+
+  private
+
+    # TODO: use atomic updates
+    # https://github.com/mongoid/mongoid/commit/aa2c388c71529bf4d987b286acfd861eaac530ce
+    def block_tokens!
+      OauthToken.where(client_uri: uri).map(&:block!)
+    end
+
+    def block_authorizations!
+      OauthAuthorization.where(client_uri: uri).map(&:block!)
+    end
+
+    def random_secret
+      self.secret = SecureRandom.hex(Oauth2Provider.settings["random_length"])
+    end
+
+    def clean
+      OauthToken.where(client_uri: uri).destroy_all
+      OauthAuthorization.where(client_uri: uri).destroy_all
+    end
+
+end
+end

data/app/models/oauth2_provider/document.rb

@@ -0,0 +1,15 @@
+module Oauth2Provider
+  module Document
+    module Base
+
+      def base_uri(request)
+        protocol = request.protocol
+        host = request.host_with_port
+        name = self.class.name.underscore.pluralize.split('/').last
+        id   = self.id.as_json
+        uri  = protocol + host + "/oauth/" + name + "/" +  id
+      end
+
+    end
+  end
+end

data/app/models/oauth2_provider/oauth_access.rb

@@ -0,0 +1,80 @@
+# Access info related to a resource owner using a specific
+# client (block and statistics)
+
+module Oauth2Provider
+class OauthAccess
+  include Mongoid::Document
+  include Mongoid::Timestamps
+
+  field :client_uri                           # client identifier (internal)
+  field :resource_owner_uri                   # resource owner identifier
+  field :blocked, type: Time, default: nil    # authorization block (a user block a single client)
+
+  embeds_many :oauth_daily_requests, class_name: 'Oauth2Provider::OauthDailyRequest'           # daily requests (one record per day)
+
+  validates :client_uri, presence: true
+  validates :resource_owner_uri, presence: true
+
+
+  # Block the resource owner delegation to a specific client
+  def block!
+    self.blocked = Time.now
+    self.save
+    OauthToken.block_access!(client_uri, resource_owner_uri)
+    OauthAuthorization.block_access!(client_uri, resource_owner_uri)
+  end
+
+  # Unblock the resource owner delegation to a specific client
+  def unblock!
+    self.blocked = nil
+    self.save
+  end
+
+  # Check if the status is or is not blocked
+  def blocked?
+    !self.blocked.nil?
+  end
+
+  # Increment the daily accesses
+  def accessed!
+    daily_requests.increment!
+  end
+
+  # A daily requests record (there is one per day)
+  #
+  #   @params [String] time we want to find the requests record
+  #   @return [OauthDailyRequest] requests record
+  def daily_requests(time = Time.now)
+    find_or_create_daily_requests(time)
+  end
+
+  # Give back the last days in a friendly format.It is used to
+  # generate graph for statistics
+  def chart_days
+    daily_requests = self.oauth_daily_requests.limit(10)
+    days = daily_requests.map(&:created_at)
+    days.map { |d| d.strftime("%b %e") }
+  end
+
+  # Give the number of accesses for the last days. It is used
+  # to generate graph for statistics
+  def chart_times
+    access_times = self.oauth_daily_requests.limit(10)
+    access_times.map(&:times)
+  end
+
+
+  private
+
+    def find_or_create_daily_requests(time)
+      daily_requests = oauth_daily_requests.find_day(time).first
+      daily_requests = oauth_daily_requests.create(created_at: time) unless daily_requests
+      return daily_requests
+    end
+
+    def daily_id(time)
+      time.year + time.month + time.day
+    end
+
+end
+end

data/app/models/oauth2_provider/oauth_authorization.rb

@@ -0,0 +1,70 @@
+# Authorization grant which represents the authorization
+# provided by the resource owner
+
+module Oauth2Provider
+class OauthAuthorization
+  include Mongoid::Document
+  include Mongoid::Timestamps
+
+  field :client_uri                           # client identifier
+  field :resource_owner_uri                   # resource owner identifier
+  field :code                                 # authorization code
+  field :scope, type: Array                   # scope accessible with request
+  field :expire_at, type: Time                # authorization expiration (security reasons)
+  field :blocked, type: Time, default: nil    # authorization block (if client is blocked)
+
+  validates :client_uri, presence: true, url: true
+  validates :resource_owner_uri, presence: true, url: true
+
+  before_create :random_code
+  before_create :create_expiration
+
+  # Block the authorization (when resource owner blocks a client)
+  def block!
+    self.blocked = Time.now
+    self.save
+  end
+
+  # Block tokens used from a client
+  def self.block_client!(client_uri)
+    self.where(client_uri: client_uri).map(&:block!)
+  end
+
+  # Block tokens used from a client in behalf of a resource owner
+  def self.block_access!(client_uri, resource_owner_uri)
+    self.where(client_uri: client_uri, resource_owner_uri: resource_owner_uri).map(&:block!)
+  end
+
+  # Check if the status is or is not blocked
+  def blocked?
+    !self.blocked.nil?
+  end
+
+  # Check if the authorization is expired
+  def expired?
+    self.expire_at < Time.now
+  end
+
+  # Find the authorization based on the client uri and the
+  # authorization code
+  class << self
+    def where_code_and_client_uri(code, client_id)
+      where(code: code).where(client_uri: client_id)
+    end
+  end
+
+
+  private
+
+    # random authorization code
+    def random_code
+      self.code = SecureRandom.hex(Oauth2Provider.settings["random_length"])
+    end
+
+    # expiration time
+    def create_expiration
+      self.expire_at = Chronic.parse("in #{Oauth2Provider.settings["authorization_expires_in"]} seconds")
+    end
+
+end
+end

data/app/models/oauth2_provider/oauth_daily_request.rb

@@ -0,0 +1,54 @@
+# Daily requests of a Resource Owner on a specific client
+
+module Oauth2Provider
+class OauthDailyRequest
+
+  include Mongoid::Document
+
+  field :created_at, type: Time                       # creation time
+  field :time_id                                      # unique key for the day
+  field :day                                          # request day
+  field :month                                        # request month
+  field :year                                         # request year
+  field :times, type: Integer, default: 0             # daily request times
+
+  # resource owner's client access
+  embedded_in :oauth_access, inverse_of: :oauth_daily_requests
+
+  after_create :init_times
+
+  # Increment the times counter that track the number of
+  # requests a client have made in behalf of a resource
+  # owner in a specific day
+  def increment!
+    self.times += 1
+    self.save
+  end
+
+  class << self
+
+    # Find a daily requests record
+    def find_day(time)
+      time_id = time_id(time)
+      where(time_id: time_id)
+    end
+
+    # Define an identifier for a specific day
+    def time_id(time)
+      time.strftime("%Y%m%d")
+    end
+  end
+
+  private
+
+    # Add statistical informations
+    def init_times
+      self.day     = self.created_at.strftime("%d")
+      self.month   = self.created_at.strftime("%m")
+      self.year    = self.created_at.strftime("%Y")
+      self.time_id = self.class.time_id(created_at)
+      self.save
+    end
+
+end
+end

data/app/models/oauth2_provider/oauth_refresh_token.rb

@@ -0,0 +1,20 @@
+module Oauth2Provider
+class OauthRefreshToken
+  include Mongoid::Document
+  include Mongoid::Timestamps
+
+  field :refresh_token
+  field :access_token
+
+  validates :access_token, presence: true
+
+  before_create :random_refresh_token
+
+  private
+
+    def random_refresh_token
+      self.refresh_token = SecureRandom.hex(Oauth2Provider.settings["random_length"])
+    end
+
+end
+end

data/app/models/oauth2_provider/oauth_token.rb

@@ -0,0 +1,78 @@
+# Access token used from the client to request resource
+# owner resouces
+
+module Oauth2Provider
+class OauthToken
+  include Mongoid::Document
+  include Mongoid::Timestamps
+
+  field :client_uri                           # client identifier (internal)
+  field :resource_owner_uri                   # resource owner identifier
+  field :token                                # access token
+  field :refresh_token                        # refresh token
+  field :scope, type: Array                   # scope accessible with token
+  field :expire_at, type: Time, default: nil  # token expiration
+  field :blocked, type: Time, default: nil    # access token block (if client is blocked)
+
+  before_create :random_token
+  before_create :random_refresh_token
+  before_create :create_expiration
+
+  validates :client_uri, presence: true, url: true
+  validates :resource_owner_uri, presence: true, url: true
+
+
+  # Block the resource owner delegation to a specific client
+  def block!
+    self.blocked = Time.now
+    self.save
+  end
+
+  # Block tokens used from a client
+  def self.block_client!(client_uri)
+    self.where(client_uri: client_uri).map(&:block!)
+  end
+
+  # Block tokens used from a client in behalf of a resource owner
+  def self.block_access!(client_uri, resource_owner_uri)
+    self.where(client_uri: client_uri, resource_owner_uri: resource_owner_uri).map(&:block!)
+  end
+
+  def self.exist(client_uri, resource_owner_uri, scope)
+    self.where(client_uri: client_uri).
+         where(resource_owner_uri: resource_owner_uri).
+         all_in(scope: scope)
+  end
+
+  # Check if the status is or is not blocked
+  def blocked?
+    !self.blocked.nil?
+  end
+
+  # Last time the resource owner have used the token
+  def last_access
+    self.updated_at
+  end
+
+  # Token is expired or not
+  def expired?
+    self.expire_at < Time.now
+  end
+
+
+  private
+
+    def random_token
+      self.token = SecureRandom.hex(Oauth2Provider.settings["random_length"])
+    end
+
+    def random_refresh_token
+      self.refresh_token = SecureRandom.hex(Oauth2Provider.settings["random_length"])
+    end
+
+    def create_expiration
+      self.expire_at = Chronic.parse("in #{Oauth2Provider.settings["token_expires_in"]} seconds")
+    end
+
+end
+end