oauth2c 0.1.0

data/lib/oauth2c/agent.rb

@@ -0,0 +1,92 @@
+# Copyright 2017 Doximity, Inc. <support@doximity.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "uri"
+require "http"
+require "json"
+
+module OAuth2c
+  class Agent
+    using Refinements
+
+    ConfigError = Class.new(StandardError)
+
+    def initialize(authz_url: nil, token_url:, client_id:, client_secret: nil, redirect_uri: nil)
+      @authz_url     = authz_url && authz_url.chomp("/")
+      @token_url     = token_url && token_url.chomp("/")
+      @client_id     = client_id
+      @client_secret = client_secret
+      @redirect_uri  = redirect_uri
+
+      @http_client = HTTP.nodelay
+        .basic_auth(user: @client_id, pass: @client_secret)
+        .accept("application/json")
+        .headers("Content-Type": "application/x-www-form-urlencoded; encoding=UTF-8")
+    end
+
+    def authz_url(response_type:, state:, scope: [], **params)
+      if @authz_url.nil?
+        raise ConfigError, "authz_url not informed for client"
+      end
+
+      if @redirect_uri.nil?
+        raise ConfigError, "redirect_uri not informed for client"
+      end
+
+      params = {
+        client_id: @client_id,
+        redirect_uri: @redirect_uri,
+        response_type: response_type,
+        state: state,
+        scope: normalize_scope(scope),
+        **params
+      }
+
+      url = URI.parse(@authz_url)
+      url.query = URI.encode_www_form(params.to_a)
+      url.to_s
+    end
+
+    def token(grant_type:, scope: [], include_redirect_uri: false, **params)
+      params = {
+        grant_type: grant_type,
+        scope: normalize_scope(scope),
+        **params,
+      }
+
+      if include_redirect_uri
+        params[:redirect_uri] = @redirect_uri
+      end
+
+      response = @http_client.post(@token_url, body: URI.encode_www_form(params))
+
+      [ response.status.success?, JSON.parse(response.body) ]
+    end
+
+    private
+
+    def normalize_scope(scope)
+      case scope
+      when "", [], NilClass
+        nil
+      when String
+        scope
+      when Array
+        scope.join(" ")
+      else
+        raise ArgumentError, "invalid scope: #{scope.inspect}"
+      end
+    end
+  end
+end

data/lib/oauth2c/cache/backends/in_memory_lru.rb

@@ -0,0 +1,46 @@
+# Copyright 2017 Doximity, Inc. <support@doximity.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "thread"
+
+module OAuth2c
+  module Cache
+    module Backends
+      class InMemoryLRU
+        def initialize(max_size)
+          @max_size = max_size
+          @store = {}
+          @mtx = Mutex.new
+        end
+
+        def lookup(key)
+          @mtx.synchronize do
+            return nil unless @store.has_key?(key)
+            @store[key] = @store.delete(key)
+          end
+        end
+
+        def store(key, bucket)
+          @mtx.synchronize do
+            @store[key] = bucket
+
+            if @store.size > @max_size
+              @store.shift
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/oauth2c/cache/backends/null.rb

@@ -0,0 +1,31 @@
+# Copyright 2017 Doximity, Inc. <support@doximity.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "thread"
+
+module OAuth2c
+  module Cache
+    module Backends
+      class Null
+        def lookup(key)
+          nil
+        end
+
+        def store(key, bucket)
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/oauth2c/cache/backends/redis.rb

@@ -0,0 +1,56 @@
+# Copyright 2017 Doximity, Inc. <support@doximity.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "json"
+
+module OAuth2c
+  module Cache
+    module Backends
+      class Redis
+        using Refinements
+
+        def initialize(redis, namespace = nil)
+          @redis = redis
+          @namespace = namespace
+        end
+
+        def lookup(key)
+          access_token_data, scope_data = @redis.mget("#{fq_key(key)}:access_token", "#{fq_key(key)}:scope")
+          return if access_token_data.nil? || scope_data.nil?
+
+          access_token = AccessToken.new(**JSON.load(access_token_data).symbolize_keys)
+          Store::Bucket.new(access_token, JSON.load(scope_data))
+        end
+
+        def store(key, bucket)
+          access_token = bucket.access_token
+
+          @redis.mset(
+            "#{fq_key(key)}:access_token", JSON.dump(access_token.attributes),
+            "#{fq_key(key)}:scope", JSON.dump(bucket.scope),
+          )
+
+          @redis.expire("#{fq_key(key)}:access_token", access_token.expires_in)
+          @redis.expire("#{fq_key(key)}:scope", access_token.expires_in)
+        end
+
+        private
+
+        def fq_key(key)
+          @namespace ? "#{@namespace}:#{key}" : key
+        end
+      end
+    end
+  end
+end

data/lib/oauth2c/cache/backends.rb

@@ -0,0 +1,23 @@
+# Copyright 2017 Doximity, Inc. <support@doximity.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module OAuth2c
+  module Cache
+    module Backends
+      autoload :Null,        "oauth2c/cache/backends/null"
+      autoload :InMemoryLRU, "oauth2c/cache/backends/in_memory_lru"
+      autoload :Redis,       "oauth2c/cache/backends/redis"
+    end
+  end
+end

data/lib/oauth2c/cache/manager.rb

@@ -0,0 +1,54 @@
+# Copyright 2017 Doximity, Inc. <support@doximity.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "forwardable"
+
+module OAuth2c
+  module Cache
+    class Manager
+      extend Forwardable
+
+      def initialize(client, cache_backend)
+        @client = client
+        @cache  = Cache::Store.new(cache_backend)
+      end
+
+      def_delegators :@cache, :cached?, :cached
+
+      def method_missing(name, key, *args, **opts)
+        grant = @client.public_send(name, *args, **opts)
+        CacheProxy.new(@cache, key, grant)
+      end
+
+      class CacheProxy < BasicObject
+        def initialize(cache, key, grant)
+          @cache = cache
+          @key   = key
+          @grant = grant
+        end
+
+        def method_missing(name, *args)
+          @grant.public_send(name, *args)
+        end
+
+        def token(*args)
+          @cache.issue(@key, scope: @grant.scope) do |new_scope|
+            @grant.update_scope(new_scope)
+            @grant.token(*args)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/oauth2c/cache/store.rb

@@ -0,0 +1,48 @@
+# Copyright 2017 Doximity, Inc. <support@doximity.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module OAuth2c
+  module Cache
+    class Store
+      Bucket = Struct.new(:access_token, :scope)
+
+      def initialize(backend)
+        @backend = backend
+      end
+
+      def cached?(key, scope: [])
+        cached(key, scope: scope) ? true : false
+      end
+
+      def cached(key, scope: [])
+        cache = @backend.lookup(key)
+        return false if cache.nil?
+        return false unless scope.all? { |s| cache.scope.include?(s) }
+
+        if cache.access_token.expires_at >= Time.now
+          cache.access_token
+        end
+      end
+
+      def issue(key, scope:, &block)
+        cached = @backend.lookup(key)
+        scope  = cached[:scope] | scope if cached
+
+        access_token = block.call(scope)
+        @backend.store(key, Bucket.new(access_token, scope))
+        access_token
+      end
+    end
+  end
+end

data/lib/oauth2c/cache.rb

@@ -0,0 +1,21 @@
+# Copyright 2017 Doximity, Inc. <support@doximity.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module OAuth2c
+  module Cache
+    autoload :Backends, "oauth2c/cache/backends"
+    autoload :Manager,  "oauth2c/cache/manager"
+    autoload :Store,    "oauth2c/cache/store"
+  end
+end

data/lib/oauth2c/client.rb

@@ -0,0 +1,51 @@
+# Copyright 2017 Doximity, Inc. <support@doximity.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module OAuth2c
+  class Client
+    using Refinements
+
+    attr_reader(
+      :authz_url,
+      :token_url,
+      :client_id,
+      :client_secret,
+      :redirect_uri,
+    )
+
+    def initialize(authz_url: nil, token_url:, client_id:, client_secret: nil, redirect_uri: nil)
+      @authz_url     = authz_url
+      @token_url     = token_url
+      @client_id     = client_id
+      @client_secret = client_secret
+      @redirect_uri  = redirect_uri
+    end
+
+    def method_missing(name, *_, **opts)
+      Grants.const_get(name.to_s.camelize).new(build_agent, **opts)
+    end
+
+    private
+
+    def build_agent
+      Agent.new(
+        authz_url: @authz_url,
+        token_url: @token_url,
+        client_id: @client_id,
+        client_secret: @client_secret,
+        redirect_uri: @redirect_uri,
+      )
+    end
+  end
+end

data/lib/oauth2c/error.rb

@@ -0,0 +1,28 @@
+# Copyright 2017 Doximity, Inc. <support@doximity.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module OAuth2c
+  class Error < StandardError
+    attr_accessor(
+      :error,
+      :error_description,
+    )
+
+    def initialize(error, error_description)
+      @error             = error
+      @error_description = error_description
+      super("#{error}: #{error_description}")
+    end
+  end
+end

data/lib/oauth2c/grants/assertion.rb

@@ -0,0 +1,80 @@
+# Copyright 2017 Doximity, Inc. <support@doximity.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+require "securerandom"
+require "jwt"
+
+module OAuth2c
+  module Grants
+    class Assertion < OAuth2c::TwoLegged::Base
+      class JWTProfile
+        def initialize(alg, key,
+            iss:,
+            aud:,
+            sub:,
+            jti: SecureRandom.uuid,
+            exp: Time.now + (5 * 60),
+            nbf: Time.now,
+            iat: Time.now,
+            **other_claims
+        )
+          @alg = alg
+          @key = key
+
+          @iss = iss
+          @aud = aud
+          @sub = sub
+          @jti = jti
+          @exp = exp
+          @nbf = nbf
+          @iat = iat
+
+          @other_claims = other_claims
+        end
+
+        def grant_type
+          "urn:ietf:params:oauth:grant-type:jwt-bearer"
+        end
+
+        def assertion
+          JWT.encode(claims, @key, @alg)
+        end
+
+        def claims
+          {
+            iss: @iss,
+            sub: @sub,
+            aud: @aud,
+            jti: @jti,
+            exp: @exp && @exp.utc.to_i,
+            nbf: @nbf && @nbf.utc.to_i,
+            iat: @iat && @iat.utc.to_i,
+            **@other_claims,
+          }
+        end
+      end
+
+      def initialize(agent, profile:, **opts)
+        super(agent, **opts)
+        @profile = profile
+      end
+
+      protected
+
+      def token_params
+        { grant_type: @profile.grant_type, assertion: @profile.assertion }
+      end
+    end
+  end
+end

data/lib/oauth2c/grants/authorization_code.rb

@@ -0,0 +1,29 @@
+# Copyright 2017 Doximity, Inc. <support@doximity.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module OAuth2c
+  module Grants
+    class AuthorizationCode < ThreeLegged::Base
+      protected
+
+      def authz_params
+        { response_type: "code" }
+      end
+
+      def token_params(code:, **_)
+        { grant_type: "authorization_code", code: code }
+      end
+    end
+  end
+end

data/lib/oauth2c/grants/client_credentials.rb

@@ -0,0 +1,25 @@
+# Copyright 2017 Doximity, Inc. <support@doximity.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module OAuth2c
+  module Grants
+    class ClientCredentials < OAuth2c::TwoLegged::Base
+      protected
+
+      def token_params
+        { grant_type: "client_credentials" }
+      end
+    end
+  end
+end

data/lib/oauth2c/grants/implicit.rb

@@ -0,0 +1,33 @@
+# Copyright 2017 Doximity, Inc. <support@doximity.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module OAuth2c
+  module Grants
+    class Implicit < OAuth2c::ThreeLegged::Base
+      using Refinements
+
+      def token(callback_url)
+        super(callback_url) do |_, fragment_params|
+          AccessToken.new(**fragment_params)
+        end
+      end
+
+      protected
+
+      def authz_params
+        { response_type: "token" }
+      end
+    end
+  end
+end

data/lib/oauth2c/grants/refresh_token.rb

@@ -0,0 +1,30 @@
+# Copyright 2017 Doximity, Inc. <support@doximity.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module OAuth2c
+  module Grants
+    class RefreshToken < OAuth2c::TwoLegged::Base
+      def initialize(agent, refresh_token:)
+        super(agent)
+        @refresh_token = refresh_token
+      end
+
+      protected
+
+      def token_params
+        { grant_type: "refresh_token", refresh_token: @refresh_token }
+      end
+    end
+  end
+end

data/lib/oauth2c/grants/resource_owner_credentials.rb

@@ -0,0 +1,31 @@
+# Copyright 2017 Doximity, Inc. <support@doximity.com>
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+module OAuth2c
+  module Grants
+    class ResourceOwnerCredentials < OAuth2c::TwoLegged::Base
+      def initialize(agent, username:, password:)
+        super(agent)
+        @username = username
+        @password = password
+      end
+
+      protected
+
+      def token_params
+        { grant_type: "password", username: @username, password: @password }
+      end
+    end
+  end
+end