oauthenticator 0.1.4 → 1.0.0

data/lib/oauthenticator/signed_request.rb

@@ -1,4 +1,5 @@
-require 'simple_oauth'
+require 'oauthenticator/signable_request'
+require 'oauthenticator/parse_authorization'
 
 module OAuthenticator
   # this class represents an OAuth signed request. its primary user-facing method is {#errors}, which returns 
@@ -26,26 +27,27 @@ module OAuthenticator
       end
     end
 
-    ATTRIBUTE_KEYS = %w(request_method url body media_type authorization).map(&:freeze).freeze
-    OAUTH_ATTRIBUTE_KEYS = %w(consumer_key token timestamp nonce version signature_method signature).map(&:to_sym).freeze
+    # attributes of a SignedRequest
+    ATTRIBUTE_KEYS = %w(request_method uri body media_type authorization).map(&:freeze).freeze
+
+    # oauth attributes parsed from the request authorization
+    OAUTH_ATTRIBUTE_KEYS = (SignableRequest::PROTOCOL_PARAM_KEYS + %w(signature body_hash)).freeze
 
     # readers 
     ATTRIBUTE_KEYS.each { |attribute_key| define_method(attribute_key) { @attributes[attribute_key] } }
 
     # readers for oauth header parameters 
-    OAUTH_ATTRIBUTE_KEYS.each { |key| define_method(key) { oauth_header_params[key] } }
+    OAUTH_ATTRIBUTE_KEYS.each { |key| define_method(key) { oauth_header_params["oauth_#{key}"] } }
 
     # question methods to indicate whether oauth header parameters were included with a non-blank value in 
     # the Authorization header
     OAUTH_ATTRIBUTE_KEYS.each do |key|
       define_method("#{key}?") do
-        value = oauth_header_params[key]
+        value = oauth_header_params["oauth_#{key}"]
         value.is_a?(String) ? !value.empty? : !!value
       end
     end
 
-    VALID_SIGNATURE_METHODS = %w(HMAC-SHA1 RSA-SHA1 PLAINTEXT).map(&:freeze).freeze
-
     class << self
       # instantiates a `OAuthenticator::SignedRequest` (subclass thereof, more precisely) representing a 
       # request given as a Rack::Request.
@@ -57,7 +59,7 @@ module OAuthenticator
       def from_rack_request(request)
         new({
           :request_method => request.request_method,
-          :url => request.url,
+          :uri => request.url,
           :body => request.body,
           :media_type => request.media_type,
           :authorization => request.env['HTTP_AUTHORIZATION'],
@@ -87,105 +89,134 @@ module OAuthenticator
     #
     # @return [nil, Hash<String, Array<String>>] either nil or a hash of errors
     def errors
-      @errors ||= begin
+      return @errors if instance_variables.any? { |ivar| ivar.to_s == '@errors' }
+      @errors = catch(:errors) do
         if authorization.nil?
-          {'Authorization' => ["Authorization header is missing"]}
+          throw(:errors, {'Authorization' => ["Authorization header is missing"]})
         elsif authorization !~ /\S/
-          {'Authorization' => ["Authorization header is blank"]}
-        elsif authorization !~ /\Aoauth\s/i
-          {'Authorization' => ["Authorization scheme is not OAuth; received Authorization: #{authorization}"]}
+          throw(:errors, {'Authorization' => ["Authorization header is blank"]})
+        end
+
+        begin
+          oauth_header_params
+        rescue OAuthenticator::Error => parse_exception
+          throw(:errors, parse_exception.errors)
+        end
+
+        errors = Hash.new { |h,k| h[k] = [] }
+
+        # timestamp
+        if !timestamp?
+          unless signature_method == 'PLAINTEXT'
+            errors['Authorization oauth_timestamp'] << "is missing"
+          end
+        elsif timestamp !~ /\A\s*\d+\s*\z/
+          errors['Authorization oauth_timestamp'] << "is not an integer - got: #{timestamp}"
         else
-          to_rescue = SimpleOAuth.const_defined?(:ParseError) ? SimpleOAuth::ParseError : StandardError
-          begin
-            oauth_header_params
-          rescue to_rescue
-            parse_exception = $!
+          timestamp_i = timestamp.to_i
+          if timestamp_i < Time.now.to_i - timestamp_valid_past
+            errors['Authorization oauth_timestamp'] << "is too old: #{timestamp}"
+          elsif timestamp_i > Time.now.to_i + timestamp_valid_future
+            errors['Authorization oauth_timestamp'] << "is too far in the future: #{timestamp}"
           end
-          if parse_exception
-            if parse_exception.class.name == 'SimpleOAuth::ParseError'
-              message = parse_exception.message
-            else
-              message = "Authorization header is not a properly-formed OAuth 1.0 header."
-            end
-            {'Authorization' => [message]}
-          else
-            errors = Hash.new { |h,k| h[k] = [] }
+        end
 
-            # timestamp
-            if !timestamp?
-              errors['Authorization oauth_timestamp'] << "is missing"
-            elsif timestamp !~ /\A\s*\d+\s*\z/
-              errors['Authorization oauth_timestamp'] << "is not an integer - got: #{timestamp}"
-            else
-              timestamp_i = timestamp.to_i
-              if timestamp_i < Time.now.to_i - timestamp_valid_past
-                errors['Authorization oauth_timestamp'] << "is too old: #{timestamp}"
-              elsif timestamp_i > Time.now.to_i + timestamp_valid_future
-                errors['Authorization oauth_timestamp'] << "is too far in the future: #{timestamp}"
-              end
-            end
+        # oauth version
+        if version? && version != '1.0'
+          errors['Authorization oauth_version'] << "must be 1.0; got: #{version}"
+        end
 
-            # oauth version
-            if version? && version != '1.0'
-              errors['Authorization oauth_version'] << "must be 1.0; got: #{version}"
-            end
+        # she's filled with secrets
+        secrets = {}
 
-            # she's filled with secrets
-            secrets = {}
+        # consumer / client application
+        if !consumer_key?
+          errors['Authorization oauth_consumer_key'] << "is missing"
+        else
+          secrets[:consumer_secret] = consumer_secret
+          if !secrets[:consumer_secret]
+            errors['Authorization oauth_consumer_key'] << 'is invalid'
+          end
+        end
 
-            # consumer / client application
-            if !consumer_key?
-              errors['Authorization oauth_consumer_key'] << "is missing"
-            else
-              secrets[:consumer_secret] = consumer_secret
-              if !secrets[:consumer_secret]
-                errors['Authorization oauth_consumer_key'] << 'is invalid'
-              end
-            end
+        # token
+        if token?
+          secrets[:token_secret] = token_secret
+          if !secrets[:token_secret]
+            errors['Authorization oauth_token'] << 'is invalid'
+          elsif !token_belongs_to_consumer?
+            errors['Authorization oauth_token'] << 'does not belong to the specified consumer'
+          end
+        end
 
-            # access token
-            if token?
-              secrets[:token_secret] = access_token_secret
-              if !secrets[:token_secret]
-                errors['Authorization oauth_token'] << 'is invalid'
-              elsif !access_token_belongs_to_consumer?
-                errors['Authorization oauth_token'] << 'does not belong to the specified consumer'
-              end
-            end
+        # nonce
+        if !nonce?
+          unless signature_method == 'PLAINTEXT'
+            errors['Authorization oauth_nonce'] << "is missing"
+          end
+        elsif nonce_used?
+          errors['Authorization oauth_nonce'] << "has already been used"
+        end
 
-            # nonce
-            if !nonce?
-              errors['Authorization oauth_nonce'] << "is missing"
-            elsif nonce_used?
-              errors['Authorization oauth_nonce'] << "has already been used"
-            end
+        # signature method
+        if !signature_method?
+          errors['Authorization oauth_signature_method'] << "is missing"
+        elsif !allowed_signature_methods.any? { |sm| signature_method.downcase == sm.downcase }
+          errors['Authorization oauth_signature_method'] << "must be one of " +
+            "#{allowed_signature_methods.join(', ')}; got: #{signature_method}"
+        end
 
-            # signature method
-            if !signature_method?
-              errors['Authorization oauth_signature_method'] << "is missing"
-            elsif !allowed_signature_methods.any? { |sm| signature_method.downcase == sm.downcase }
-              errors['Authorization oauth_signature_method'] << "must be one of " +
-                "#{allowed_signature_methods.join(', ')}; got: #{signature_method}"
-            end
+        # signature
+        if !signature?
+          errors['Authorization oauth_signature'] << "is missing"
+        end
 
-            # signature
-            if !signature?
-              errors['Authorization oauth_signature'] << "is missing"
-            end
+        signable_request = SignableRequest.new(@attributes.merge(secrets).merge('authorization' => oauth_header_params))
 
-            if errors.any?
-              errors
-            else
-              # proceed to check signature
-              if !simple_oauth_header.valid?(secrets)
-                {'Authorization oauth_signature' => ['is invalid']}
+        # body hash
+
+        # present?
+        if body_hash?
+          # allowed?
+          if !signable_request.form_encoded?
+            # applicable?
+            if SignableRequest::BODY_HASH_METHODS.key?(signature_method)
+              # correct?
+              if body_hash == signable_request.body_hash
+                # all good
               else
-                use_nonce!
-                nil
+                errors['Authorization oauth_body_hash'] << "is invalid"
               end
+            else
+              # received a body hash with plaintext. weird situation - we will ignore it; signature will not 
+              # be verified but it will be a part of the signature. 
+            end
+          else
+            errors['Authorization oauth_body_hash'] << "must not be included with form-encoded requests"
+          end
+        else
+          # allowed?
+          if !signable_request.form_encoded?
+            # required?
+            if body_hash_required?
+              errors['Authorization oauth_body_hash'] << "is required (on non-form-encoded requests)"
+            else
+              # okay - not supported by client, but allowed
             end
+          else
+            # all good
           end
         end
+
+        throw(:errors, errors) if errors.any?
+
+        # proceed to check signature
+        unless self.signature == signable_request.signature
+          throw(:errors, {'Authorization oauth_signature' => ['is invalid']})
+        end
+
+        use_nonce!
+        nil
       end
     end
 
@@ -196,36 +227,16 @@ module OAuthenticator
 
     # hash of header params. keys should be a subset of OAUTH_ATTRIBUTE_KEYS.
     def oauth_header_params
-      @oauth_header_params ||= SimpleOAuth::Header.parse(authorization)
-    end
-
-    # reads the request body, be it String or IO 
-    def read_body
-      if body.is_a?(String)
-        body
-      elsif body.respond_to?(:read) && body.respond_to?(:rewind)
-        body.rewind
-        body.read.tap do
-          body.rewind
-        end
-      else
-        raise NotImplementedError, "body = #{body.inspect}"
-      end
-    end
-
-    # SimpleOAuth::Header for this request
-    def simple_oauth_header
-      params = media_type == "application/x-www-form-urlencoded" ? CGI.parse(read_body).map{|k,vs| vs.map{|v| [k,v] } }.inject([], &:+) : nil
-      simple_oauth_header = SimpleOAuth::Header.new(request_method, url, params, authorization)
+      @oauth_header_params ||= OAuthenticator.parse_authorization(authorization)
     end
 
     # raise a nice error message for a method that needs to be implemented on a module of config methods 
     def config_method_not_implemented
       caller_name = caller[0].match(%r(in `(.*?)'))[1]
-      using_middleware = caller.any? { |l| l =~ %r(oauthenticator/middleware.rb:.*`call') }
+      using_middleware = caller.any? { |l| l =~ %r(oauthenticator/rack_authenticator.rb:.*`call') }
       message = "method \##{caller_name} must be implemented on a module of oauth config methods, which is " + begin
         if using_middleware
-          "passed to OAuthenticator::Middleware using the option :config_methods."
+          "passed to OAuthenticator::RackAuthenticator using the option :config_methods."
         else
           "included in a subclass of OAuthenticator::SignedRequest, typically by passing it to OAuthenticator::SignedRequest.including_config(your_module)."
         end

data/lib/oauthenticator/version.rb

@@ -1,3 +1,5 @@
+# OAuthenticator 
 module OAuthenticator
-  VERSION = "0.1.4"
+  # OAuthenticator::VERSION
+  VERSION = "1.0.0"
 end

data/test/config_methods_test.rb

@@ -3,7 +3,7 @@ proc { |p| $:.unshift(p) unless $:.any? { |lp| File.expand_path(lp) == p } }.cal
 require 'helper'
 
 describe OAuthenticator::SignedRequest do
-  %w(timestamp_valid_period consumer_secret access_token_secret nonce_used? use_nonce! access_token_belongs_to_consumer?).each do |method_without_default|
+  %w(timestamp_valid_period consumer_secret token_secret nonce_used? use_nonce! token_belongs_to_consumer?).each do |method_without_default|
     it "complains when #{method_without_default} is not implemented" do
       exc = assert_raises(NotImplementedError) do
         OAuthenticator::SignedRequest.new({}).public_send(method_without_default)
@@ -17,15 +17,15 @@ describe OAuthenticator::SignedRequest do
       assert called
     end
   end
-  it "complains when a method without a default is not implemented, using middleware" do
+  it "complains when a method without a default is not implemented, using RackAuthenticator" do
     exc = assert_raises(NotImplementedError) do
-      OAuthenticator::Middleware.new(proc {}, {:config_methods => Module.new}).call({'HTTP_AUTHORIZATION' => %q(OAuth oauth_timestamp="1")})
+      OAuthenticator::RackAuthenticator.new(proc {}, {:config_methods => Module.new}).call({'HTTP_AUTHORIZATION' => %q(OAuth oauth_timestamp="1")})
     end
-    assert_match /passed to OAuthenticator::Middleware using the option :config_methods./, exc.message
+    assert_match /passed to OAuthenticator::RackAuthenticator using the option :config_methods./, exc.message
   end
-  it "complains middleware is not given config methods" do
+  it "complains RackAuthenticator is not given config methods" do
     assert_raises(ArgumentError) do
-      OAuthenticator::Middleware.new(proc {})
+      OAuthenticator::RackAuthenticator.new(proc {})
     end
   end
   it 'uses timestamp_valid_period if that is implemented but timestamp_valid_past or timestamp_valid_future is not' do
@@ -36,6 +36,9 @@ describe OAuthenticator::SignedRequest do
     assert_equal 2, called
   end
   it 'uses the default value for allowed signature methods' do
-    assert_equal OAuthenticator::SignedRequest::VALID_SIGNATURE_METHODS, OAuthenticator::SignedRequest.new({}).allowed_signature_methods
+    assert_equal %w(RSA-SHA1 HMAC-SHA1 PLAINTEXT), OAuthenticator::SignedRequest.new({}).allowed_signature_methods
+  end
+  it 'uses default value for body_hash_required?' do
+    assert_equal false, OAuthenticator::SignedRequest.new({}).body_hash_required?
   end
 end

data/test/faraday_signer_test.rb

@@ -0,0 +1,65 @@
+# encoding: utf-8
+proc { |p| $:.unshift(p) unless $:.any? { |lp| File.expand_path(lp) == p } }.call(File.expand_path('.', File.dirname(__FILE__)))
+require 'helper'
+
+# not going to test a ton here, since the Faraday middleware mostly just calls to SignableRequest which is 
+# rather well-tested 
+describe OAuthenticator::FaradaySigner do
+  def assert_response(expected_status, expected_body, faraday_response)
+    assert_equal expected_status.to_i, faraday_response.status.to_i, "Expected status to be #{expected_status.inspect}" +
+      "; got #{faraday_response.status.inspect}. body was: #{faraday_response.body}"
+    assert expected_body === faraday_response.body, "Expected match for #{expected_body}; got #{faraday_response.body}"
+  end
+
+  it 'succeeds' do
+    signing_options = {
+      :signature_method => 'PLAINTEXT',
+      :consumer_key => consumer_key,
+      :consumer_secret => consumer_secret,
+      :token => token,
+      :token_secret => token_secret,
+    }
+
+    connection = Faraday.new(:url => 'http://example.com') do |faraday|
+      faraday.request :oauthenticator_signer, signing_options
+      faraday.adapter :rack, oapp
+    end
+    response = connection.get '/'
+    assert_response 200, '☺', response
+  end
+
+  it 'succeeds with form-encoded with HMAC' do
+    signing_options = {
+      :signature_method => 'HMAC-SHA1',
+      :consumer_key => consumer_key,
+      :consumer_secret => consumer_secret,
+      :token => token,
+      :token_secret => token_secret,
+    }
+
+    connection = Faraday.new(:url => 'http://example.com') do |faraday|
+      faraday.request :url_encoded
+      faraday.request :oauthenticator_signer, signing_options
+      faraday.adapter :rack, oapp
+    end
+    response = connection.put('/', :foo => {:bar => :baz})
+    assert_response 200, '☺', response
+  end
+
+  it 'is unauthorized' do
+    signing_options = {
+      :signature_method => 'PLAINTEXT',
+      :consumer_key => consumer_key,
+      :consumer_secret => 'nope',
+      :token => token,
+      :token_secret => 'definitelynot',
+    }
+
+    connection = Faraday.new(:url => 'http://example.com') do |faraday|
+      faraday.request :oauthenticator_signer, signing_options
+      faraday.adapter :rack, oapp
+    end
+    response = connection.get '/'
+    assert_response 401, /Authorization oauth_signature.*is invalid/m, response
+  end
+end

data/test/helper.rb

@@ -2,11 +2,10 @@ proc { |p| $:.unshift(p) unless $:.any? { |lp| File.expand_path(lp) == p } }.cal
 
 require 'simplecov'
 
-require 'debugger'
-Debugger.start
+require 'byebug'
 
 # NO EXPECTATIONS 
-ENV["MT_NO_EXPECTATIONS"]
+ENV["MT_NO_EXPECTATIONS"] = ''
 
 require 'minitest/autorun'
 require 'minitest/reporters'
@@ -16,3 +15,16 @@ require 'rack/test'
 require 'timecop'
 
 require 'oauthenticator'
+
+require 'test_config_methods'
+
+class OAuthenticatorConfigSpec < Minitest::Spec
+  after do
+    Timecop.return
+  end
+
+  include TestHelperMethods
+end
+
+# register this to be the base class for specs instead of Minitest::Spec
+Minitest::Spec.register_spec_type(//, OAuthenticatorConfigSpec)