oo_auth 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e5200d37778ac2220a1003d8551caf8c12d69fbd
+  data.tar.gz: 5a10c0b125e737c49ca54ae444f9205bb06671e3
+SHA512:
+  metadata.gz: d4f0c1423e3e41f26ff2bce7acdb83cb42a7b623732385d7259a0cb88f722eb8b8779b2481aded7f454c197e2f47c94d4b00ef88fa39b83ade09323e1399a6ea
+  data.tar.gz: 32d8a1dc341e408ca95fcb50fec6fa58a7621309ea7c95de0286c9a64013b08e5b0315ac5f4f236e6e007e9567fbf6b7e941d93867d306932070dd85d6fd9444

data/CHANGELOG

@@ -0,0 +1,3 @@
+0.0.1 - 2013-11-06
+
+* First release

data/LICENSE

@@ -0,0 +1,20 @@
+The MIT License (MIT)
+
+Copyright (c) 2013 Matthias Grosser
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the "Software"), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,95 @@
+[![Gem Version](https://badge.fury.io/rb/oo_auth.png)](http://badge.fury.io/rb/oo_auth) [![Code Climate](https://codeclimate.com/github/mtgrosser/oo_auth.png)](https://codeclimate.com/github/mtgrosser/oo_auth)
+
+# oo_auth
+
+OAuth Out Of Band - Sign, verify and authorize OAuth requests
+
+OoAuth is a stripped-down implementation of the OAuth 1.0a protocol.
+
+It only cares for signing and verifying OAuth requests, supporting both
+```Net::HTTP``` and  ```ActionDispatch::Request```.
+
+OoAuth does not include any models or controllers dealing with token and
+secret exchange, storage or lookup. Instead, it offers a simplistic API
+where you can hook your own implementations as desired.
+
+OoAuth comes with optional Redis support for short-time high performance storage
+of OAuth nonces.
+
+It can be used for implementing OAuth consumers as well as providers.
+
+## Install
+
+In your Gemfile:
+
+```ruby
+gem 'oo_auth'
+```
+
+## Prerequisites
+
+OoAuth requires your application to provide stores for authorization tokens 
+and OAuth nonces.
+
+OoAuth stores can be simple lambdas or regular ruby objects.
+
+### Authorization store
+
+The authorization store should return an instance of ```OoAuth::Credentials```.
+It can either be a lambda or an object implementing the `authorization` method.
+
+```ruby
+# your own implementation in SomeClass model
+OoAuth.authorization_store = lambda { |consumer_key, token| SomeClass.find_by_tokens(consumer_key, token) }
+```
+```ruby
+# direct lookup
+OoAuth.authorization_store = User
+```
+### Nonce store
+```ruby
+require 'oo_auth/nonce/redis_store'
+
+OoAuth.nonce_store = OoAuth::Nonce::RedisStore.new(namespace: 'foobar')
+```
+## Use
+
+### OAuth consumer
+
+```ruby
+http = Net::HTTP.new('photos.example.net', Net::HTTP.http_default_port)
+request = Net::HTTP::Get.new('/photos?file=vacation.jpg&size=original')
+
+credentials = OoAuth::Credentials.new('consumer_key',
+                                      'consumer_secret',
+                                      'access_token',
+                                      'access_token_secret')
+
+OoAuth.sign!(http, request, credentials)
+
+request['Authorization']
+=> "OAuth oauth_version=\"1.0\", oauth_nonce=\"ly9V24IvFMhEGSlGW1tPniUVnVzQkWvn4W6Bwtmc4\", oauth_timestamp=\"1384116351\", oauth_signature_method=\"HMAC-SHA1\", oauth_consumer_key=\"consumer_key\", oauth_token=\"access_token\", oauth_signature=\"5G1ktyWhicZGnSu2AKkjok9%2BMPo%3D\""
+```
+
+### OAuth provider
+
+```ruby
+class FoobarController < ApplicationController
+
+  before_filter :oauth_required
+
+  private
+  
+  def oauth_required
+    if authorization = OoAuth.authorize!(request)
+      self.current_user = authorization.user
+    else
+      render nothing: true, status: 401
+    end
+  end
+```
+
+
+## TODO
+
+* Support POST body signing

data/lib/oo_auth/configuration_error.rb

@@ -0,0 +1,3 @@
+module OoAuth
+  class ConfigurationError < StandardError; end
+end

data/lib/oo_auth/constants.rb

@@ -0,0 +1,19 @@
+module OoAuth
+  
+  # request tokens are passed between the consumer and the provider out of
+  # band (i.e. callbacks cannot be used), per section 6.1.1
+  OUT_OF_BAND = 'oob'
+
+  # FIXME: ordering
+  # required parameters, per sections 6.1.1, 6.3.1, and 7
+  PARAMETERS = %w(oauth_callback oauth_consumer_key oauth_token oauth_signature_method oauth_timestamp oauth_nonce oauth_verifier oauth_version oauth_signature oauth_body_hash)
+
+  # reserved character regexp, per section 5.1
+  RESERVED_CHARACTERS = /[^a-zA-Z0-9\-\.\_\~]/
+  
+  # OoAuth only supports HMAC-SHA1
+  SIGNATURE_METHOD = 'HMAC-SHA1'
+  
+  MAX_TIMESTAMP_DEVIATION = 5 * 60
+  
+end

data/lib/oo_auth/credentials.rb

@@ -0,0 +1,22 @@
+module OoAuth
+  class Credentials
+    AUTH_ATTRIBUTES = [:consumer_key, :consumer_secret, :token, :token_secret] 
+  
+    attr_reader *AUTH_ATTRIBUTES
+    
+    class << self
+      def generate
+        new(*4.times.collect { OoAuth.generate_key })
+      end
+    end
+
+    def initialize(consumer_key, consumer_secret, token, token_secret)
+      @consumer_key, @consumer_secret, @token, @token_secret = consumer_key, consumer_secret, token, token_secret
+    end
+    
+    def attributes
+      AUTH_ATTRIBUTES.inject({}) { |hsh, attr| hsh.update(attr => send(attr)) }
+    end
+    
+  end
+end

data/lib/oo_auth/nonce/abstract_store.rb

@@ -0,0 +1,13 @@
+module OoAuth
+  class Nonce
+    class AbstractStore
+  
+      class << self
+        def create(nonce)
+          #
+        end  
+      end
+      
+    end
+  end
+end

data/lib/oo_auth/nonce/redis_store.rb

@@ -0,0 +1,28 @@
+module OoAuth
+  class Nonce
+    class RedisStore < AbstractStore
+      attr_reader :redis, :namespace, :ttl
+
+      def initialize(options = {})
+        options.symbolize_keys!
+        @namespace = options.delete(:namespace)
+        @ttl = options.delete(:ttl) || 15.minutes
+        @redis = Redis.new(options)
+      end
+
+      def create(nonce)
+        return nonce if @redis.set(key(nonce), '1', { nx: true, ex: ttl })
+        false
+      rescue Errno::ECONNREFUSED
+        false
+      end
+      
+      protected
+
+      def key(nonce)
+        "#{@namespace}:oo_auth_nonce:#{nonce.timestamp}:#{nonce.value}"
+      end      
+      
+    end
+  end
+end

data/lib/oo_auth/nonce.rb

@@ -0,0 +1,48 @@
+module OoAuth
+  class Nonce
+    MAX_LENGTH = 255
+    
+    attr_reader :value, :timestamp, :errors
+    
+    class << self
+      def store
+        OoAuth.nonce_store || fail(ConfigurationError, 'no nonce store set')
+      end
+
+      def create(nonce)
+        if store.respond_to?(:call)
+          store.call(nonce)
+        elsif store.respond_to?(:create)
+          store.create(nonce)
+        else
+          fail ConfigurationError, 'nonce store not callable'
+        end
+      end
+
+      def remember(value, timestamp)
+        new(value, timestamp).save
+      end
+            
+      def generate
+        new(OoAuth.generate_nonce, Time.now.utc.to_i)
+      end
+    end
+    
+    def initialize(value, timestamp)
+      @value, @timestamp = value, timestamp.to_i
+    end
+    
+    def valid?
+      @errors = []
+      @errors << 'nonce value cannot be blank' if value.to_s == ''
+      @errors << 'nonce value too big' if value.size > MAX_LENGTH
+      @errors << 'illegal nonce timestamp' if timestamp <= 0
+      @errors.empty?
+    end
+    
+    def save
+      !!(valid? && self.class.create(self))
+    end
+    
+  end
+end

data/lib/oo_auth/request_proxy.rb

@@ -0,0 +1,135 @@
+module OoAuth
+  class RequestProxy
+
+    attr_reader :port, :ssl, :host, :path, :headers, :method, :body
+
+    class << self
+      
+      
+      # Parse an Authorization / WWW-Authenticate header into a hash. Takes care of unescaping and
+      # removing surrounding quotes. Raises a OAuth::Problem if the header is not parsable into a
+      # valid hash. Does not validate the keys or values.
+      #
+      #   hash = parse(headers['Authorization'] || headers['WWW-Authenticate'])
+      #   hash['oauth_timestamp']
+      #     #=>"1234567890"
+      #
+      def parse(header)
+        header = header.to_s
+        return unless header.start_with?('OAuth ')
+        # decompose
+        params = header[6, header.length].split(',').inject({}) do |hsh, str|
+          key, value = str.split('=').map { |s| OoAuth.unescape(s.strip) }
+          if PARAMETERS.include?(key)
+            hsh[key] = value.sub(/^\"(.*)\"$/, '\1')
+          end
+          hsh
+        end
+      end
+    end
+  
+    def initialize(*args)
+      case args.size
+      when 1 # ActionDispatch request
+        request = args[0]
+        @port = request.port
+        @ssl = request.ssl?
+        @path = request.fullpath
+        @host = request.host
+        @headers = request.headers
+      when 2 # Net:HTTP request
+        http, request = args[0], args[1]
+        @port = http.port
+        @ssl = http.use_ssl?
+        @path = request.path
+        @host = http.address
+        @headers = request
+      else
+        raise ArgumentError, 'wrong number of arguments'
+      end
+      @method = request.method
+      @body = request.body
+    end
+    
+    def normalized_request_uri
+      if self.port == Net::HTTP.default_port
+        scheme, port = :http, nil
+      elsif self.port == Net::HTTP.https_default_port
+        scheme, port = :https, nil
+      elsif ssl
+        scheme, port = :https, self.port
+      else
+        scheme, port = :http, self.port
+      end
+
+      uri = "#{scheme}://#{host.downcase}"
+      uri += ":#{port}" if port
+      uri += path.split('?').first
+      uri
+    end
+    
+    def oauth_params
+      self.class.parse(authorization)
+    end
+    
+    def oauth_params_without_signature
+      params = oauth_params
+      params.delete('oauth_signature')
+      params
+    end
+    
+    def authorization
+      headers['Authorization']
+    end
+    
+    def authorization=(header)
+      headers['Authorization'] = header
+    end
+    
+    PARAMETERS.each do |parameter|
+      define_method "#{parameter[6..-1]}" do
+        oauth_params[parameter]
+      end
+    end
+    
+    def post?
+      'POST' == method
+    end
+    
+    def signature_base_string(params = {})
+      encoded_params = params_encode(params_array(self) + params_array(params))
+      OoAuth.encode(method, normalized_request_uri, encoded_params)
+    end
+
+    # FIXME: cf nested params implementation in oauth gem
+    # TODO: support oauth body signature for non-formencoded content types
+    def params_array(object)
+      case object
+      when Array then object
+      when Hash then object.to_a
+      when RequestProxy
+        tmp = object.path.split('?')
+        params = tmp[1] ? params_decode(tmp[1]) : []
+        if object.post? && object.headers['Content-Type'].to_s.start_with?('application/x-www-form-urlencoded')
+          params.concat params_decode(object.body)
+        end
+        params
+      else
+        raise "error: cannot convert #{object.class} object to params array"
+      end
+    end
+
+    def params_decode(string)
+      string.split('&').each_with_object([]) do |param, array|
+        k, v = *param.split('=')
+        array << [OoAuth.unescape(k), v && OoAuth.unescape(v)]
+      end
+    end
+
+    # cf. http://tools.ietf.org/html/rfc5849#section-3.4.1.3.2
+    def params_encode(params)
+      params.map { |k, v| [OoAuth.escape(k), OoAuth.escape(v)] }.sort.map { |k, v| "#{k}=#{v}" }.join('&')
+    end
+
+  end
+end

data/lib/oo_auth/signature.rb

@@ -0,0 +1,55 @@
+module OoAuth
+  module Signature
+
+    class << self
+      def hmac_sha1_signature(base_string, consumer_secret, token_secret)
+        Base64.strict_encode64(OpenSSL::HMAC.digest(OpenSSL::Digest::SHA1.new, OoAuth.encode(consumer_secret, token_secret), base_string))
+      end
+
+      def calculate_signature(proxy, credentials, params)
+        hmac_sha1_signature(proxy.signature_base_string(params), credentials.consumer_secret, credentials.token_secret)
+      end
+
+      def sign!(proxy, credentials)
+        params = {
+          oauth_version: '1.0',
+          oauth_nonce: OoAuth.generate_nonce,
+          oauth_timestamp: OoAuth.timestamp,
+          oauth_signature_method: SIGNATURE_METHOD,
+          oauth_consumer_key: credentials.consumer_key,
+          oauth_token: credentials.token
+        }
+      
+        params[:oauth_signature] = calculate_signature(proxy, credentials, params)
+
+        proxy.authorization = authorization_header(params)
+      end
+      
+      # Check signature validity without remembering nonce - DO NOT use to authorize actual requests
+      def valid?(proxy, credentials)
+        verify_timestamp!(proxy) &&
+        calculate_signature(proxy, credentials, proxy.oauth_params_without_signature) == proxy.signature
+      end
+      
+      # Verify signature and remember nonce - use this to authorize actual requests
+      def verify!(proxy, credentials)
+        valid?(proxy, credentials) && remember_nonce!(proxy)
+      end
+      
+      private
+      
+      def verify_timestamp!(proxy)
+        (OoAuth.timestamp - proxy.timestamp.to_i).abs < MAX_TIMESTAMP_DEVIATION
+      end
+
+      def remember_nonce!(proxy)
+        Nonce.remember(proxy.nonce, proxy.timestamp)
+      end
+      
+      def authorization_header(params)
+        'OAuth ' + params.map { |k, v| "#{OoAuth.escape(k)}=\"#{OoAuth.escape(v)}\"" }.join(', ')
+      end
+      
+    end
+  end
+end

data/lib/oo_auth/version.rb

@@ -0,0 +1,3 @@
+module OoAuth
+  VERSION = '0.0.1'
+end

data/lib/oo_auth.rb

@@ -0,0 +1,94 @@
+require 'openssl'
+require 'uri'
+require 'net/http'
+require 'base64'
+
+require 'oo_auth/version'
+require 'oo_auth/constants'
+require 'oo_auth/configuration_error'
+require 'oo_auth/nonce'
+require 'oo_auth/nonce/abstract_store'
+require 'oo_auth/request_proxy'
+require 'oo_auth/credentials'
+require 'oo_auth/signature'
+
+module OoAuth
+  
+  class << self
+  # Initialize with instance of store
+  # OoAuth.nonce_store = OoAuth::Nonce::RedisStore.new(namespace: 'foo')
+    attr_accessor :nonce_store
+
+  
+    # Define a lookup method for access token verification
+    # It should be callable (proc) or provide an +authorization+ method,
+    # with the argument being the consumer key and token.
+    # The proc or method call should return
+    # - if the consumer key/token combination exists:
+    #   an object which responding to +credentials+ with an 
+    #   initialized instance of 
+    #   OoAuth::Credentials
+    # - nil otherwise.
+    attr_accessor :authorization_store
+    
+    # Generate a random key of up to +size+ bytes. The value returned is Base64 encoded with non-word
+    # characters removed.
+    def generate_key(size = 32)
+      Base64.encode64(OpenSSL::Random.random_bytes(size)).gsub(/\W/, '')
+    end
+
+    alias_method :generate_nonce, :generate_key
+    
+    # Escape +value+ by URL encoding all non-reserved character.
+    #
+    # See Also: {OAuth core spec version 1.0, section 5.1}[http://oauth.net/core/1.0#rfc.section.5.1]
+    def escape(value)
+      URI.escape(value.to_s, RESERVED_CHARACTERS)
+    rescue ArgumentError
+      URI.escape(value.to_s.force_encoding(Encoding::UTF_8), RESERVED_CHARACTERS)
+    end
+
+    def unescape(value)
+      URI.unescape(value.gsub('+', '%2B'))
+    end
+    
+    # cf. http://tools.ietf.org/html/rfc5849#section-3.4.1.1
+    # cf. http://tools.ietf.org/html/rfc5849#section-3.4.4
+    def encode(*components)
+      components.map { |component| OoAuth.escape(component) }.join('&')
+    end
+    
+    # Current UTC timestamp
+    def timestamp
+      Time.now.utc.to_i
+    end
+    
+    def authorization(consumer_key, token)
+      if authorization_store.respond_to?(:call)
+        authorization_store.call(consumer_key, token)
+      elsif authorization_store.respond_to?(:authorization)
+        authorization_store.authorization(consumer_key, token)
+      else
+        fail ConfigurationError, 'authorization store not callable'
+      end
+    end
+    
+    # Use this to sign Net::HTTP or ActionDispatch requests
+    def sign!(*args)
+      credentials = args.pop
+      proxy = RequestProxy.new(*args)
+      Signature.sign!(proxy, credentials)
+    end      
+    
+    # Use this in your controllers to verify the OAuth signature
+    # of a request.
+    def authorize!(*args)
+      proxy = RequestProxy.new(*args)
+      return unless authorization = self.authorization(proxy.consumer_key, proxy.token)
+      return unless Signature.verify!(proxy, authorization.credentials)
+      authorization
+    end
+    
+  end
+  
+end

metadata

@@ -0,0 +1,126 @@
+--- !ruby/object:Gem::Specification
+name: oo_auth
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Matthias Grosser
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2013-11-04 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: byebug
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 0.8.7
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: 0.8.7
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '4.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '4.7'
+- !ruby/object:Gem::Dependency
+  name: timecop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.6.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 0.6.3
+description: Out Of Band OAuth
+email: mtgrosser@gmx.net
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/oo_auth/configuration_error.rb
+- lib/oo_auth/constants.rb
+- lib/oo_auth/credentials.rb
+- lib/oo_auth/nonce/abstract_store.rb
+- lib/oo_auth/nonce/redis_store.rb
+- lib/oo_auth/nonce.rb
+- lib/oo_auth/request_proxy.rb
+- lib/oo_auth/signature.rb
+- lib/oo_auth/version.rb
+- lib/oo_auth.rb
+- LICENSE
+- README.md
+- CHANGELOG
+homepage: http://github.com/mtgrosser/oo_auth
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.0.3
+signing_key: 
+specification_version: 4
+summary: OAuth without the callbacks
+test_files: []