rack-oauth2-server 1.0.beta

data/Rakefile

@@ -0,0 +1,60 @@
+require "rake/testtask"
+require "yard"
+
+spec = Gem::Specification.load(Dir["*.gemspec"].first)
+
+desc "Build the Gem"
+task :build do
+  sh "gem build #{spec.name}.gemspec"
+end
+
+desc "Install #{spec.name} locally"
+task :install=>:build do
+  sudo = "sudo" unless File.writable?( Gem::ConfigMap[:bindir])
+  sh "#{sudo} gem install #{spec.name}-#{spec.version}.gem"
+end
+
+desc "Push new release to gemcutter and git tag"
+task :push=>["test:all", "build"] do
+  sh "git push"
+  puts "Tagging version #{spec.version} .."
+  sh "git tag v#{spec.version}"
+  sh "git push --tag"
+  puts "Building and pushing gem .."
+  sh "gem push #{spec.name}-#{spec.version}.gem"
+end
+
+desc "Run all tests"
+Rake::TestTask.new do |task|
+  task.test_files = FileList['test/*_test.rb']
+  if Rake.application.options.trace
+    #task.warning = true
+    task.verbose = true
+  elsif Rake.application.options.silent
+    task.ruby_opts << "-W0"
+  else
+    task.verbose = true
+  end
+    task.ruby_opts << "-I."
+end
+
+namespace :test do
+  task :all=>["test:sinatra", "test:rails2"]
+  desc "Run all tests against Sinatra"
+  task :sinatra do
+    sh "rake test FRAMEWORK=sinatra"
+  end
+  desc "Run all tests against Rails 2.3.x"
+  task :rails2 do
+    sh "rake test FRAMEWORK=rails2"
+  end
+end
+task :default=>"test:all"
+
+YARD::Rake::YardocTask.new do |doc|
+  doc.files = FileList["lib/**/*.rb"]
+end
+
+task :clobber do
+  rm_rf %w{doc .yardoc *.gem}
+end

data/lib/rack-oauth2-server.rb

@@ -0,0 +1 @@
+require "rack/oauth2/server"

data/lib/rack/oauth2/models.rb

@@ -0,0 +1,37 @@
+require "mongo"
+require "openssl"
+
+
+require "rack/oauth2/models/client"
+require "rack/oauth2/models/auth_request"
+require "rack/oauth2/models/access_grant"
+require "rack/oauth2/models/access_token"
+
+module Rack
+  module OAuth2
+    class Server
+
+      class << self
+        # A Mongo::DB object.
+        attr_accessor :database
+        
+        # Create new instance of the klass and populate its attributes.
+        def new_instance(klass, fields)
+          return unless fields
+          instance = klass.new
+          fields.each do |name, value|
+            instance.instance_variable_set :"@#{name}", value
+          end
+          instance
+        end
+
+        # Long, random and hexy.
+        def secure_random
+          OpenSSL::Random.random_bytes(32).unpack("H*")[0]
+        end
+
+      end
+
+    end
+  end
+end

data/lib/rack/oauth2/models/access_grant.rb

@@ -0,0 +1,75 @@
+module Rack
+  module OAuth2
+    class Server
+
+      # The access grant is a nonce, new grant created each time we need it and
+      # good for redeeming one access token.
+      class AccessGrant
+        class << self
+          # Find AccessGrant from authentication code.
+          def from_code(code)
+            Server.new_instance self, collection.find_one({ :_id=>code, :revoked=>nil })
+          end
+
+          # Create a new access grant.
+          def create(resource, scope, client_id, redirect_uri)
+            fields = { :_id=>Server.secure_random, :resource=>resource, :scope=>scope, :client_id=>client_id, :redirect_uri=>redirect_uri,
+                       :created_at=>Time.now.utc, :granted_at=>nil, :access_token=>nil, :revoked=>nil }
+            collection.insert fields
+            Server.new_instance self, fields
+          end
+
+          def collection
+            Server.database["oauth2.access_grants"]
+          end
+        end
+
+        # Authorization code. We are nothing without it.
+        attr_reader :_id
+        alias :code :_id
+        # The resource we authorized access to.
+        attr_reader :resource
+        # Client that was granted this access token.
+        attr_reader :client_id
+        # Redirect URI for this grant.
+        attr_reader :redirect_uri
+        # The scope granted in this token.
+        attr_reader :scope
+        # Does what it says on the label.
+        attr_reader :created_at
+        # Tells us when (and if) access token was created.
+        attr_accessor :granted_at
+        # Access token created from this grant. Set and spent.
+        attr_accessor :access_token
+        # Timestamp if revoked.
+        attr_accessor :revoked
+
+        # Authorize access and return new access token.
+        #
+        # Access grant can only be redeemed once, but client can make multiple
+        # requests to obtain it, so we need to make sure only first request is
+        # successful in returning access token, futher requests raise
+        # InvalidGrantError.
+        def authorize!
+          raise InvalidGrantError if self.access_token || self.revoked
+          access_token = AccessToken.get_token_for(resource, scope, client_id)
+          self.access_token = access_token.token
+          self.granted_at = Time.now.utc
+          self.class.collection.update({ :_id=>code, :access_token=>nil, :revoked=>nil }, { :$set=>{ :granted_at=>granted_at, :access_token=>access_token.token } }, :safe=>true)
+          reload = self.class.collection.find_one({ :_id=>code, :revoked=>nil }, { :fields=>%w{access_token} })
+          raise InvalidGrantError unless reload && reload["access_token"] == access_token.token
+          return access_token
+        end
+
+        def revoke!
+          self.class.collection.update({ :_id=>code, :revoked=>nil }, { :$set=>{ :revoked=>Time.now.utc } })
+        end
+
+        # Allows us to kill all pending grants on behalf of client/resource.
+        #collection.create_index [[:client_id, Mongo::ASCENDING]]
+        #collection.create_index [[:resource, Mongo::ASCENDING]]
+      end
+
+    end
+  end
+end

data/lib/rack/oauth2/models/access_token.rb

@@ -0,0 +1,65 @@
+module Rack
+  module OAuth2
+    class Server
+
+      # Access token. This is what clients use to access resources.
+      #
+      # An access token is a unique code, associated with a client, a resource
+      # and scope. It may be revoked, or expire after a certain period.
+      class AccessToken
+        class << self
+          # Find AccessToken from token. Does not return revoked tokens.
+          def from_token(token)
+            Server.new_instance self, collection.find_one({ :_id=>token, :revoked=>nil })
+          end
+
+          # Get an access token (create new one if necessary).
+          def get_token_for(resource, scope, client_id)
+            unless token = collection.find_one({ :resource=>resource, :scope=>scope, :client_id=>client_id })
+              token = { :_id=>Server.secure_random, :resource=>resource, :scope=>scope, :client_id=>client_id,
+                        :created_at=>Time.now.utc, :expires_at=>nil, :revoked=>nil }
+              collection.insert token
+            end
+            Server.new_instance self, token
+          end
+
+          # Find all AccessTokens for a resource.
+          def from_resource(resource)
+            collection.find({ :resource=>resource }).map { |fields| Server.new_instance self, fields }
+          end
+
+          def collection
+            Server.database["oauth2.access_tokens"]
+          end
+        end
+
+        # Access token. As unique as they come.
+        attr_reader :_id
+        alias :token :_id
+        # The resource we authorized access to.
+        attr_reader :resource
+        # Client that was granted this access token.
+        attr_reader :client_id
+        # The scope granted in this token.
+        attr_reader :scope
+        # When token was granted.
+        attr_reader :created_at
+        # When token expires for good.
+        attr_reader :expires_at
+        # Timestamp if revoked.
+        attr_accessor :revoked
+
+        # Revokes this access token.
+        def revoke!
+          self.revoked = Time.now.utc
+          AccessToken.collection.update({ :_id=>token }, { :$set=>{ :revoked=>revoked } })
+        end
+        
+        # Allows us to kill all pending grants on behalf of client/resource.
+        #collection.create_index [[:client_id, Mongo::ASCENDING]]
+        #collection.create_index [[:resource, Mongo::ASCENDING]]
+      end
+
+    end
+  end
+end

data/lib/rack/oauth2/models/auth_request.rb

@@ -0,0 +1,88 @@
+module Rack
+  module OAuth2
+    class Server
+
+      # Authorization request. Represents request on behalf of client to access
+      # particular scope. Use this to keep state from incoming authorization
+      # request to grant/deny redirect.
+      class AuthRequest
+        class << self
+          # Find AuthRequest from identifier.
+          def find(request_id)
+            id = BSON::ObjectId(request_id.to_s)
+            Server.new_instance self, collection.find_one(id)
+          end
+
+          # Create a new authorization request. This holds state, so in addition
+          # to client ID and scope, we need to know the URL to redirect back to
+          # and any state value to pass back in that redirect.
+          def create(client_id, scope, redirect_uri, response_type, state)
+            fields = { :client_id=>client_id, :scope=>scope, :redirect_uri=>redirect_uri, :state=>state,
+                       :response_type=>response_type, :created_at=>Time.now.utc, :grant_code=>nil, :authorized_at=>nil, :revoked=>nil }
+            fields[:_id] = collection.insert(fields)
+            Server.new_instance self, fields
+          end
+
+          def collection
+            Server.database["oauth2.auth_requests"]
+          end
+        end
+
+        # Request identifier. We let the database pick this one out.
+        attr_reader :_id
+        alias :id :_id
+        # Client making this request.
+        attr_reader :client_id
+        # Scope of this request: array of names.
+        attr_reader :scope
+        # Redirect back to this URL.
+        attr_reader :redirect_uri
+        # Client requested we return state on redirect.
+        attr_reader :state
+        # Does what it says on the label.
+        attr_reader :created_at
+        # Response type: either code or token.
+        attr_reader :response_type
+        # If granted, the access grant code.
+        attr_accessor :grant_code
+        # If granted, the access token.
+        attr_accessor :access_token
+        # Keeping track of things.
+        attr_accessor :authorized_at
+        # Timestamp if revoked.
+        attr_accessor :revoked
+
+        # Grant access to the specified resource.
+        def grant!(resource)
+          raise ArgumentError, "Must supply a resource" unless resource
+          return if revoked
+          self.authorized_at = Time.now.utc
+          if response_type == "code" # Requested authorization code
+            unless self.grant_code
+              access_grant = AccessGrant.create(resource, scope, client_id, redirect_uri)
+              self.grant_code = access_grant.code
+              self.class.collection.update({ :_id=>id, :revoked=>nil }, { :$set=>{ :grant_code=>access_grant.code, :authorized_at=>authorized_at } })
+            end
+          else # Requested access token
+            unless self.access_token
+              access_token = AccessToken.get_token_for(resource, scope, client_id)
+              self.access_token = access_token.token
+              self.class.collection.update({ :_id=>id, :revoked=>nil, :access_token=>nil }, { :$set=>{ :access_token=>access_token.token, :authorized_at=>authorized_at } })
+            end
+          end
+          true
+        end
+
+        # Deny access.
+        def deny!
+          self.authorized_at = Time.now.utc
+          self.class.collection.update({ :_id=>id }, { :$set=>{ :authorized_at=>authorized_at } })
+        end
+
+        # Allows us to kill all pending request on behalf of client.
+        #collection.create_index [[:client_id, Mongo::ASCENDING]]
+      end
+
+    end
+  end
+end

data/lib/rack/oauth2/models/client.rb

@@ -0,0 +1,73 @@
+module Rack
+  module OAuth2
+    class Server
+
+      class Client
+
+        class << self
+          # Authenticate a client request. This method takes three arguments,
+          # Find Client from client identifier.
+          def find(client_id)
+            id = BSON::ObjectId(client_id.to_s)
+            Server.new_instance self, collection.find_one(id)
+          end
+
+          # Create a new client. Client provides the following properties:
+          # # :display_name -- Name to show (e.g. UberClient)
+          # # :link -- Link to client Web site (e.g. http://uberclient.dot)
+          # # :image_url -- URL of image to show alongside display name
+          # # :redirect_uri -- Registered redirect URI.
+          # 
+          # This method does not validate any of these fields, in fact, you're
+          # not required to set them, use them, or use them as suggested. Using
+          # them as suggested would result in better user experience.  Don't ask
+          # how we learned that.
+          def create(args)
+            redirect_uri = Server::Utils.parse_redirect_uri(args[:redirect_uri]).to_s if args[:redirect_uri]
+            fields =  { :secret=>Server.secure_random, :display_name=>args[:display_name], :link=>args[:link],
+                        :image_url=>args[:image_url], :redirect_uri=>redirect_uri, :created_at=>Time.now.utc, :revoked=>nil }
+            fields[:_id] = collection.insert(fields)
+            Server.new_instance self, fields
+          end
+
+          def collection
+            Server.database["oauth2.clients"]
+          end
+        end
+
+        # Client identifier.
+        attr_reader :_id
+        alias :id :_id
+        # Client secret: random, long, and hexy.
+        attr_reader :secret
+        # User see this.
+        attr_reader :display_name
+        # Link to client's Web site.
+        attr_reader :link
+        # Preferred image URL for this icon.
+        attr_reader :image_url
+        # Redirect URL. Supplied by the client if they want to restrict redirect
+        # URLs (better security).
+        attr_reader :redirect_uri
+        # Does what it says on the label.
+        attr_reader :created_at
+        # Timestamp if revoked.
+        attr_accessor :revoked
+
+        # Revoke all authorization requests, access grants and access tokens for
+        # this client. Ward off the evil.
+        def revoke!
+          self.revoked = Time.now.utc
+          Client.collection.update({ :_id=>id }, { :$set=>{ :revoked=>revoked } })
+          AuthRequest.collection.update({ :client_id=>id }, { :$set=>{ :revoked=>revoked } })
+          AccessGrant.collection.update({ :client_id=>id }, { :$set=>{ :revoked=>revoked } })
+          AccessToken.collection.update({ :client_id=>id }, { :$set=>{ :revoked=>revoked } })
+        end
+
+        #collection.create_index [[:display_name, Mongo::ASCENDING]]
+        #collection.create_index [[:link, Mongo::ASCENDING]]
+      end
+
+    end
+  end
+end

data/lib/rack/oauth2/rails.rb

@@ -0,0 +1,105 @@
+require "rack/oauth2/server"
+
+module Rack
+  module OAuth2
+
+    # Rails support.
+    #
+    # Adds oauth instance method that returns Rack::OAuth2::Helper, see there for
+    # more details.
+    #
+    # Adds oauth_required filter method. Use this filter with actions that require
+    # authentication, and with actions that require client to have a specific
+    # access scope.
+    #
+    # Adds oauth setting you can use to configure the module (e.g. setting
+    # available scopes, see example).
+    #
+    # @example config/environment.rb
+    #   require "rack/oauth2/rails"
+    #
+    #   Rails::Initializer.run do |config|
+    #     config.oauth[:scopes] = %w{read write}
+    #     config.oauth[:authenticator] = lambda do |username, password|
+    #       User.authenticated username, password
+    #     end
+    #     . . .
+    #   end
+    #
+    # @example app/controllers/my_controller.rb
+    #   class MyController < ApplicationController
+    #
+    #     oauth_required :only=>:show
+    #     oauth_required :only=>:update, :scope=>"write"
+    #
+    #     . . .
+    #
+    #   protected 
+    #     def current_user
+    #       @current_user ||= User.find(oauth.resource) if oauth.authenticated?
+    #     end
+    #   end
+    #
+    # @see Helpers
+    # @see Filters
+    # @see Configuration
+    module Rails
+
+      # Helper methods available to controller instance and views.
+      module Helpers
+        # Returns the OAuth helper.
+        #
+        # @return [Server::Helper]
+        def oauth
+          @oauth ||= Rack::OAuth2::Server::Helper.new(request, response)
+        end
+      end
+
+      # Filter methods available in controller.
+      module Filters
+        
+        # Adds before filter to require authentication on all the listed paths.
+        # Use the :scope option if client must also have access to that scope.
+        #
+        # @param [Hash] options Accepts before_filter options like :only and
+        # :except, and the :scope option.
+        def oauth_required(options = {})
+          scope = options.delete(:scope)
+          before_filter options do |controller|
+            if controller.oauth.authenticated?
+              if scope && !controller.oauth.scope.include?(scope)
+                controller.send :head, controller.oauth.no_scope!(scope)
+              end
+            else
+              controller.send :head, controller.oauth.no_access!
+            end
+          end
+        end
+      end
+
+      # Configuration methods available in config/environment.rb.
+      module Configuration
+
+        # Rack module settings.
+        #
+        # @return [Hash] Settings
+        def oauth
+          @oauth ||= { :logger=>::Rails.logger }
+        end
+      end
+
+    end
+
+  end
+end
+
+class Rails::Configuration
+  include Rack::OAuth2::Rails::Configuration
+end
+class ActionController::Base
+  helper Rack::OAuth2::Rails::Helpers
+  include Rack::OAuth2::Rails::Helpers
+  extend Rack::OAuth2::Rails::Filters
+end
+# Add middleware now, but load configuration as late as possible.
+ActionController::Dispatcher.middleware.use Rack::OAuth2::Server, lambda { Rails.configuration.oauth }