rack-oauth2-server 1.0.beta

data/lib/rack/oauth2/server.rb

@@ -0,0 +1,312 @@
+require "rack/oauth2/models"
+require "rack/oauth2/server/errors"
+require "rack/oauth2/server/utils"
+require "rack/oauth2/server/helper"
+require "rack/oauth2/server/version"
+
+
+module Rack
+  module OAuth2
+
+    # Implements an OAuth 2 Authorization Server, based on http://tools.ietf.org/html/draft-ietf-oauth-v2-10
+    class Server
+
+      class << self
+        # Return AuthRequest from authorization request handle.
+        def get_auth_request(authorization)
+          AuthRequest.find(authorization)
+        end
+
+        # Returns Client from client identifier.
+        def get_client(client_id)
+          Client.find(client_id)
+        end
+
+        # Returns AccessToken from token.
+        def get_access_token(token)
+          AccessToken.from_token(token)
+        end
+
+        # Returns all AccessTokens for a resource.
+        def list_access_tokens(resource)
+          AccessToken.from_resource(resource)
+        end
+      end
+
+      def initialize(app, options = {}, &authenticator)
+        @app = app
+        @options = options
+        @options[:authenticator] ||= authenticator
+        @options[:access_token_path] ||= "/oauth/access_token"
+        @options[:authorize_path] ||= "/oauth/authorize"
+        @options[:authorization_types] ||=  %w{code token}
+      end
+
+      # Options are:
+      # - :access_token_path -- Path for requesting access token. By convention
+      #   defaults to /oauth/access_token.
+      # - :authenticator -- For username/password authorization. A block that
+      #   receives the credentials and returns resource string (e.g. user ID) or
+      #   nil.
+      # - :authorization_types -- Array of supported authorization types.
+      #   Defaults to ["code", "token"], and you can change it to just one of
+      #   these names.
+      # - :authorize_path --  Path for requesting end-user authorization. By
+      #   convention defaults to /oauth/authorize.
+      # - :database -- Mongo::DB instance.
+      # - :realm -- Authorization realm that will show up in 401 responses.
+      #   Defaults to use the request host name.
+      # - :scopes -- Array listing all supported scopes, e.g. %w{read write}.
+      # - :logger -- The logger to use. Under Rails, defaults to use the Rails
+      #   logger.  Will use Rack::Logger if available.
+      attr_reader :options
+
+      def call(env)
+        # Use options[:database] if specified.
+        org_database, Server.database = Server.database, options[:database] || Server.database
+        logger = options[:logger] || env["rack.logger"]
+        request = OAuthRequest.new(env)
+
+        # 3.  Obtaining End-User Authorization
+        # Flow starts here.
+        return request_authorization(request, logger) if request.path == options[:authorize_path]
+        # 4.  Obtaining an Access Token
+        return respond_with_access_token(request, logger) if request.path == options[:access_token_path]
+
+        # 5.  Accessing a Protected Resource
+        if request.authorization
+          # 5.1.1.  The Authorization Request Header Field
+          token = request.credentials if request.oauth?
+        else
+          # 5.1.2.  URI Query Parameter
+          # 5.1.3.  Form-Encoded Body Parameter
+          token = request.GET["oauth_token"] || request.POST["oauth_token"]
+        end
+
+        if token
+          begin
+            access_token = AccessToken.from_token(token)
+            raise InvalidTokenError if access_token.nil? || access_token.revoked
+            raise ExpiredTokenError if access_token.expires_at && access_token.expires_at <= Time.now.utc
+            request.env["oauth.access_token"] = token
+            request.env["oauth.resource"] = access_token.resource
+            logger.info "Authorized #{access_token.resource}" if logger
+          rescue Error=>error
+            # 5.2.  The WWW-Authenticate Response Header Field
+            logger.info "HTTP authorization failed #{error.code}" if logger
+            return unauthorized(request, error)
+          rescue =>ex
+            logger.info "HTTP authorization failed #{ex.message}" if logger
+            return unauthorized(request)
+          end
+
+          # We expect application to use 403 if request has insufficient scope,
+          # and return appropriate WWW-Authenticate header.
+          response = @app.call(env)
+          if response[0] == 403
+            scope = response[1]["oauth.no_scope"] || ""
+            scope = scope.join(" ") if scope.respond_to?(:join)
+            challenge = 'OAuth realm="%s", error="insufficient_scope", scope="%s"' % [(options[:realm] || request.host), scope]
+            return [403, { "WWW-Authenticate"=>challenge }, []]
+          else
+            return response
+          end
+        else
+          response = @app.call(env)
+          if response[1] && response[1]["oauth.no_access"]
+            # OAuth access required.
+            return unauthorized(request)
+          elsif response[1] && response[1]["oauth.authorization"]
+            # 3.  Obtaining End-User Authorization
+            # Flow ends here.
+            return authorization_response(response, logger)
+          else
+            return response
+          end
+        end
+      ensure
+        Server.database = org_database
+      end
+
+    protected
+
+      # Get here for authorization request. Check the request parameters and
+      # redirect with an error if we find any issue. Otherwise, create a new
+      # authorization request, set in oauth.request and pass control to the
+      # application.
+      def request_authorization(request, logger)
+        # 3.  Obtaining End-User Authorization
+        begin
+          redirect_uri = Utils.parse_redirect_uri(request.GET["redirect_uri"])
+        rescue InvalidRequestError=>error
+          logger.error "Authorization request with invalid redirect_uri: #{request.GET["redirect_uri"]} #{error.message}" if logger
+          return bad_request(error.message)
+        end
+        state = request.GET["state"]
+
+        begin
+          # 3. Obtaining End-User Authorization
+          client = get_client(request)
+          raise RedirectUriMismatchError unless client.redirect_uri.nil? || client.redirect_uri == redirect_uri.to_s
+          requested_scope = request.GET["scope"].to_s.split.uniq.join(" ")
+          response_type = request.GET["response_type"].to_s
+          raise UnsupportedResponseTypeError unless options[:authorization_types].include?(response_type)
+          if scopes = options[:scopes]
+            allowed_scope = scopes.respond_to?(:all?) ? scopes : scopes.split
+            raise InvalidScopeError unless requested_scope.split.all? { |v| allowed_scope.include?(v) }
+          end
+          # Create object to track authorization request and let application
+          # handle the rest.
+          auth_request = AuthRequest.create(client.id, requested_scope, redirect_uri.to_s, response_type, state)
+          request.env["oauth.authorization"] = auth_request.id.to_s
+          logger.info "Request #{auth_request.id}: Client #{client.display_name} requested #{response_type} with scope #{requested_scope}" if logger
+          return @app.call(request.env)
+        rescue Error=>error
+          logger.error "Authorization request error: #{error.code} #{error.message}" if logger
+          params = Rack::Utils.parse_query(redirect_uri.query).merge(:error=>error.code, :error_description=>error.message, :state=>state)
+          redirect_uri.query = Rack::Utils.build_query(params)
+          return redirect_to(redirect_uri)
+        end
+      end
+
+      # Get here on completion of the authorization. Authorization response in
+      # oauth.response either grants or denies authroization. In either case, we
+      # redirect back with the proper response.
+      def authorization_response(response, logger)
+        status, headers, body = response
+        auth_request = self.class.get_auth_request(headers["oauth.authorization"])
+        redirect_uri = URI.parse(auth_request.redirect_uri)
+        if status == 401
+          auth_request.deny!
+        else
+          auth_request.grant! headers["oauth.resource"]
+        end
+        # 3.1.  Authorization Response
+        if auth_request.response_type == "code" && auth_request.grant_code
+          logger.info "Request #{auth_request.id}: Client #{auth_request.client_id} granted access code #{auth_request.grant_code}" if logger
+          params = { :code=>auth_request.grant_code, :scope=>auth_request.scope, :state=>auth_request.state }
+          params = Rack::Utils.parse_query(redirect_uri.query).merge(params)
+          redirect_uri.query = Rack::Utils.build_query(params)
+          return redirect_to(redirect_uri)
+        elsif auth_request.response_type == "token" && auth_request.access_token
+          logger.info "Request #{auth_request.id}: Client #{auth_request.client_id} granted access token #{auth_request.access_token}" if logger
+          params = { :access_token=>auth_request.access_token, :scope=>auth_request.scope, :state=>auth_request.state }
+          redirect_uri.fragment = Rack::Utils.build_query(params)
+          return redirect_to(redirect_uri)
+        else
+          logger.info "Request #{auth_request.id}: Client #{auth_request.client_id} denied authorization" if logger
+          params = Rack::Utils.parse_query(redirect_uri.query).merge(:error=>:access_denied, :state=>auth_request.state)
+          redirect_uri.query = Rack::Utils.build_query(params)
+          return redirect_to(redirect_uri)
+        end
+      end
+
+      # 4.  Obtaining an Access Token
+      def respond_with_access_token(request, logger)
+        return [405, { "Content-Type"=>"application/json" }, ["POST only"]] unless request.post?
+        # 4.2.  Access Token Response
+        begin
+          client = get_client(request)
+          case request.POST["grant_type"]
+          when "authorization_code"
+            # 4.1.1.  Authorization Code
+            grant = AccessGrant.from_code(request.POST["code"])
+            raise InvalidGrantError unless grant && client.id == grant.client_id
+            raise InvalidGrantError unless grant.redirect_uri.nil? || grant.redirect_uri == Utils.parse_redirect_uri(request.POST["redirect_uri"]).to_s
+            access_token = grant.authorize!
+          when "password"
+            raise UnsupportedGrantType unless options[:authenticator]
+            # 4.1.2.  Resource Owner Password Credentials
+            username, password = request.POST.values_at("username", "password")
+            requested_scope = request.POST["scope"].to_s.split.uniq.join(" ")
+            raise InvalidGrantError unless username && password
+            resource = options[:authenticator].call(username, password)
+            raise InvalidGrantError unless resource
+            if scopes = options[:scopes]
+              allowed_scope = scopes.respond_to?(:all?) ? scopes : scopes.split
+              raise InvalidScopeError unless requested_scope.split.all? { |v| allowed_scope.include?(v) }
+            end
+            access_token = AccessToken.get_token_for(resource, requested_scope.to_s, client.id)
+          else raise UnsupportedGrantType
+          end
+          logger.info "Access token #{access_token.token} granted to client #{client.display_name}, resource #{access_token.resource}" if logger
+          response = { :access_token=>access_token.token }
+          response[:scope] = access_token.scope unless access_token.scope.empty?
+          return [200, { "Content-Type"=>"application/json", "Cache-Control"=>"no-store" }, response.to_json]
+          # 4.3.  Error Response
+        rescue Error=>error
+          logger.error "Access token request error: #{error.code} #{error.message}" if logger
+          return unauthorized(request, error) if InvalidClientError === error && request.basic?
+          return [400, { "Content-Type"=>"application/json", "Cache-Control"=>"no-store" }, 
+                  { :error=>error.code, :error_description=>error.message }.to_json]
+        end
+      end
+
+      # Returns client from request based on credentials. Raises
+      # InvalidClientError if client doesn't exist or secret doesn't match.
+      def get_client(request)
+        # 2.1  Client Password Credentials
+        if request.basic?
+          client_id, client_secret = request.credentials
+        elsif request.form_data?
+          client_id, client_secret = request.POST.values_at("client_id", "client_secret")
+        else
+          client_id, client_secret = request.GET.values_at("client_id", "client_secret")
+        end
+        client = self.class.get_client(client_id)
+        raise InvalidClientError unless client && client.secret == client_secret
+        raise InvalidClientError if client.revoked
+        return client
+      rescue BSON::InvalidObjectId
+        raise InvalidClientError
+      end
+
+      # Rack redirect response. The argument is typically a URI object.
+      def redirect_to(uri)
+        return [302, { "Location"=>uri.to_s }, []]
+      end
+
+      def bad_request(message)
+        return [400, { "Content-Type"=>"text/plain" }, [message]]
+      end
+
+      # Returns WWW-Authenticate header.
+      def unauthorized(request, error = nil)
+        challenge = 'OAuth realm="%s"' % (options[:realm] || request.host)
+        challenge << ', error="%s", error_description="%s"' % [error.code, error.message] if error
+        return [401, { "WWW-Authenticate"=>challenge }, []]
+      end
+
+      # Wraps Rack::Request to expose Basic and OAuth authentication
+      # credentials.
+      class OAuthRequest < Rack::Request
+
+        AUTHORIZATION_KEYS = %w{HTTP_AUTHORIZATION X-HTTP_AUTHORIZATION X_HTTP_AUTHORIZATION}
+
+        # Returns authorization header.
+        def authorization
+          @authorization ||= AUTHORIZATION_KEYS.inject(nil) { |auth, key| auth || @env[key] }
+        end
+
+        # True if authentication scheme is OAuth.
+        def oauth?
+          authorization[/^oauth/i] if authorization
+        end
+
+        # True if authentication scheme is Basic.
+        def basic?
+          authorization[/^basic/i] if authorization
+        end
+
+        # If Basic auth, returns username/password, if OAuth, returns access
+        # token.
+        def credentials
+          basic? ? authorization.gsub(/\n/, "").split[1].unpack("m*").first.split(/:/, 2) :
+          oauth? ? authorization.gsub(/\n/, "").split[1] : nil
+        end
+      end
+
+    end
+
+  end
+end

data/lib/rack/oauth2/server/errors.rb

@@ -0,0 +1,97 @@
+module Rack
+  module OAuth2
+    class Server
+
+      # Base class for all OAuth errors. These map to error codes in the spec.
+      class Error < StandardError
+
+        def initialize(code, message)
+          super message
+          @code = code.to_sym
+        end
+
+        # The OAuth error code.
+        attr_reader :code
+      end
+
+      # Access token expired, client expected to request new one using refresh
+      # token.
+      class ExpiredTokenError < Error
+        def initialize
+          super :expired_token, "The access token has expired."
+        end
+      end
+
+      # The client identifier provided is invalid, the client failed to
+      # authenticate, the client did not include its credentials, provided
+      # multiple client credentials, or used unsupported credentials type.
+      class InvalidClientError < Error
+        def initialize
+          super :invalid_client, "Client ID and client secret do not match."
+        end
+      end
+     
+      # The provided access grant is invalid, expired, or revoked (e.g.  invalid
+      # assertion, expired authorization token, bad end-user password credentials,
+      # or mismatching authorization code and redirection URI).
+      class InvalidGrantError < Error
+        def initialize
+          super :invalid_grant, "This access grant is no longer valid."
+        end
+      end
+
+      # Invalid_request, the request is missing a required parameter, includes an
+      # unsupported parameter or parameter value, repeats the same parameter, uses
+      # more than one method for including an access token, or is otherwise
+      # malformed.
+      class InvalidRequestError < Error
+        def initialize(message)
+          super :invalid_request, message || "The request has the wrong parameters."
+        end
+      end
+
+      # The requested scope is invalid, unknown, or malformed.
+      class InvalidScopeError < Error
+        def initialize
+          super :invalid_scope, "The requested scope is not supported."
+        end
+      end
+
+      # Access token expired, client cannot refresh and needs new authorization.
+      class InvalidTokenError < Error
+        def initialize
+          super :invalid_token, "The access token is no longer valid."
+        end
+      end
+
+      # The redirection URI provided does not match a pre-registered value.
+      class RedirectUriMismatchError < Error
+        def initialize
+          super :redirect_uri_mismatch, "Must use the same redirect URI you registered with us."
+        end
+      end
+
+      # The authenticated client is not authorized to use the access grant type provided.
+      class UnauthorizedClientError < Error
+        def initialize
+          super :unauthorized_client, "You are not allowed to access this resource."
+        end
+      end
+
+      # This access grant type is not supported by this server.
+      class UnsupportedGrantType < Error
+        def initialize
+          super :unsupported_grant_type, "This access grant type is not supported by this server."
+        end
+      end
+
+      # The requested response type is not supported by the authorization server.
+      class UnsupportedResponseTypeError < Error
+        def initialize
+          super :unsupported_response_type, "The requested response type is not supported."
+        end
+      end
+
+    end
+  end
+end

data/lib/rack/oauth2/server/helper.rb

@@ -0,0 +1,142 @@
+module Rack
+  module OAuth2
+    class Server
+
+      # Helper methods that provide access to the OAuth state during the
+      # authorization flow, and from authenticated requests. For example:
+      #
+      #   def show
+      #     logger.info "#{oauth.client.display_name} accessing #{oauth.scope}"
+      #   end
+      class Helper
+
+        def initialize(request, response)
+          @request, @response = request, response
+        end
+
+        # Returns the access token. Only applies if client authenticated.
+        #
+        # @return [String, nil] Access token, if authenticated
+        def access_token
+          @access_token ||= @request.env["oauth.access_token"]
+        end
+
+        # True if client authenticated.
+        #
+        # @return [true, false] True if authenticated
+        def authenticated?
+          !!access_token
+        end
+
+        # Returns the authenticated resource. Only applies if client
+        # authenticated.
+        #
+        # @return [String, nil] Resource, if authenticated
+        def resource
+          @resource ||= @request.env["oauth.resource"]
+        end
+
+        # Returns the Client object associated with this request. Available if
+        # client authenticated, or while processing authorization request.
+        #
+        # @return [Client, nil] Client if authenticated, or while authorizing
+        def client
+          if access_token
+            @client ||= Server.get_client(Server.get_access_token(access_token).client_id)
+          elsif authorization
+            @client ||= Server.get_client(Server.get_auth_request(authorization).client_id)
+          end
+        end
+
+        # Returns scope associated with this request. Available if client
+        # authenticated, or while processing authorization request.
+        #
+        # @return [Array<String>, nil] Scope names, e.g ["read, "write"]
+        def scope
+          if access_token
+            @scope ||= Server.get_access_token(access_token).scope.split
+          elsif authorization
+            @scope ||= Server.get_auth_request(authorization).scope.split
+          end
+        end
+
+        # Rejects the request and returns 401 (Unauthorized). You can just
+        # return 401, but this also sets the WWW-Authenticate header the right
+        # value.
+        #
+        # @return 401
+        def no_access!
+          @response["oauth.no_access"] = true
+          @response.status = 401
+        end
+        
+        # Rejects the request and returns 403 (Forbidden). You can just
+        # return 403, but this also sets the WWW-Authenticate header the right
+        # value. Indicates which scope the client needs to make this request.
+        #
+        # @param [String] scope The missing scope, e.g. "read"
+        # @return 403
+        def no_scope!(scope)
+          @response["oauth.no_scope"] = scope
+          @response.status = 403
+        end
+
+        # Returns the authorization request handle. Available when starting an
+        # authorization request (i.e. /oauth/authorize).
+        #
+        # @return [String] Authorization handle
+        def authorization
+          @request_id ||= @request.env["oauth.authorization"]
+        end
+
+        # Sets the authorization request handle. Use this during the
+        # authorization flow.
+        #
+        # @param [String] authorization handle
+        def authorization=(authorization)
+          @scope, @client = nil
+          @request_id = authorization
+        end
+
+        # Grant authorization request. Call this at the end of the authorization
+        # flow to signal that the user has authorized the client to access the
+        # specified resource. Don't render anything else.
+        #
+        # @param [String] authorization Authorization handle
+        # @param [String] resource Resource string
+        # @return 200
+        def grant!(authorization, resource)
+          @response["oauth.authorization"] = authorization
+          @response["oauth.resource"] = resource.to_s
+          @response.status = 200
+        end
+
+        # Deny authorization request. Call this at the end of the authorization
+        # flow to signal that the user has not authorized the client. Don't
+        # render anything else.
+        #
+        # @param [String] authorization Authorization handle
+        # @return 401
+        def deny!(authorization)
+          @response["oauth.authorization"] = authorization
+          @response.status = 401
+        end
+
+        # Returns all access tokens associated with this resource.
+        #
+        # @param [String] resource Resource string
+        # @return [Array<AccessToken>]
+        def list_access_tokens(resource)
+          Rack::OAuth2::Server.list_access_tokens(resource)
+        end
+
+        def inspect
+          authorization ? "Authorization request for #{scope.join(",")} on behalf of #{client.display_name}" :
+          authenticated? ? "Authenticated as #{resource}" : nil
+        end
+
+      end
+
+    end
+  end
+end