rack-oauth2-server 1.0.beta

data/lib/rack/oauth2/server/utils.rb

@@ -0,0 +1,24 @@
+module Rack
+  module OAuth2
+    class Server
+
+      module Utils
+        module_function
+
+        # Parses the redirect URL, normalizes it and returns a URI object.
+        #
+        # Raises InvalidRequestError if not an absolute HTTP/S URL.
+        def parse_redirect_uri(redirect_uri)
+          uri = URI.parse(redirect_uri).normalize
+          raise InvalidRequestError, "Redirect URL must be absolute URL" unless uri.absolute? && uri.host
+          raise InvalidRequestError, "Redirect URL must point to HTTP/S location" unless uri.scheme == "http" || uri.scheme == "https"
+          uri
+        rescue
+          raise InvalidRequestError, "Redirect URL looks fishy to me"
+        end
+
+      end
+
+    end
+  end
+end

data/lib/rack/oauth2/server/version.rb

@@ -0,0 +1,9 @@
+module Rack
+  module OAuth2
+    class Server
+
+      VERSION = "1.0.beta"
+
+    end
+  end
+end

data/lib/rack/oauth2/sinatra.rb

@@ -0,0 +1,71 @@
+require "rack/oauth2/server"
+
+module Rack
+  module OAuth2
+
+    # Sinatra support.
+    #
+    # Adds oauth instance method that returns Rack::OAuth2::Helper, see there for
+    # more details.
+    #
+    # Adds oauth_required class method. Use this filter with paths that require
+    # authentication, and with paths that require client to have a specific
+    # access scope.
+    #
+    # Adds oauth setting you can use to configure the module (e.g. setting
+    # available scopes, see example).
+    #
+    # @example
+    #   require "rack/oauth2/sinatra"
+    #   class MyApp < Sinatra::Base
+    #     register Rack::OAuth2::Sinatra
+    #     oauth[:scopes] = %w{read write}
+    #
+    #     oauth_required "/api"
+    #     oauth_required "/api/edit", :scope=>"write"
+    #
+    #     before { @user = User.find(oauth.resource) if oauth.authenticated? }
+    #   end
+    #
+    # @see Helpers
+    module Sinatra
+
+      # Adds before filter to require authentication on all the listed paths.
+      # Use the :scope option if client must also have access to that scope.
+      #
+      # @param [String, ...] path One or more paths that require authentication
+      # @param [optional, Hash] options Currently only :scope is supported.
+      def oauth_required(*args)
+        options = args.pop if Hash === args.last
+        scope = options[:scope] if options
+        args.each do |path|
+          before path do
+            if oauth.authenticated?
+              if scope && !oauth.scope.include?(scope)
+                oauth.no_scope! scope
+              end
+            else
+              oauth.no_access!
+            end
+          end
+        end
+      end
+
+      module Helpers
+        # Returns the OAuth helper.
+        #
+        # @return [Server::Helper]
+        def oauth
+          @oauth ||= Rack::OAuth2::Server::Helper.new(request, response)
+        end
+      end
+
+      def self.registered(base)
+        base.helpers Helpers
+        base.set :oauth, {}
+        base.use Rack::OAuth2::Server, base.settings.oauth
+      end
+
+    end
+  end
+end

data/rack-oauth2-server.gemspec

@@ -0,0 +1,25 @@
+$: << File.dirname(__FILE__) + "/lib"
+require "rack/oauth2/server/version"
+
+Gem::Specification.new do |spec|
+  spec.name           = "rack-oauth2-server"
+  spec.version        = Rack::OAuth2::Server::VERSION
+  spec.author         = "Assaf Arkin"
+  spec.email          = "assaf@labnotes.org"
+  spec.homepage       = "http://github.com/assaf/#{spec.name}"
+  spec.summary        = "OAuth 2.0 Authorization Server as a Rack module"
+  spec.description    = "Because you don't allow strangers into your app, and OAuth 2.0 is the new awesome."
+  spec.post_install_message = ""
+
+  spec.files          = Dir["{bin,lib,test}/**/*", "CHANGELOG", "MIT-LICENSE", "README.rdoc", "Rakefile", "Gemfile", "*.gemspec"]
+
+  spec.has_rdoc         = true
+  spec.extra_rdoc_files = "README.rdoc", "CHANGELOG"
+  spec.rdoc_options     = "--title", "rack-oauth2-server #{spec.version}", "--main", "README.rdoc",
+                          "--webcvs", "http://github.com/assaf/#{spec.name}"
+
+  spec.required_ruby_version = '>= 1.8.7'
+  spec.add_dependency "rack", "~>1"
+  spec.add_dependency "mongo", "~>1"
+  spec.add_dependency "bson_ext"
+end

data/test/access_grant_test.rb

@@ -0,0 +1,216 @@
+require File.dirname(__FILE__) + "/setup"
+
+
+# 4.  Obtaining an Access Token
+class AccessGrantTest < Test::Unit::TestCase
+  module Helpers
+
+    def should_return_error(error)
+      should "respond with status 400 (Bad Request)" do
+        assert_equal 400, last_response.status
+      end
+      should "respond with JSON document" do
+        assert_equal "application/json", last_response.content_type
+      end
+      should "respond with error code #{error}" do
+        assert_equal error.to_s, JSON.parse(last_response.body)["error"]
+      end
+    end
+
+    def should_respond_with_authentication_error(error)
+      should "respond with status 401 (Unauthorized)" do
+        assert_equal 401, last_response.status
+      end
+      should "respond with authentication method OAuth" do
+        assert_equal "OAuth", last_response["WWW-Authenticate"].split.first
+      end
+      should "respond with realm" do
+        assert_match " realm=\"example.org\"", last_response["WWW-Authenticate"] 
+      end
+      should "respond with error code #{error}" do
+        assert_match " error=\"#{error}\"", last_response["WWW-Authenticate"]
+      end
+    end
+
+    def should_respond_with_access_token(scope = "read write")
+      should "respond with status 200" do
+        assert_equal 200, last_response.status
+      end
+      should "respond with JSON document" do
+        assert_equal "application/json", last_response.content_type
+      end
+      should "respond with cache control no-store" do
+        assert_equal "no-store", last_response["Cache-Control"]
+      end
+      should "not respond with error code" do
+        assert JSON.parse(last_response.body)["error"].nil?
+      end
+      should "response with access token" do
+        assert_match /[a-f0-9]{32}/i, JSON.parse(last_response.body)["access_token"]
+      end
+      should "response with scope" do
+        assert_equal scope, JSON.parse(last_response.body)["scope"]
+      end
+    end
+
+
+  end
+  extend Helpers
+
+  def setup
+    super
+    # Get authorization code.
+    params = { :redirect_uri=>client.redirect_uri, :client_id=>client.id, :client_secret=>client.secret, :response_type=>"code",
+               :scope=>"read write", :state=>"bring this back" }
+    get "/oauth/authorize?" + Rack::Utils.build_query(params)
+    post "/oauth/grant"
+    @code = Rack::Utils.parse_query(URI.parse(last_response["Location"]).query)["code"]
+  end
+
+  def request_access_token(changes = nil)
+    params = { :client_id=>client.id, :client_secret=>client.secret, :scope=>"read write",
+               :grant_type=>"authorization_code", :code=>@code, :redirect_uri=>client.redirect_uri }.merge(changes || {})
+    basic_authorize params.delete(:client_id), params.delete(:client_secret)
+    post "/oauth/access_token", params
+  end
+
+  def request_with_username_password(username, password, scope = "read write")
+    basic_authorize client.id, client.secret
+    params = { :grant_type=>"password", :scope=>scope }
+    params[:username] = username if username
+    params[:password] = password if password
+    post "/oauth/access_token", params
+  end
+
+
+  # 4.  Obtaining an Access Token
+  
+  context "GET request" do
+    setup { get "/oauth/access_token" }
+
+    should "respond with status 405 (Method Not Allowed)" do
+      assert_equal 405, last_response.status
+    end
+  end
+
+  context "no client ID" do
+    setup { request_access_token :client_id=>nil }
+    should_respond_with_authentication_error :invalid_client
+  end
+
+  context "invalid client ID" do
+    setup { request_access_token :client_id=>"foobar" }
+    should_respond_with_authentication_error :invalid_client
+  end
+
+  context "client ID but no such client" do
+    setup { request_access_token :client_id=>"4cc7bc483321e814b8000000" }
+    should_respond_with_authentication_error :invalid_client
+  end
+
+  context "no client secret" do
+    setup { request_access_token :client_secret=>nil }
+    should_respond_with_authentication_error :invalid_client
+  end
+
+  context "wrong client secret" do
+    setup { request_access_token :client_secret=>"plain wrong" }
+    should_respond_with_authentication_error :invalid_client
+  end
+
+  context "client revoked" do
+    setup do
+      client.revoke!
+      request_access_token
+    end
+    should_respond_with_authentication_error :invalid_client
+  end
+
+  context "unsupported grant type" do
+    setup { request_access_token :grant_type=>"bogus" }
+    should_return_error :unsupported_grant_type
+  end
+
+
+  # 4.1.1.  Authorization Code
+
+  context "no authorization code" do
+    setup { request_access_token :code=>nil }
+    should_return_error :invalid_grant
+  end
+  
+  context "unknown authorization code" do
+    setup { request_access_token :code=>"unknown" }
+    should_return_error :invalid_grant
+  end
+
+  context "authorization code for different client" do
+    setup do
+      grant = Rack::OAuth2::Server::AccessGrant.create("foo bar", "read write", "4cc7bc483321e814b8000000", nil)
+      request_access_token :code=>grant.code
+    end
+    should_return_error :invalid_grant
+  end
+
+  context "authorization code revoked" do
+    setup do
+      Rack::OAuth2::Server::AccessGrant.from_code(@code).revoke!
+      request_access_token
+    end
+    should_return_error :invalid_grant
+  end
+
+  context "mistmatched redirect URI" do
+    setup { request_access_token :redirect_uri=>"http://uberclient.dot/oz" }
+    should_return_error :invalid_grant
+  end
+
+  context "no redirect URI to match" do
+    setup do
+      grant = Rack::OAuth2::Server::AccessGrant.create("foo bar", "read write", client.id, nil)
+      request_access_token :code=>grant.code, :redirect_uri=>"http://uberclient.dot/oz"
+    end
+    should_respond_with_access_token
+  end
+
+
+  # 4.1.2.  Resource Owner Password Credentials
+
+  context "no username" do
+    setup { request_with_username_password nil, "more" }
+    should_return_error :invalid_grant
+  end  
+  
+  context "no password" do
+    setup { request_with_username_password nil, "more" }
+    should_return_error :invalid_grant
+  end
+
+  context "not authorized" do
+    setup { request_with_username_password "cowbell", "less" }
+    should_return_error :invalid_grant
+  end
+
+  context "no scope specified" do
+    setup { request_with_username_password "cowbell", "more", nil }
+    should_respond_with_access_token nil
+  end
+
+  context "unsupported scope" do
+    setup { request_with_username_password "cowbell", "more", "read write math" }
+    should_return_error :invalid_scope
+  end
+
+  # 4.2.  Access Token Response
+
+  context "using authorization code" do
+    setup { request_access_token }
+    should_respond_with_access_token "read write"
+  end
+
+  context "using username/password" do
+    setup { request_with_username_password "cowbell", "more", "read" }
+    should_respond_with_access_token "read"
+  end
+  
+end

data/test/access_token_test.rb

@@ -0,0 +1,237 @@
+require File.dirname(__FILE__) + "/setup"
+
+
+# 5.  Accessing a Protected Resource
+class AccessTokenTest < Test::Unit::TestCase
+  module Helpers
+
+    def should_return_resource(content)
+      should "respond with status 200" do
+        assert_equal 200, last_response.status
+      end
+      should "respond with resource name" do
+        assert_equal content, last_response.body
+      end
+    end
+
+    def should_fail_authentication(error = nil)
+      should "respond with status 401 (Unauthorized)" do
+        assert_equal 401, last_response.status
+      end
+      should "respond with authentication method OAuth" do
+        assert_equal "OAuth", last_response["WWW-Authenticate"].split.first
+      end
+      should "respond with realm" do
+        assert_match " realm=\"example.org\"", last_response["WWW-Authenticate"] 
+      end
+      if error
+        should "respond with error code #{error}" do
+          assert_match " error=\"#{error}\"", last_response["WWW-Authenticate"]
+        end
+      else
+        should "not respond with error code" do
+          assert !last_response["WWW-Authenticate"]["error="]
+        end
+      end
+    end
+
+  end
+  extend Helpers
+
+
+  def setup
+    super
+    # Get authorization code.
+    params = { :redirect_uri=>client.redirect_uri, :client_id=>client.id, :client_secret=>client.secret, :response_type=>"code",
+               :scope=>"read write", :state=>"bring this back" }
+    get "/oauth/authorize?" + Rack::Utils.build_query(params)
+    post "/oauth/grant"
+    code = Rack::Utils.parse_query(URI.parse(last_response["Location"]).query)["code"]
+    # Get access token
+    basic_authorize client.id, client.secret
+    post "/oauth/access_token", :scope=>"read write", :grant_type=>"authorization_code", :code=>code, :redirect_uri=>client.redirect_uri
+    @token = JSON.parse(last_response.body)["access_token"]
+    header "Authorization", nil
+  end
+
+  def with_token(token = @token)
+    header "Authorization", "OAuth #{token}"
+  end
+
+
+  # 5.  Accessing a Protected Resource
+
+  context "public resource" do
+    context "no authorization" do
+      setup { get "/public" }
+      should_return_resource "HAI"
+    end
+
+    context "with authorization" do
+      setup do
+        with_token
+        get "/public"
+      end
+      should_return_resource "HAI from Superman"
+    end
+  end
+
+  context "private resource" do
+    context "no authorization" do
+      setup { get "/private" }
+      should_fail_authentication
+    end
+
+    context "HTTP authentication" do
+      context "valid token" do
+        setup do
+          with_token
+          get "/private"
+        end
+        should_return_resource "Shhhh"
+      end
+
+      context "unknown token" do
+        setup do
+          with_token "dingdong"
+          get "/private"
+        end
+        should_fail_authentication :invalid_token
+      end
+
+      context "revoked HTTP token" do
+        setup do
+          Rack::OAuth2::Server::AccessToken.from_token(@token).revoke!
+          with_token
+          get "/private"
+        end
+        should_fail_authentication :invalid_token
+      end
+
+      context "revoked client" do
+        setup do
+          client.revoke!
+          with_token
+          get "/private"
+        end
+        should_fail_authentication :invalid_token
+      end
+    end
+
+    # 5.1.2.  URI Query Parameter
+    
+    context "query parameter" do
+      context "valid token" do
+        setup { get "/private?oauth_token=#{@token}" }
+        should_return_resource "Shhhh"
+      end
+
+      context "invalid token" do
+        setup { get "/private?oauth_token=dingdong" }
+        should_fail_authentication :invalid_token
+      end
+    end
+  end
+  
+  context "POST" do
+    context "no authorization" do
+      setup { post "/change" }
+      should_fail_authentication
+    end
+
+    context "HTTP authentication" do
+      context "valid token" do
+        setup do
+          with_token
+          post "/change"
+        end
+        should_return_resource "Woot!"
+      end
+
+      context "unknown token" do
+        setup do
+          with_token "dingdong"
+          post "/change"
+        end
+        should_fail_authentication :invalid_token
+      end
+
+    end
+
+    # 5.1.3.  Form-Encoded Body Parameter
+
+    context "body parameter" do
+      context "valid token" do
+        setup { post "/change", :oauth_token=>@token }
+        should_return_resource "Woot!"
+      end
+
+      context "invalid token" do
+        setup { post "/change", :oauth_token=>"dingdong" }
+        should_fail_authentication :invalid_token
+      end
+    end
+  end
+
+
+  context "insufficient scope" do
+    context "valid token" do
+      setup { get "/calc?oauth_token=#@token" }
+
+      should "respond with status 403 (Forbidden)" do
+        assert_equal 403, last_response.status
+      end
+      should "respond with authentication method OAuth" do
+        assert_equal "OAuth", last_response["WWW-Authenticate"].split.first
+      end
+      should "respond with realm" do
+        assert_match " realm=\"example.org\"", last_response["WWW-Authenticate"] 
+      end
+      should "respond with error code insufficient_scope" do
+        assert_match " error=\"insufficient_scope\"", last_response["WWW-Authenticate"]
+      end
+      should "respond with scope name" do
+        assert_match " scope=\"math\"", last_response["WWW-Authenticate"]
+      end
+    end
+  end
+
+
+  context "setting resource" do
+    context "authenticated" do
+      setup do
+        with_token
+        get "/user"
+      end
+
+      should "render user name" do
+        assert_equal "Superman", last_response.body
+      end
+    end
+
+    context "not authenticated" do
+      setup do
+        get "/user"
+      end
+
+      should "not render user name" do
+        assert  last_response.body.empty?
+      end
+    end
+  end
+
+  context "list tokens" do
+    setup do
+      @other = Rack::OAuth2::Server::AccessToken.get_token_for("foobar", "read", client.id).token
+      get "/list_tokens"
+    end
+
+    should "return access token" do
+      assert_contains last_response.body.split, @token
+    end
+
+    should "not return other resource's token" do
+      assert !last_response.body.split.include?(@other)
+    end
+  end
+end