rack-oauth2-server 1.2.2 → 1.3.0

data/lib/rack/oauth2/server/admin.rb

@@ -0,0 +1,216 @@
+require "sinatra/base"
+require "json"
+require "rack/oauth2/sinatra"
+
+module Rack
+  module OAuth2
+    class Server
+      class Admin < ::Sinatra::Base
+
+        class << self
+
+          # Rack module that mounts the specified class on the specified path,
+          # and passes all other request to the application.
+          class Mount
+            class << self
+              def mount(klass, path)
+                @klass = klass
+                @path = path
+                @match = /^#{Regexp.escape(path)}\/(.*)$/
+              end
+
+              attr_reader :klass, :path, :match
+            end
+
+            def initialize(app)
+              @pass = app
+              @admin = self.class.klass.new
+            end
+
+            def call(env)
+              path = env["PATH_INFO"].to_s
+              script_name = env['SCRIPT_NAME']
+              if path =~ self.class.match && rest = $1
+                env.merge! "SCRIPT_NAME"=>(script_name + self.class.path), "PATH_INFO"=>"/#{rest}"
+                return @admin.call(env)
+              else
+                return @pass.call(env)
+              end
+            end
+          end
+
+          # Returns Rack handle that mounts Admin on the specified path, and
+          # forwards all other requests back to the application.
+          #
+          # @param [String, nil] path The path to mount on, defaults to
+          # /oauth/admin
+          # @return [Object] Rack module
+          #
+          # @example To include admin console in Rails 2.x app
+          #   config.middleware.use Rack::OAuth2::Server::Admin.mount
+          def mount(path = "/oauth/admin")
+            mount = Class.new(Mount)
+            mount.mount Admin, "/oauth/admin"
+            mount
+          end
+
+        end
+
+        # Need client ID to get access token to access this console.
+        set :client_id, nil
+        # Need client secret to get access token to access this console.
+        set :client_secret, nil
+        # Use this URL to authorize access to this console. If not set, goes to
+        # /oauth/authorize.
+        set :authorize, nil
+
+        # Number of tokens to return in each page.
+        set :tokens_per_page, 100
+        set :public, ::File.dirname(__FILE__) + "/../admin"
+        mime_type :js, "text/javascript"
+        mime_type :tmpl, "text/x-jquery-template"
+
+
+        helpers Rack::OAuth2::Sinatra::Helpers
+        extend Rack::OAuth2::Sinatra
+        use Rack::OAuth2::Server
+
+        # Force HTTPS except for development environment.
+        before do
+          redirect request.url.sub(/^http:/, "https:") unless request.scheme == "https"
+        end unless development?
+
+
+
+        # -- Static content --
+
+        # It's a single-page app, this is that single page.
+        get "/" do
+          send_file settings.public + "/views/index.html"
+        end
+
+        # Service JavaScript, CSS and jQuery templates from the gem.
+        %w{js css views}.each do |path|
+          get "/#{path}/:name" do
+            send_file settings.public + "/#{path}/" + params[:name]
+          end
+        end
+
+
+        # -- Getting an access token --
+
+        # To get an OAuth token, you need client ID and secret, two values we
+        # didn't pass on to the JavaScript code, so it has no way to request
+        # authorization directly. Instead, it redirects to this URL which in turn
+        # redirects to the authorization endpoint. This redirect does accept the
+        # state parameter, which will be returned after authorization.
+        get "/authorize" do
+          redirect_uri = "#{request.scheme}://#{request.host}:#{request.port}#{request.script_name}"
+          query = { :client_id=>settings.client_id, :client_secret=>settings.client_secret, :state=>params[:state],
+                    :response_type=>"token", :scope=>"oauth-admin", :redirect_uri=>redirect_uri }
+          auth_url = settings.authorize || "#{request.scheme}://#{request.host}:#{request.port}/oauth/authorize"
+          redirect "#{auth_url}?#{Rack::Utils.build_query(query)}"
+        end
+
+
+        # -- API --
+       
+        oauth_required "/api/clients", "/api/client/:id", "/api/client/:id/revoke", "/api/token/:token/revoke", :scope=>"oauth-admin"
+
+        get "/api/clients" do
+          content_type "application/json"
+          json = { :list=>Server::Client.all.map { |client| client_as_json(client) },
+                   :tokens=>{ :total=>Server::AccessToken.count, :week=>Server::AccessToken.count(:days=>7),
+                              :revoked=>Server::AccessToken.count(:days=>7, :revoked=>true) } }
+          json.to_json
+        end
+
+        post "/api/clients" do
+          begin
+            client = Server::Client.create(validate_params(params))
+            redirect "#{request.script_name}/api/client/#{client.id}"
+          rescue
+            halt 400, $!.message
+          end
+        end
+
+        get "/api/client/:id" do
+          content_type "application/json"
+          client = Server::Client.find(params[:id])
+          json = client_as_json(client, true)
+
+          page = [params[:page].to_i, 1].max
+          offset = (page - 1) * settings.tokens_per_page
+          total = Server::AccessToken.count(:client_id=>client.id)
+          tokens = Server::AccessToken.for_client(params[:id], offset, settings.tokens_per_page)
+          json[:tokens] = { :list=>tokens.map { |token| token_as_json(token) } }
+          json[:tokens][:total] = total
+          json[:tokens][:page] = page
+          json[:tokens][:next] = "#{request.script_name}/client/#{params[:id]}?page=#{page + 1}" if total > page * settings.tokens_per_page
+          json[:tokens][:previous] = "#{request.script_name}/client/#{params[:id]}?page=#{page - 1}" if page > 1
+          json[:tokens][:total] = Server::AccessToken.count(:client_id=>client.id)
+          json[:tokens][:week] = Server::AccessToken.count(:client_id=>client.id, :days=>7)
+          json[:tokens][:revoked] = Server::AccessToken.count(:client_id=>client.id, :days=>7, :revoked=>true)
+
+          json.to_json
+        end
+
+        put "/api/client/:id" do
+          client = Server::Client.find(params[:id])
+          begin
+            client.update validate_params(params)
+            redirect "#{request.script_name}/api/client/#{client.id}"
+          rescue
+            halt 400, $!.message
+          end
+        end
+
+        post "/api/client/:id/revoke" do
+          client = Server::Client.find(params[:id])
+          client.revoke!
+          200
+        end
+
+        post "/api/token/:token/revoke" do
+          token = Server::AccessToken.from_token(params[:token])
+          token.revoke!
+          200
+        end
+
+        helpers do
+          def validate_params(params)
+            display_name = params[:displayName].to_s.strip
+            halt 400, "Missing display name" if display_name.empty?
+            link = URI.parse(params[:link].to_s.strip).normalize rescue nil
+            halt 400, "Link is not a URL (must be http://....)" unless link
+            halt 400, "Link must be an absolute URL with HTTP/S scheme" unless link.absolute? && %{http https}.include?(link.scheme)
+            redirect_uri = URI.parse(params[:redirectUri].to_s.strip).normalize rescue nil
+            halt 400, "Redirect URL is not a URL (must be http://....)" unless redirect_uri
+            halt 400, "Redirect URL must be an absolute URL with HTTP/S scheme" unless
+              redirect_uri.absolute? && %{http https}.include?(redirect_uri.scheme)
+            if image_url = URI.parse(params[:imageUrl].to_s.strip).normalize rescue nil
+              halt 400, "Image URL must be an absolute URL with HTTP/S scheme" unless
+                image_url.absolute? && %{http https}.include?(image_url.scheme)
+            end
+            { :display_name=>display_name, :link=>link.to_s, :image_url=>image_url.to_s, :redirect_uri=>redirect_uri.to_s }
+          end
+
+          def client_as_json(client, with_stats = false)
+            { "id"=>client.id.to_s, "secret"=>client.secret, :redirectUri=>client.redirect_uri,
+              :displayName=>client.display_name, :link=>client.link, :imageUrl=>client.image_url,
+              :url=>"#{request.script_name}/api/client/#{client.id}",
+              :revoke=>"#{request.script_name}/api/client/#{client.id}/revoke",
+              :created=>client.created_at, :revoked=>client.revoked }
+          end
+
+          def token_as_json(token)
+            { :token=>token.token, :identity=>token.identity, :scope=>token.scope, :created=>token.created_at,
+              :expired=>token.expires_at, :revoked=>token.revoked,
+              :revoke=>"#{request.script_name}/api/token/#{token.token}/revoke" }
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/helper.rb

@@ -66,7 +66,7 @@ module Rack
         #
         # @return 401
         def no_access!
-          @response["oauth.no_access"] = true
+          @response["oauth.no_access"] = "true"
           @response.status = 401
         end
         
@@ -77,7 +77,7 @@ module Rack
         # @param [String] scope The missing scope, e.g. "read"
         # @return 403
         def no_scope!(scope)
-          @response["oauth.no_scope"] = scope
+          @response["oauth.no_scope"] = scope.to_s
           @response.status = 403
         end
 
@@ -106,7 +106,7 @@ module Rack
         # @param [String] identity Identity string
         # @return 200
         def grant!(authorization, identity)
-          @response["oauth.authorization"] = authorization
+          @response["oauth.authorization"] = authorization.to_s
           @response["oauth.identity"] = identity.to_s
           @response.status = 200
         end
@@ -118,7 +118,7 @@ module Rack
         # @param [String] authorization Authorization handle
         # @return 401
         def deny!(authorization)
-          @response["oauth.authorization"] = authorization
+          @response["oauth.authorization"] = authorization.to_s
           @response.status = 401
         end
 

data/lib/rack/oauth2/sinatra.rb

@@ -42,10 +42,10 @@ module Rack
           before path do
             if oauth.authenticated?
               if scope && !oauth.scope.include?(scope)
-                oauth.no_scope! scope
+                halt oauth.no_scope! scope
               end
             else
-              oauth.no_access!
+              halt oauth.no_access!
             end
           end
         end

data/rack-oauth2-server.gemspec

@@ -1,9 +1,8 @@
 $: << File.dirname(__FILE__) + "/lib"
-require "rack/oauth2/server/version"
 
 Gem::Specification.new do |spec|
   spec.name           = "rack-oauth2-server"
-  spec.version        = Rack::OAuth2::Server::VERSION
+  spec.version        = IO.read("VERSION")
   spec.author         = "Assaf Arkin"
   spec.email          = "assaf@labnotes.org"
   spec.homepage       = "http://github.com/assaf/#{spec.name}"
@@ -11,7 +10,7 @@ Gem::Specification.new do |spec|
   spec.description    = "Because you don't allow strangers into your app, and OAuth 2.0 is the new awesome."
   spec.post_install_message = ""
 
-  spec.files          = Dir["{bin,lib,rails,test}/**/*", "CHANGELOG", "MIT-LICENSE", "README.rdoc", "Rakefile", "Gemfile", "*.gemspec"]
+  spec.files          = Dir["{bin,lib,rails,test}/**/*", "CHANGELOG", "VERSION", "MIT-LICENSE", "README.rdoc", "Rakefile", "Gemfile", "*.gemspec"]
 
   spec.has_rdoc         = true
   spec.extra_rdoc_files = "README.rdoc", "CHANGELOG"

data/test/admin/api_test.rb

@@ -0,0 +1,196 @@
+require "test/setup"
+
+class AdminApiTest < Test::Unit::TestCase
+  module Helpers
+    def should_fail_authentication
+      should "respond with status 401 (Unauthorized)" do
+        assert_equal 401, last_response.status
+      end
+    end
+
+    def should_forbid_access
+      should "respond with status 403 (Forbidden)" do
+        assert_equal 403, last_response.status
+      end
+    end
+  end
+  extend Helpers
+
+
+  def setup
+    super
+  end
+
+  def without_scope
+    token = Rack::OAuth2::Server::AccessToken.get_token_for("Superman", "nobody", client.id)
+    header "Authorization", "OAuth #{token.token}"
+  end
+
+  def with_scope
+    token = Rack::OAuth2::Server::AccessToken.get_token_for("Superman", "oauth-admin", client.id)
+    header "Authorization", "OAuth #{token.token}"
+  end
+
+  def json
+    JSON.parse(last_response.body)
+  end
+
+
+  # -- /oauth/admin/api/clients
+
+  context "all clients" do
+    context "without authentication" do
+      setup { get "/oauth/admin/api/clients" }
+      should_fail_authentication
+    end
+
+    context "without scope" do
+      setup { without_scope ; get "/oauth/admin/api/clients" }
+      should_forbid_access
+    end
+
+    context "with scope" do
+      setup { with_scope ; get "/oauth/admin/api/clients" }
+      should "return OK" do
+        assert_equal 200, last_response.status
+      end
+      should "return JSON document" do
+        assert_equal "application/json;charset=utf-8", last_response.content_type
+      end
+      should "return list of clients" do
+        assert Array === json["list"]
+      end
+    end
+
+    context "client" do
+      setup do
+        with_scope
+        get "/oauth/admin/api/clients"
+        @first = json["list"].first
+      end
+
+      should "provide client identifier" do
+        assert_equal client.id.to_s, @first["id"]
+      end
+      should "provide client secret" do
+        assert_equal client.secret, @first["secret"]
+      end
+      should "provide redirect URI" do
+        assert_equal client.redirect_uri, @first["redirectUri"]
+      end
+      should "provide display name" do
+        assert_equal client.display_name, @first["displayName"]
+      end
+      should "provide site URL" do
+        assert_equal client.link, @first["link"]
+      end
+      should "provide image URL" do
+        assert_equal client.image_url, @first["imageUrl"]
+      end
+      should "provide created timestamp" do
+        assert_equal client.created_at.to_i, @first["created"]
+      end
+      should "provide link to client resource"do
+        assert_equal ["/oauth/admin/api/client", client.id].join("/"), @first["url"]
+      end
+      should "provide link to revoke resource"do
+        assert_equal ["/oauth/admin/api/client", client.id, "revoke"].join("/"), @first["revoke"]
+      end
+      should "tell if not revoked" do
+        assert @first["revoked"].nil?
+      end
+    end
+
+    context "revoked client" do
+      setup do
+        client.revoke!
+        with_scope
+        get "/oauth/admin/api/clients"
+        @first = json["list"].first
+      end
+
+      should "provide revoked timestamp" do
+        assert_equal client.revoked.to_i, @first["revoked"]
+      end
+    end
+
+    context "tokens" do
+      setup do
+        tokens = []
+        1.upto(10).map do |days|
+          Timecop.travel -days*86400 do
+            tokens << Rack::OAuth2::Server::AccessToken.get_token_for("Superman", days.to_s, client.id)
+          end
+        end
+        # Revoke one token today (within past 7 days), one 10 days ago (beyond)
+        tokens.first.revoke!
+        tokens.last.revoke!
+        with_scope ; get "/oauth/admin/api/clients"
+      end
+
+      should "return total number of tokens" do
+        assert_equal 11, json["tokens"]["total"]
+      end
+      should "return number of tokens created past week" do
+        assert_equal 7, json["tokens"]["week"]
+      end
+      should "return number of revoked token past week" do
+        assert_equal 1, json["tokens"]["revoked"]
+      end
+    end
+  end
+
+
+  # -- /oauth/admin/api/client/:id
+
+  context "single client" do
+    context "without authentication" do
+      setup { get "/oauth/admin/api/client/#{client.id}" }
+      should_fail_authentication
+    end
+
+    context "without scope" do
+      setup { without_scope ; get "/oauth/admin/api/client/#{client.id}" }
+      should_forbid_access
+    end
+
+    context "with scope" do
+      setup { with_scope ; get "/oauth/admin/api/client/#{client.id}" }
+
+      should "return OK" do
+        assert_equal 200, last_response.status
+      end
+      should "return JSON document" do
+        assert_equal "application/json;charset=utf-8", last_response.content_type
+      end
+      should "provide client identifier" do
+        assert_equal client.id.to_s, json["id"]
+      end
+      should "provide client secret" do
+        assert_equal client.secret, json["secret"]
+      end
+      should "provide redirect URI" do
+        assert_equal client.redirect_uri, json["redirectUri"]
+      end
+      should "provide display name" do
+        assert_equal client.display_name, json["displayName"]
+      end
+      should "provide site URL" do
+        assert_equal client.link, json["link"]
+      end
+      should "provide image URL" do
+        assert_equal client.image_url, json["imageUrl"]
+      end
+      should "provide created timestamp" do
+        assert_equal client.created_at.to_i, json["created"]
+      end
+      should "provide link to client resource"do
+        assert_equal ["/oauth/admin/api/client", client.id].join("/"), json["url"]
+      end
+      should "provide link to revoke resource"do
+        assert_equal ["/oauth/admin/api/client", client.id, "revoke"].join("/"), json["revoke"]
+      end
+    end
+  end
+
+end