RubyGems - rack-oauth2 - Versions diffs - 0.5.1 → 0.6.0.alpha - Mend

rack-oauth2 0.5.1 → 0.6.0.alpha

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

data/VERSION +1 -1
data/lib/rack/oauth2.rb +2 -1
data/lib/rack/oauth2/access_token.rb +30 -0
data/lib/rack/oauth2/access_token/bearer.rb +29 -0
data/lib/rack/oauth2/access_token/mac.rb +109 -0
data/lib/rack/oauth2/access_token/mac/body_hash.rb +15 -0
data/lib/rack/oauth2/access_token/mac/signature.rb +49 -0
data/lib/rack/oauth2/access_token/mac/verifier.rb +43 -0
data/lib/rack/oauth2/server/authorize/code.rb +0 -1
data/lib/rack/oauth2/server/resource.rb +55 -1
data/lib/rack/oauth2/server/resource/bearer.rb +12 -39
data/lib/rack/oauth2/server/resource/bearer/error.rb +5 -60
data/lib/rack/oauth2/server/resource/error.rb +81 -0
data/lib/rack/oauth2/server/resource/mac.rb +39 -0
data/lib/rack/oauth2/server/resource/mac/error.rb +24 -0
data/lib/rack/oauth2/server/token.rb +3 -10
data/lib/rack/oauth2/server/token/refresh_token.rb +0 -2
data/lib/rack/oauth2/util.rb +10 -0
data/spec/fake_response/facebook_token_response.txt +1 -0
data/spec/fake_response/resources/fake.txt +1 -0
data/spec/helpers/time.rb +19 -0
data/spec/rack/oauth2/access_token/bearer_spec.rb +43 -0
data/spec/rack/oauth2/access_token/mac/verifier_spec.rb +23 -0
data/spec/rack/oauth2/access_token/mac_spec.rb +163 -0
data/spec/rack/oauth2/access_token_spec.rb +48 -0
data/spec/rack/oauth2/client_spec.rb +18 -6
data/spec/rack/oauth2/server/resource/bearer/error_spec.rb +9 -87
data/spec/rack/oauth2/server/resource/bearer_spec.rb +40 -69
data/spec/rack/oauth2/server/resource/error_spec.rb +147 -0
data/spec/rack/oauth2/server/resource/mac/error_spec.rb +52 -0
data/spec/rack/oauth2/server/resource/mac_spec.rb +92 -0
data/spec/rack/oauth2/server/resource_spec.rb +23 -0
data/spec/rack/oauth2/server/token/authorization_code_spec.rb +1 -2
data/spec/rack/oauth2/server/token/client_credentials_spec.rb +1 -2
data/spec/rack/oauth2/server/token/password_spec.rb +1 -2
data/spec/rack/oauth2/server/token/refresh_token_spec.rb +1 -2
data/spec/rack/oauth2/server/token_spec.rb +1 -2
data/spec/rack/oauth2/util_spec.rb +10 -0
data/spec/spec_helper.rb +1 -0
metadata +38 -6

data/VERSION CHANGED

	@@ -1 +1 @@
1	- 0.5.1
1	+ 0.6.0.alpha

data/lib/rack/oauth2.rb CHANGED

@@ -6,4 +6,5 @@ require 'attr_required'
 require 'attr_optional'
 require 'rack/oauth2/util'
 require 'rack/oauth2/server'
-require 'rack/oauth2/client'
+require 'rack/oauth2/client'
+require 'rack/oauth2/access_token'

data/lib/rack/oauth2/access_token.rb ADDED

@@ -0,0 +1,30 @@
+module Rack
+  module OAuth2
+    class AccessToken
+      include AttrRequired, AttrOptional
+      attr_required :access_token, :token_type
+      attr_optional :refresh_token, :expires_in, :scope
+      def initialize(attributes = {})
+        (required_attributes + optional_attributes).each do |key|
+          self.send :"#{key}=", attributes[key]
+        end
+        @token_type = self.class.to_s.split('::').last.underscore.to_sym
+        attr_missing!
+      end
+      def token_response(options = {})
+        {
+          :access_token => access_token,
+          :refresh_token => refresh_token,
+          :token_type => token_type,
+          :expires_in => expires_in,
+          :scope => Array(scope).join(' ')
+        }
+      end
+    end
+  end
+end
+require 'rack/oauth2/access_token/bearer'
+require 'rack/oauth2/access_token/mac'

data/lib/rack/oauth2/access_token/bearer.rb ADDED

@@ -0,0 +1,29 @@
+module Rack
+  module OAuth2
+    class AccessToken
+      class Bearer < AccessToken
+        def get(url, headers = {}, &block)
+          RestClient.get url, authenticate(headers), &block
+        end
+        def post(url, payload, headers = {}, &block)
+          RestClient.post url, payload, authenticate(headers), &block
+        end
+        def put(url, payload, headers = {}, &block)
+          RestClient.put url, payload, authenticate(headers), &block
+        end
+        def delete(url, headers = {}, &block)
+          RestClient.delete url, authenticate(headers), &block
+        end
+        private
+        def authenticate(headers)
+          headers.merge(:HTTP_AUTHORIZATION => "Bearer #{access_token}")
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/access_token/mac.rb ADDED

@@ -0,0 +1,109 @@
+module Rack
+  module OAuth2
+    class AccessToken
+      class MAC < AccessToken
+        attr_required :secret, :algorithm
+        attr_optional :timestamp, :nonce, :body_hash, :signature
+        def token_response
+          super.merge(
+            :secret => secret,
+            :algorithm => algorithm
+          )
+        end
+        def verify!(request)
+          if request.body_hash.present?
+            _body_hash_ = BodyHash.new(
+              :raw_body  => request.body.read,
+              :algorithm => self.algorithm
+            )
+            _body_hash_.verify!(request.body_hash)
+          end
+          _signature_ = Signature.new(
+            :token     => request.access_token,
+            :secret    => self.secret,
+            :algorithm => self.algorithm,
+            :timestamp => request.timestamp,
+            :nonce     => request.nonce,
+            :body_hash => request.body_hash,
+            :method    => request.request_method,
+            :host      => request.host,
+            :port      => request.port,
+            :path      => request.path,
+            :query     => request.GET
+          )
+          _signature_.verify!(request.signature)
+        end
+        def get(url, headers = {}, &block)
+          _headers_ = authenticate(:get, url, headers)
+          RestClient.get url, _headers_, &block
+        end
+        def post(url, payload, headers = {}, &block)
+          _headers_ = authenticate(:post, url, headers, payload)
+          RestClient.post url, payload, _headers_, &block
+        end
+        def put(url, payload, headers = {}, &block)
+          _headers_ = authenticate(:put, url, headers, payload)
+          RestClient.put url, payload, _headers_, &block
+        end
+        def delete(url, headers = {}, &block)
+          _headers_ = authenticate(:delete, url, headers)
+          RestClient.delete url, _headers_, &block
+        end
+        private
+        def authenticate(method, url, headers = {}, payload = {})
+          _url_ = URI.parse(url)
+          self.timestamp = Time.now.to_i
+          self.nonce = generate_nonce
+          if payload.present?
+            raw_body = RestClient::Payload.generate(payload).to_s
+            _body_hash_ = BodyHash.new(
+              :raw_body => raw_body,
+              :algorithm => self.algorithm
+            )
+            self.body_hash = _body_hash_.calculate
+          end
+          _signature_ = Signature.new(
+            :token     => self.access_token,
+            :secret    => self.secret,
+            :algorithm => self.algorithm,
+            :timestamp => self.timestamp,
+            :nonce     => self.nonce,
+            :body_hash => self.body_hash,
+            :method    => method,
+            :host      => _url_.host,
+            :port      => _url_.port,
+            :path      => _url_.path,
+            :query     => Rack::Utils.parse_nested_query(_url_.query)
+          )
+          self.signature = _signature_.calculate
+          headers.merge(:HTTP_AUTHORIZATION => authorization_header)
+        end
+        def authorization_header
+          header = "MAC"
+          header << " token=\"#{access_token}\""
+          header << " timestamp=\"#{timestamp}\""
+          header << " nonce=\"#{nonce}\""
+          header << " bodyhash=\"#{body_hash}\"" if self.body_hash.present?
+          header << " signature=\"#{signature}\""
+        end
+        def generate_nonce
+          ActiveSupport::SecureRandom.hex(16)
+        end
+      end
+    end
+  end
+end
+require 'rack/oauth2/access_token/mac/verifier'
+require 'rack/oauth2/access_token/mac/body_hash'
+require 'rack/oauth2/access_token/mac/signature'

data/lib/rack/oauth2/access_token/mac/body_hash.rb ADDED

@@ -0,0 +1,15 @@
+module Rack
+  module OAuth2
+    class AccessToken
+      class MAC
+        class BodyHash < Verifier
+          attr_optional :raw_body
+          def calculate
+            Rack::OAuth2::Util.base64_encode hash_generator.digest(raw_body)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/access_token/mac/signature.rb ADDED

@@ -0,0 +1,49 @@
+module Rack
+  module OAuth2
+    class AccessToken
+      class MAC
+        class Signature < Verifier
+          attr_required :token, :secret, :timestamp, :nonce, :method, :host, :port, :path
+          attr_optional :body_hash, :query
+          def calculate
+            Rack::OAuth2::Util.base64_encode OpenSSL::HMAC.digest(
+              hash_generator,
+              secret,
+              normalized_request_string
+            )
+          end
+          def normalized_request_string
+            arr = [
+              token,
+              secret,
+              algorithm,
+              timestamp,
+              nonce,
+              body_hash,
+              method,
+              host,
+              port,
+              path,
+              normalized_query
+            ]
+            arr.join("\n")
+          end
+          def normalized_query
+            if query.present?
+              query.inject([]) do |result, (key, value)|
+                result << [key, value]
+              end.sort.inject('') do |result, (key, value)|
+                result << "#{Rack::OAuth2::Util.rfc3986_encode key}=#{Rack::OAuth2::Util.rfc3986_encode value}\n"
+              end
+            else
+              query.to_s
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/access_token/mac/verifier.rb ADDED

@@ -0,0 +1,43 @@
+module Rack
+  module OAuth2
+    class AccessToken
+      class MAC
+        class Verifier
+          include AttrRequired, AttrOptional
+          attr_required :algorithm
+          # TODO: rescue this in proper location later
+          class VerificationFailed < StandardError; end
+          def initialize(attributes = {})
+            (required_attributes + optional_attributes).each do |key|
+              self.send :"#{key}=", attributes[key]
+            end
+            attr_missing!
+          end
+          def verify!(expected)
+            if expected == self.calculate
+              :verified
+            else
+              raise VerificationFailed.new("#{self.class.to_s.split('::').last} Invalid")
+            end
+          end
+          private
+          def hash_generator
+            case algorithm.to_s
+            when 'hmac-sha-1'
+              OpenSSL::Digest::SHA1.new
+            when 'hmac-sha-256'
+              OpenSSL::Digest::SHA256.new
+            else
+              raise 'Unsupported Algorithm'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/authorize/code.rb CHANGED

@@ -3,7 +3,6 @@ module Rack
     module Server
       class Authorize
         class Code < Abstract::Handler
           def call(env)
             @request  = Request.new env
             @response = Response.new request

data/lib/rack/oauth2/server/resource.rb CHANGED

@@ -1 +1,55 @@
-require 'rack/oauth2/server/resource/bearer'
+module Rack
+  module OAuth2
+    module Server
+      class Resource < Abstract::Handler
+        ACCESS_TOKEN = 'rack.oauth2.access_token'
+        DEFAULT_REALM = 'Protected by OAuth 2.0'
+        attr_accessor :realm, :request
+        def initialize(app, realm = nil, &authenticator)
+          @app = app
+          @realm = realm
+          super &authenticator
+        end
+        def call(env)
+          if request.oauth2?
+            authenticate! request.setup!
+            env[ACCESS_TOKEN] = request.access_token
+          end
+          @app.call(env)
+        rescue Rack::OAuth2::Server::Abstract::Error => e
+          e.realm ||= realm
+          e.finish
+        end
+        private
+        def authenticate!(request)
+          @authenticator.call(request)
+        end
+        class Request < Rack::Request
+          attr_reader :access_token
+          def initialize(env)
+            @env = env
+            @auth_header = Rack::Auth::AbstractRequest.new(env)
+          end
+          def setup!
+            raise 'Define me!'
+          end
+          def oauth2?
+            raise 'Define me!'
+          end
+        end
+      end
+    end
+  end
+end
+require 'rack/oauth2/server/resource/error'
+require 'rack/oauth2/server/resource/bearer'
+require 'rack/oauth2/server/resource/mac'

data/lib/rack/oauth2/server/resource/bearer.rb CHANGED

@@ -1,56 +1,29 @@
 module Rack
   module OAuth2
     module Server
-      module Resource
-        class Bearer < Abstract::Handler
-          ACCESS_TOKEN = 'rack.oauth2.bearer_token'
-          DEFAULT_REALM = 'Bearer Token Required'
-          attr_accessor :realm
-          def initialize(app, realm = nil,&authenticator)
-            @app = app
-            @realm = realm
-            super(&authenticator)
-          end
+      class Resource
+        class Bearer < Resource
           def call(env)
-            request = Request.new(env)
-            if request.bearer?
-              authenticate!(request)
-              env[ACCESS_TOKEN] = request.access_token
-            end
-            @app.call(env)
-          rescue Rack::OAuth2::Server::Abstract::Error => e
-            e.realm ||= realm
-            e.finish
+            self.request = Request.new(env)
+            super
           end
           private
-          def authenticate!(request)
-            @authenticator.call(request)
-          end
-          class Request < Rack::Request
-            def initialize(env)
-              @env = env
-              @auth_header = Rack::Auth::AbstractRequest.new(env)
-            end
-            def bearer?
-              access_token.present?
-            end
-            def access_token
+          class Request < Resource::Request
+            def setup!
               tokens = [access_token_in_haeder, access_token_in_payload].compact
-              case Array(tokens).size
-              when 0
-                nil
+              @access_token = case Array(tokens).size
               when 1
                 tokens.first
               else
                 invalid_request!('Both Authorization header and payload includes access token.')
               end
+              self
+            end
+            def oauth2?
+              (access_token_in_haeder || access_token_in_payload).present?
             end
             def access_token_in_haeder

data/lib/rack/oauth2/server/resource/bearer/error.rb CHANGED

@@ -1,74 +1,19 @@
 module Rack
   module OAuth2
     module Server
-      module Resource
+      class Resource
         class Bearer
-          class BadRequest < Abstract::BadRequest
-          end
-          class Unauthorized < Abstract::Unauthorized
-            def finish
-              super do |response|
-                self.realm ||= DEFAULT_REALM
-                header = response.header['WWW-Authenticate'] = "Bearer realm=\"#{realm}\""
-                if ErrorMethods::DEFAULT_DESCRIPTION.keys.include?(error)
-                  header << " error=\"#{error}\""
-                  header << " error_description=\"#{description}\"" if description.present?
-                  header << " error_uri=\"#{uri}\""                 if uri.present?
-                end
-              end
-            end
-          end
-          class Forbidden < Abstract::Forbidden
-            attr_accessor :scope
-            def initialize(error = :forbidden, description = nil, options = {})
-              super
-              @scope = options[:scope]
-            end
-            def protocol_params
-              super.merge(:scope => Array(scope).join(' '))
+          class Unauthorized < Resource::Unauthorized
+            def scheme
+              :Bearer
             end
           end
           module ErrorMethods
-            DEFAULT_DESCRIPTION = {
-              :invalid_request => "The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed.",
-              :invalid_token => "The access token provided is expired, revoked, malformed or invalid for other reasons.",
-              :insufficient_scope => "The request requires higher privileges than provided by the access token."
-            }
-            def self.included(klass)
-              DEFAULT_DESCRIPTION.each do |error, default_description|
-                error_method = case error
-                when :invalid_request
-                  :bad_request!
-                when :insufficient_scope
-                  :forbidden!
-                else
-                  :unauthorized!
-                end
-                klass.class_eval <<-ERROR
-                  def #{error}!(description = "#{default_description}", options = {})
-                    #{error_method} :#{error}, description, options
-                  end
-                ERROR
-              end
-            end
-            def bad_request!(error, description = nil, options = {})
-              raise BadRequest.new(error, description, options)
-            end
+            include Resource::ErrorMethods
             def unauthorized!(error = nil, description = nil, options = {})
               raise Unauthorized.new(error, description, options)
             end
-            def forbidden!(error, description = nil, options = {})
-              raise Forbidden.new(error, description, options)
-            end
           end
           Request.send :include, ErrorMethods