rack-oauth2 0.5.1 → 0.6.0.alpha

data/VERSION

@@ -1 +1 @@
-0.5.1
+0.6.0.alpha

data/lib/rack/oauth2.rb

@@ -6,4 +6,5 @@ require 'attr_required'
 require 'attr_optional'
 require 'rack/oauth2/util'
 require 'rack/oauth2/server'
-require 'rack/oauth2/client'
+require 'rack/oauth2/client'
+require 'rack/oauth2/access_token'

data/lib/rack/oauth2/access_token.rb

@@ -0,0 +1,30 @@
+module Rack
+  module OAuth2
+    class AccessToken
+      include AttrRequired, AttrOptional
+      attr_required :access_token, :token_type
+      attr_optional :refresh_token, :expires_in, :scope
+
+      def initialize(attributes = {})
+        (required_attributes + optional_attributes).each do |key|
+          self.send :"#{key}=", attributes[key]
+        end
+        @token_type = self.class.to_s.split('::').last.underscore.to_sym
+        attr_missing!
+      end
+
+      def token_response(options = {})
+        {
+          :access_token => access_token,
+          :refresh_token => refresh_token,
+          :token_type => token_type,
+          :expires_in => expires_in,
+          :scope => Array(scope).join(' ')
+        }
+      end
+    end
+  end
+end
+
+require 'rack/oauth2/access_token/bearer'
+require 'rack/oauth2/access_token/mac'

data/lib/rack/oauth2/access_token/bearer.rb

@@ -0,0 +1,29 @@
+module Rack
+  module OAuth2
+    class AccessToken
+      class Bearer < AccessToken
+        def get(url, headers = {}, &block)
+          RestClient.get url, authenticate(headers), &block
+        end
+
+        def post(url, payload, headers = {}, &block)
+          RestClient.post url, payload, authenticate(headers), &block
+        end
+
+        def put(url, payload, headers = {}, &block)
+          RestClient.put url, payload, authenticate(headers), &block
+        end
+
+        def delete(url, headers = {}, &block)
+          RestClient.delete url, authenticate(headers), &block
+        end
+
+        private
+
+        def authenticate(headers)
+          headers.merge(:HTTP_AUTHORIZATION => "Bearer #{access_token}")
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/access_token/mac.rb

@@ -0,0 +1,109 @@
+module Rack
+  module OAuth2
+    class AccessToken
+      class MAC < AccessToken
+        attr_required :secret, :algorithm
+        attr_optional :timestamp, :nonce, :body_hash, :signature
+
+        def token_response
+          super.merge(
+            :secret => secret,
+            :algorithm => algorithm
+          )
+        end
+
+        def verify!(request)
+          if request.body_hash.present?
+            _body_hash_ = BodyHash.new(
+              :raw_body  => request.body.read,
+              :algorithm => self.algorithm
+            )
+            _body_hash_.verify!(request.body_hash)
+          end
+          _signature_ = Signature.new(
+            :token     => request.access_token,
+            :secret    => self.secret,
+            :algorithm => self.algorithm,
+            :timestamp => request.timestamp,
+            :nonce     => request.nonce,
+            :body_hash => request.body_hash,
+            :method    => request.request_method,
+            :host      => request.host,
+            :port      => request.port,
+            :path      => request.path,
+            :query     => request.GET
+          )
+          _signature_.verify!(request.signature)
+        end
+
+        def get(url, headers = {}, &block)
+          _headers_ = authenticate(:get, url, headers)
+          RestClient.get url, _headers_, &block
+        end
+
+        def post(url, payload, headers = {}, &block)
+          _headers_ = authenticate(:post, url, headers, payload)
+          RestClient.post url, payload, _headers_, &block
+        end
+
+        def put(url, payload, headers = {}, &block)
+          _headers_ = authenticate(:put, url, headers, payload)
+          RestClient.put url, payload, _headers_, &block
+        end
+
+        def delete(url, headers = {}, &block)
+          _headers_ = authenticate(:delete, url, headers)
+          RestClient.delete url, _headers_, &block
+        end
+
+        private
+
+        def authenticate(method, url, headers = {}, payload = {})
+          _url_ = URI.parse(url)
+          self.timestamp = Time.now.to_i
+          self.nonce = generate_nonce
+          if payload.present?
+            raw_body = RestClient::Payload.generate(payload).to_s
+            _body_hash_ = BodyHash.new(
+              :raw_body => raw_body,
+              :algorithm => self.algorithm
+            )
+            self.body_hash = _body_hash_.calculate
+          end
+          _signature_ = Signature.new(
+            :token     => self.access_token,
+            :secret    => self.secret,
+            :algorithm => self.algorithm,
+            :timestamp => self.timestamp,
+            :nonce     => self.nonce,
+            :body_hash => self.body_hash,
+            :method    => method,
+            :host      => _url_.host,
+            :port      => _url_.port,
+            :path      => _url_.path,
+            :query     => Rack::Utils.parse_nested_query(_url_.query)
+          )
+          self.signature = _signature_.calculate
+          headers.merge(:HTTP_AUTHORIZATION => authorization_header)
+        end
+
+        def authorization_header
+          header = "MAC"
+          header << " token=\"#{access_token}\""
+          header << " timestamp=\"#{timestamp}\""
+          header << " nonce=\"#{nonce}\""
+          header << " bodyhash=\"#{body_hash}\"" if self.body_hash.present?
+          header << " signature=\"#{signature}\""
+        end
+
+        def generate_nonce
+          ActiveSupport::SecureRandom.hex(16)
+        end
+      end
+    end
+  end
+end
+
+require 'rack/oauth2/access_token/mac/verifier'
+require 'rack/oauth2/access_token/mac/body_hash'
+require 'rack/oauth2/access_token/mac/signature'

data/lib/rack/oauth2/access_token/mac/body_hash.rb

@@ -0,0 +1,15 @@
+module Rack
+  module OAuth2
+    class AccessToken
+      class MAC
+        class BodyHash < Verifier
+          attr_optional :raw_body
+
+          def calculate
+            Rack::OAuth2::Util.base64_encode hash_generator.digest(raw_body)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/access_token/mac/signature.rb

@@ -0,0 +1,49 @@
+module Rack
+  module OAuth2
+    class AccessToken
+      class MAC
+        class Signature < Verifier
+          attr_required :token, :secret, :timestamp, :nonce, :method, :host, :port, :path
+          attr_optional :body_hash, :query
+
+          def calculate
+            Rack::OAuth2::Util.base64_encode OpenSSL::HMAC.digest(
+              hash_generator,
+              secret,
+              normalized_request_string
+            )
+          end
+
+          def normalized_request_string
+            arr = [
+              token,
+              secret,
+              algorithm,
+              timestamp,
+              nonce,
+              body_hash,
+              method,
+              host,
+              port,
+              path,
+              normalized_query
+            ]
+            arr.join("\n")
+          end
+
+          def normalized_query
+            if query.present?
+              query.inject([]) do |result, (key, value)|
+                result << [key, value]
+              end.sort.inject('') do |result, (key, value)|
+                result << "#{Rack::OAuth2::Util.rfc3986_encode key}=#{Rack::OAuth2::Util.rfc3986_encode value}\n"
+              end
+            else
+              query.to_s
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/access_token/mac/verifier.rb

@@ -0,0 +1,43 @@
+module Rack
+  module OAuth2
+    class AccessToken
+      class MAC
+        class Verifier
+          include AttrRequired, AttrOptional
+          attr_required :algorithm
+
+          # TODO: rescue this in proper location later
+          class VerificationFailed < StandardError; end
+
+          def initialize(attributes = {})
+            (required_attributes + optional_attributes).each do |key|
+              self.send :"#{key}=", attributes[key]
+            end
+            attr_missing!
+          end
+
+          def verify!(expected)
+            if expected == self.calculate
+              :verified
+            else
+              raise VerificationFailed.new("#{self.class.to_s.split('::').last} Invalid")
+            end
+          end
+
+          private
+
+          def hash_generator
+            case algorithm.to_s
+            when 'hmac-sha-1'
+              OpenSSL::Digest::SHA1.new
+            when 'hmac-sha-256'
+              OpenSSL::Digest::SHA256.new
+            else
+              raise 'Unsupported Algorithm'
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/authorize/code.rb

@@ -3,7 +3,6 @@ module Rack
     module Server
       class Authorize
         class Code < Abstract::Handler
-
           def call(env)
             @request  = Request.new env
             @response = Response.new request

data/lib/rack/oauth2/server/resource.rb

@@ -1 +1,55 @@
-require 'rack/oauth2/server/resource/bearer'
+module Rack
+  module OAuth2
+    module Server
+      class Resource < Abstract::Handler
+        ACCESS_TOKEN = 'rack.oauth2.access_token'
+        DEFAULT_REALM = 'Protected by OAuth 2.0'
+        attr_accessor :realm, :request
+
+        def initialize(app, realm = nil, &authenticator)
+          @app = app
+          @realm = realm
+          super &authenticator
+        end
+
+        def call(env)
+          if request.oauth2?
+            authenticate! request.setup!
+            env[ACCESS_TOKEN] = request.access_token
+          end
+          @app.call(env)
+        rescue Rack::OAuth2::Server::Abstract::Error => e
+          e.realm ||= realm
+          e.finish
+        end
+
+        private
+
+        def authenticate!(request)
+          @authenticator.call(request)
+        end
+
+        class Request < Rack::Request
+          attr_reader :access_token
+
+          def initialize(env)
+            @env = env
+            @auth_header = Rack::Auth::AbstractRequest.new(env)
+          end
+
+          def setup!
+            raise 'Define me!'
+          end
+
+          def oauth2?
+            raise 'Define me!'
+          end
+        end
+      end
+    end
+  end
+end
+
+require 'rack/oauth2/server/resource/error'
+require 'rack/oauth2/server/resource/bearer'
+require 'rack/oauth2/server/resource/mac'

data/lib/rack/oauth2/server/resource/bearer.rb

@@ -1,56 +1,29 @@
 module Rack
   module OAuth2
     module Server
-      module Resource
-        class Bearer < Abstract::Handler
-          ACCESS_TOKEN = 'rack.oauth2.bearer_token'
-          DEFAULT_REALM = 'Bearer Token Required'
-          attr_accessor :realm
-
-          def initialize(app, realm = nil,&authenticator)
-            @app = app
-            @realm = realm
-            super(&authenticator)
-          end
-
+      class Resource
+        class Bearer < Resource
           def call(env)
-            request = Request.new(env)
-            if request.bearer?
-              authenticate!(request)
-              env[ACCESS_TOKEN] = request.access_token
-            end
-            @app.call(env)
-          rescue Rack::OAuth2::Server::Abstract::Error => e
-            e.realm ||= realm
-            e.finish
+            self.request = Request.new(env)
+            super
           end
 
           private
 
-          def authenticate!(request)
-            @authenticator.call(request)
-          end
-
-          class Request < Rack::Request
-            def initialize(env)
-              @env = env
-              @auth_header = Rack::Auth::AbstractRequest.new(env)
-            end
-
-            def bearer?
-              access_token.present?
-            end
-
-            def access_token
+          class Request < Resource::Request
+            def setup!
               tokens = [access_token_in_haeder, access_token_in_payload].compact
-              case Array(tokens).size
-              when 0
-                nil
+              @access_token = case Array(tokens).size
               when 1
                 tokens.first
               else
                 invalid_request!('Both Authorization header and payload includes access token.')
               end
+              self
+            end
+
+            def oauth2?
+              (access_token_in_haeder || access_token_in_payload).present?
             end
 
             def access_token_in_haeder

data/lib/rack/oauth2/server/resource/bearer/error.rb

@@ -1,74 +1,19 @@
 module Rack
   module OAuth2
     module Server
-      module Resource
+      class Resource
         class Bearer
-          class BadRequest < Abstract::BadRequest
-          end
-
-          class Unauthorized < Abstract::Unauthorized
-            def finish
-              super do |response|
-                self.realm ||= DEFAULT_REALM
-                header = response.header['WWW-Authenticate'] = "Bearer realm=\"#{realm}\""
-                if ErrorMethods::DEFAULT_DESCRIPTION.keys.include?(error)
-                  header << " error=\"#{error}\""
-                  header << " error_description=\"#{description}\"" if description.present?
-                  header << " error_uri=\"#{uri}\""                 if uri.present?
-                end
-              end
-            end
-          end
-
-          class Forbidden < Abstract::Forbidden
-            attr_accessor :scope
-
-            def initialize(error = :forbidden, description = nil, options = {})
-              super
-              @scope = options[:scope]
-            end
-
-            def protocol_params
-              super.merge(:scope => Array(scope).join(' '))
+          class Unauthorized < Resource::Unauthorized
+            def scheme
+              :Bearer
             end
           end
 
           module ErrorMethods
-            DEFAULT_DESCRIPTION = {
-              :invalid_request => "The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed.",
-              :invalid_token => "The access token provided is expired, revoked, malformed or invalid for other reasons.",
-              :insufficient_scope => "The request requires higher privileges than provided by the access token."
-            }
-
-            def self.included(klass)
-              DEFAULT_DESCRIPTION.each do |error, default_description|
-                error_method = case error
-                when :invalid_request
-                  :bad_request!
-                when :insufficient_scope
-                  :forbidden!
-                else
-                  :unauthorized!
-                end
-                klass.class_eval <<-ERROR
-                  def #{error}!(description = "#{default_description}", options = {})
-                    #{error_method} :#{error}, description, options
-                  end
-                ERROR
-              end
-            end
-
-            def bad_request!(error, description = nil, options = {})
-              raise BadRequest.new(error, description, options)
-            end
-
+            include Resource::ErrorMethods
             def unauthorized!(error = nil, description = nil, options = {})
               raise Unauthorized.new(error, description, options)
             end
-
-            def forbidden!(error, description = nil, options = {})
-              raise Forbidden.new(error, description, options)
-            end
           end
 
           Request.send :include, ErrorMethods