rack-oauth2 0.5.1 → 0.6.0.alpha

data/lib/rack/oauth2/server/resource/error.rb

@@ -0,0 +1,81 @@
+module Rack
+  module OAuth2
+    module Server
+      class Resource
+        class BadRequest < Abstract::BadRequest
+        end
+
+        class Unauthorized < Abstract::Unauthorized
+          def scheme
+            raise 'Define me!'
+          end
+
+          def finish
+            super do |response|
+              self.realm ||= DEFAULT_REALM
+              header = response.header['WWW-Authenticate'] = "#{scheme} realm=\"#{realm}\""
+              if ErrorMethods::DEFAULT_DESCRIPTION.keys.include?(error)
+                header << " error=\"#{error}\""
+                header << " error_description=\"#{description}\"" if description.present?
+                header << " error_uri=\"#{uri}\""                 if uri.present?
+              end
+            end
+          end
+        end
+
+        class Forbidden < Abstract::Forbidden
+          attr_accessor :scope
+
+          def initialize(error = :forbidden, description = nil, options = {})
+            super
+            @scope = options[:scope]
+          end
+
+          def protocol_params
+            super.merge(:scope => Array(scope).join(' '))
+          end
+        end
+
+        module ErrorMethods
+          DEFAULT_DESCRIPTION = {
+            :invalid_request => "The request is missing a required parameter, includes an unsupported parameter or parameter value, repeats the same parameter, uses more than one method for including an access token, or is otherwise malformed.",
+            :invalid_token => "The access token provided is expired, revoked, malformed or invalid for other reasons.",
+            :insufficient_scope => "The request requires higher privileges than provided by the access token."
+          }
+
+          def self.included(klass)
+            DEFAULT_DESCRIPTION.each do |error, default_description|
+              error_method = case error
+              when :invalid_request
+                :bad_request!
+              when :insufficient_scope
+                :forbidden!
+              else
+                :unauthorized!
+              end
+              klass.class_eval <<-ERROR
+                def #{error}!(description = "#{default_description}", options = {})
+                  #{error_method} :#{error}, description, options
+                end
+              ERROR
+            end
+          end
+
+          def bad_request!(error, description = nil, options = {})
+            raise BadRequest.new(error, description, options)
+          end
+
+          def unauthorized!(error = nil, description = nil, options = {})
+            raise 'Define me!'
+          end
+
+          def forbidden!(error, description = nil, options = {})
+            raise Forbidden.new(error, description, options)
+          end
+        end
+
+        Request.send :include, ErrorMethods
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/resource/mac.rb

@@ -0,0 +1,39 @@
+module Rack
+  module OAuth2
+    module Server
+      class Resource
+        class MAC < Resource
+          def call(env)
+            self.request = Request.new(env)
+            super
+          end
+
+          private
+
+          class Request < Resource::Request
+            attr_reader :timestamp, :nonce, :body_hash, :signature
+
+            def setup!
+              auth_params = @auth_header.params.split(' ').inject({}) do |auth_params, pair|
+                key, value = pair.scan(/^(.*)=\"(.*)\"/).flatten
+                auth_params.merge!(key => value)
+              end.with_indifferent_access
+              @access_token = auth_params[:token]
+              @timestamp = auth_params[:timestamp]
+              @nonce = auth_params[:nonce]
+              @body_hash = auth_params[:bodyhash]
+              @signature = auth_params[:signature]
+              self
+            end
+
+            def oauth2?
+              @auth_header.provided? && @auth_header.scheme == :mac
+            end
+          end
+        end
+      end
+    end
+  end
+end
+
+require 'rack/oauth2/server/resource/mac/error'

data/lib/rack/oauth2/server/resource/mac/error.rb

@@ -0,0 +1,24 @@
+module Rack
+  module OAuth2
+    module Server
+      class Resource
+        class MAC
+          class Unauthorized < Resource::Unauthorized
+            def scheme
+              :MAC
+            end
+          end
+
+          module ErrorMethods
+            include Resource::ErrorMethods
+            def unauthorized!(error = nil, description = nil, options = {})
+              raise Unauthorized.new(error, description, options)
+            end
+          end
+
+          Request.send :include, ErrorMethods
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/token.rb

@@ -46,23 +46,16 @@ module Rack
         end
 
         class Response < Abstract::Response
-          attr_required :access_token, :token_type
-          attr_optional :refresh_token, :expires_in, :scope
+          attr_required :access_token
 
           def protocol_params
-            {
-              :access_token => access_token,
-              :refresh_token => refresh_token,
-              :token_type => token_type,
-              :expires_in => expires_in,
-              :scope => Array(scope).join(' ')
-            }
+            access_token.token_response
           end
 
           def finish
+            attr_missing!
             write Util.compact_hash(protocol_params).to_json
             header['Content-Type'] = "application/json"
-            attr_missing!
             super
           end
         end

data/lib/rack/oauth2/server/token/refresh_token.rb

@@ -3,7 +3,6 @@ module Rack
     module Server
       class Token
         class RefreshToken < Abstract::Handler
-
           def call(env)
             @request  = Request.new(env)
             @response = Response.new(request)
@@ -20,7 +19,6 @@ module Rack
               attr_missing!
             end
           end
-
         end
       end
     end

data/lib/rack/oauth2/util.rb

@@ -1,7 +1,17 @@
+require 'base64'
+
 module Rack
   module OAuth2
     module Util
       class << self
+        def rfc3986_encode(text)
+          URI.encode(text, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+        end
+
+        def base64_encode(text)
+          Base64.encode64(text).gsub(/\n/, '')
+        end
+
         def compact_hash(hash)
           hash.reject do |key, value|
             value.blank?

data/spec/fake_response/facebook_token_response.txt

@@ -0,0 +1 @@
+access_token=access_token&expires_in=3600

data/spec/fake_response/resources/fake.txt

@@ -0,0 +1 @@
+fake

data/spec/helpers/time.rb

@@ -0,0 +1,19 @@
+class Time
+  class << self
+    def now_with_fixed_time
+      if @fixed_time
+        @fixed_time.dup
+      else
+        now_without_fixed_time
+      end
+    end
+    alias_method_chain :now, :fixed_time
+
+    def fix(time = Time.now)
+      @fixed_time = time
+      yield
+    ensure
+      @fixed_time = nil
+    end
+  end
+end

data/spec/rack/oauth2/access_token/bearer_spec.rb

@@ -0,0 +1,43 @@
+require 'spec_helper'
+
+describe Rack::OAuth2::AccessToken::Bearer do
+  let :token do
+    Rack::OAuth2::AccessToken::Bearer.new(
+      :access_token => 'access_token'
+    )
+  end
+  let(:resource_endpoint) { 'https://server.example.com/resources/fake' }
+
+  [:get, :delete].each do |method|
+    before do
+      fake_response(method, resource_endpoint, 'resources/fake.txt')
+    end
+
+    describe method.to_s.upcase do
+      it 'should have Bearer Authorization header' do
+        RestClient.should_receive(method).with(
+          resource_endpoint,
+          :HTTP_AUTHORIZATION => 'Bearer access_token'
+        )
+        token.send method, resource_endpoint
+      end
+    end
+  end
+
+  [:post, :put].each do |method|
+    before do
+      fake_response(method, resource_endpoint, 'resources/fake.txt')
+    end
+
+    describe method.to_s.upcase do
+      it 'should have Bearer Authorization header' do
+        RestClient.should_receive(method).with(
+          resource_endpoint,
+          {:key => :value},
+          {:HTTP_AUTHORIZATION => 'Bearer access_token'}
+        )
+        token.send method, resource_endpoint, {:key => :value}
+      end
+    end
+  end
+end

data/spec/rack/oauth2/access_token/mac/verifier_spec.rb

@@ -0,0 +1,23 @@
+require 'spec_helper'
+
+describe Rack::OAuth2::AccessToken::MAC::Verifier do
+  let(:verifier) { Rack::OAuth2::AccessToken::MAC::Verifier.new(:algorithm => algorithm) }
+  subject { verifier }
+
+  context 'when "hmac-sha-1" is specified' do
+    let(:algorithm) { 'hmac-sha-1' }
+    its(:hash_generator) { should be_instance_of OpenSSL::Digest::SHA1 }
+  end
+
+  context 'when "hmac-sha-256" is specified' do
+    let(:algorithm) { 'hmac-sha-256' }
+    its(:hash_generator) { should be_instance_of OpenSSL::Digest::SHA256 }
+  end
+
+  context 'otherwise' do
+    let(:algorithm) { 'invalid' }
+    it do
+      expect { verifier.send(:hash_generator) }.should raise_error(StandardError, 'Unsupported Algorithm')
+    end
+  end
+end

data/spec/rack/oauth2/access_token/mac_spec.rb

@@ -0,0 +1,163 @@
+require 'spec_helper'
+
+describe Rack::OAuth2::AccessToken::MAC do
+  let :token do
+    Rack::OAuth2::AccessToken::MAC.new(
+      :access_token => 'access_token',
+      :secret => 'secret',
+      :algorithm => 'hmac-sha-256'
+    )
+  end
+  let(:resource_endpoint) { 'https://server.example.com/resources/fake' }
+  subject { token }
+
+  its(:secret)    { should == 'secret' }
+  its(:algorithm) { should == 'hmac-sha-256' }
+  its(:token_response) do
+    should == {
+      :token_type => :mac,
+      :access_token => 'access_token',
+      :secret => 'secret',
+      :algorithm => 'hmac-sha-256',
+      :expires_in => nil,
+      :refresh_token => nil,
+      :scope => ''
+    }
+  end
+  its(:generate_nonce) { should be_a String }
+
+  describe 'HTTP methods' do
+    before do
+      token.should_receive(:generate_nonce).and_return("51e74de734c05613f37520872e68db5f")
+    end
+
+    describe :GET do
+      let(:resource_endpoint) { 'https://server.example.com/resources/fake?key=value' }
+      it 'should have MAC Authorization header' do
+        Time.fix(Time.at(1302361200)) do
+          RestClient.should_receive(:get).with(
+            resource_endpoint,
+            :HTTP_AUTHORIZATION => "MAC token=\"access_token\" timestamp=\"1302361200\" nonce=\"51e74de734c05613f37520872e68db5f\" signature=\"yYDSkZMrEbOOqj0anHNLA9ougNA+lxU0zmPiMSPtmJ8=\""
+          )
+          token.get resource_endpoint
+        end
+      end
+    end
+
+    describe :POST do
+      it 'should have MAC Authorization header' do
+        Time.fix(Time.at(1302361200)) do
+          RestClient.should_receive(:post).with(
+            resource_endpoint,
+            {:key => :value},
+            {:HTTP_AUTHORIZATION => "MAC token=\"access_token\" timestamp=\"1302361200\" nonce=\"51e74de734c05613f37520872e68db5f\" bodyhash=\"Vj8DVxGNBe8UXWvd8pZswj6Gyo8vAT+RXlZa/fCfeiM=\" signature=\"xRvIiA+rmjhPjULVpyCCgiHEsOkLEHZik4ZaB+cyqgk=\""}
+          )
+          token.post resource_endpoint, :key => :value
+        end
+      end
+    end
+
+    describe :PUT do
+      it 'should have MAC Authorization header' do
+        Time.fix(Time.at(1302361200)) do
+          RestClient.should_receive(:put).with(
+            resource_endpoint,
+            {:key => :value},
+            {:HTTP_AUTHORIZATION => "MAC token=\"access_token\" timestamp=\"1302361200\" nonce=\"51e74de734c05613f37520872e68db5f\" bodyhash=\"Vj8DVxGNBe8UXWvd8pZswj6Gyo8vAT+RXlZa/fCfeiM=\" signature=\"2lWgkUCtD9lNBlDi5fe9eVDwEwbxfLGAqjgykaSV1ww=\""}
+          )
+          token.put resource_endpoint, :key => :value
+        end
+      end
+    end
+
+    describe :DELETE do
+      it 'should have MAC Authorization header' do
+        Time.fix(Time.at(1302361200)) do
+          RestClient.should_receive(:delete).with(
+            resource_endpoint,
+            :HTTP_AUTHORIZATION => "MAC token=\"access_token\" timestamp=\"1302361200\" nonce=\"51e74de734c05613f37520872e68db5f\" signature=\"PX2GhHuo5yYNEs51e4Zlllw8itQ4Te0v+6ZuRCK7k+s=\""
+          )
+          token.delete resource_endpoint
+        end
+      end
+    end
+  end
+
+  describe 'verify!' do
+    let(:request) { Rack::OAuth2::Server::Resource::MAC::Request.new(env) }
+
+    context 'when no body_hash is given' do
+      let(:env) do
+        Rack::MockRequest.env_for(
+          '/protected_resources',
+          'HTTP_AUTHORIZATION' => "MAC token=\"access_token\" timestamp=\"1302361200\" nonce=\"51e74de734c05613f37520872e68db5f\" signature=\"#{signature}\""
+        )
+      end
+
+      context 'when signature is valid' do
+        let(:signature) { 'jaOwJ1eEjabkiRJJ4hdOeVvCGfiCHgeb9NDSrkM0ka4=' }
+        it do
+          Time.fix(Time.at(1302361200)) do
+            token.verify!(request.setup!).should == :verified
+          end
+        end
+      end
+
+      context 'otherwise' do
+        let(:signature) { 'invalid' }
+        it do
+          expect { token.verify!(request.setup!) }.should raise_error(
+            Rack::OAuth2::AccessToken::MAC::Verifier::VerificationFailed,
+            'Signature Invalid'
+          )
+        end
+      end
+    end
+
+    context 'when body_hash is given' do
+      let(:env) do
+        Rack::MockRequest.env_for(
+          '/protected_resources',
+          :method => :POST,
+          :params => {
+            :key1 => 'value1'
+          },
+          'HTTP_AUTHORIZATION' => "MAC token=\"access_token\" timestamp=\"1302361200\" nonce=\"51e74de734c05613f37520872e68db5f\" bodyhash=\"#{body_hash}\" signature=\"#{signature}\""
+        )
+      end
+      let(:signature) { 'invalid' }
+
+      context 'when body_hash is invalid' do
+        let(:body_hash) { 'invalid' }
+        it do
+          expect { token.verify!(request.setup!) }.should raise_error(
+            Rack::OAuth2::AccessToken::MAC::Verifier::VerificationFailed,
+            'BodyHash Invalid'
+          )
+        end
+      end
+
+      context 'when body_hash is valid' do
+        let(:body_hash) { 'TPzUbFn1S16mpfmwXCi1L+8oZHRxlLX9/D1ZwAV781o=' }
+
+        context 'when signature is valid' do
+          let(:signature) { 'ZSicF/YCg5bdDef103/NLGeuhH7ylHwrnYUUMcCz12A=' }
+          it do
+            Time.fix(Time.at(1302361200)) do
+              token.verify!(request.setup!).should == :verified
+            end
+          end
+        end
+
+        context 'otherwise' do
+          it do
+            expect { token.verify!(request.setup!) }.should raise_error(
+              Rack::OAuth2::AccessToken::MAC::Verifier::VerificationFailed,
+              'Signature Invalid'
+            )
+          end
+        end
+      end
+    end
+  end
+end