rack-oauth2 1.12.0 → 2.2.0

data/lib/rack/oauth2/access_token/mac/signature.rb

@@ -1,34 +0,0 @@
-module Rack
-  module OAuth2
-    class AccessToken
-      class MAC
-        class Signature < Verifier
-          attr_required :secret, :ts, :nonce, :method, :request_uri, :host, :port
-          attr_optional :ext, :query
-
-          def calculate
-            Rack::OAuth2::Util.base64_encode OpenSSL::HMAC.digest(
-              hash_generator,
-              secret,
-              normalized_request_string
-            )
-          end
-
-          def normalized_request_string
-            [
-              ts.to_i,
-              nonce,
-              method.to_s.upcase,
-              request_uri,
-              host,
-              port,
-              ext || '',
-              nil
-            ].join("\n")
-          end
-
-        end
-      end
-    end
-  end
-end

data/lib/rack/oauth2/access_token/mac/verifier.rb

@@ -1,44 +0,0 @@
-module Rack
-  module OAuth2
-    class AccessToken
-      class MAC
-        class Verifier
-          include AttrRequired, AttrOptional
-          attr_required :algorithm
-
-          class VerificationFailed < StandardError; end
-
-          def initialize(attributes = {})
-            (required_attributes + optional_attributes).each do |key|
-              self.send :"#{key}=", attributes[key]
-            end
-            attr_missing!
-          rescue AttrRequired::AttrMissing => e
-            raise VerificationFailed.new("#{self.class.name.demodulize} Invalid: #{e.message}")
-          end
-
-          def verify!(expected)
-            if expected == self.calculate
-              :verified
-            else
-              raise VerificationFailed.new("#{self.class.name.demodulize} Invalid")
-            end
-          end
-
-          private
-
-          def hash_generator
-            case algorithm.to_s
-            when 'hmac-sha-1'
-              OpenSSL::Digest::SHA1.new
-            when 'hmac-sha-256'
-              OpenSSL::Digest::SHA256.new
-            else
-              raise 'Unsupported Algorithm'
-            end
-          end
-        end
-      end
-    end
-  end
-end

data/lib/rack/oauth2/access_token/mac.rb

@@ -1,103 +0,0 @@
-module Rack
-  module OAuth2
-    class AccessToken
-      class MAC < AccessToken
-        attr_required :mac_key, :mac_algorithm
-        attr_optional :ts, :ext_verifier, :ts_expires_in
-        attr_reader :nonce, :signature, :ext
-
-        def initialize(attributes = {})
-          super(attributes)
-          @issued_at = Time.now.utc
-          @ts_expires_in ||= 5.minutes
-        end
-
-        def token_response
-          super.merge(
-            mac_key: mac_key,
-            mac_algorithm: mac_algorithm
-          )
-        end
-
-        def verify!(request)
-          if self.ext_verifier.present?
-            body = request.body.read
-            request.body.rewind # for future use
-
-            self.ext_verifier.new(
-              raw_body: body,
-              algorithm: self.mac_algorithm
-            ).verify!(request.ext)
-          end
-
-          now = Time.now.utc.to_i
-          now = @ts.to_i if @ts.present?
-
-          raise Rack::OAuth2::AccessToken::MAC::Verifier::VerificationFailed.new("Request ts expired") if now - request.ts.to_i > @ts_expires_in.to_i
-
-          Signature.new(
-            secret:      self.mac_key,
-            algorithm:   self.mac_algorithm,
-            nonce:       request.nonce,
-            method:      request.request_method,
-            request_uri: request.fullpath,
-            host:        request.host,
-            port:        request.port,
-            ts:          request.ts,
-            ext:         request.ext
-          ).verify!(request.signature)
-        rescue Verifier::VerificationFailed => e
-          request.invalid_token! e.message
-        end
-
-        def authenticate(request)
-          @nonce = generate_nonce
-          @ts_generated = @ts || Time.now.utc
-
-          if self.ext_verifier.present?
-            @ext = self.ext_verifier.new(
-              raw_body: request.body,
-              algorithm: self.mac_algorithm
-            ).calculate
-          end
-
-          @signature = Signature.new(
-            secret:      self.mac_key,
-            algorithm:   self.mac_algorithm,
-            nonce:       self.nonce,
-            method:      request.header.request_method,
-            request_uri: request.header.create_query_uri,
-            host:        request.header.request_uri.host,
-            port:        request.header.request_uri.port,
-            ts:          @ts_generated,
-            ext:         @ext
-          ).calculate
-
-          request.header['Authorization'] = authorization_header
-        end
-
-        private
-
-        def authorization_header
-          header = "MAC id=\"#{access_token}\""
-          header << ", nonce=\"#{nonce}\""
-          header << ", ts=\"#{@ts_generated.to_i}\""
-          header << ", mac=\"#{signature}\""
-          header << ", ext=\"#{ext}\"" if @ext.present?
-          header
-        end
-
-        def generate_nonce
-          [
-            (Time.now.utc - @issued_at).to_i,
-            SecureRandom.hex
-          ].join(':')
-        end
-      end
-    end
-  end
-end
-
-require 'rack/oauth2/access_token/mac/verifier'
-require 'rack/oauth2/access_token/mac/sha256_hex_verifier'
-require 'rack/oauth2/access_token/mac/signature'

data/lib/rack/oauth2/debugger/request_filter.rb

@@ -1,30 +0,0 @@
-module Rack
-  module OAuth2
-    module Debugger
-      class RequestFilter
-        # Callback called in HTTPClient (before sending a request)
-        # request:: HTTP::Message
-        def filter_request(request)
-          started = "======= [Rack::OAuth2] HTTP REQUEST STARTED ======="
-          log started, request.dump
-        end
-
-        # Callback called in HTTPClient (after received a response)
-        # request::  HTTP::Message
-        # response:: HTTP::Message
-        def filter_response(request, response)
-          finished = "======= [Rack::OAuth2] HTTP REQUEST FINISHED ======="
-          log '-' * 50, response.dump, finished
-        end
-
-        private
-
-        def log(*outputs)
-          outputs.each do |output|
-            OAuth2.logger.info output
-          end
-        end
-      end
-    end
-  end
-end

data/lib/rack/oauth2/debugger.rb

@@ -1,3 +0,0 @@
-Dir[File.dirname(__FILE__) + '/debugger/*.rb'].each do |file|
-  require file
-end

data/lib/rack/oauth2/server/resource/mac/error.rb

@@ -1,24 +0,0 @@
-module Rack
-  module OAuth2
-    module Server
-      class Resource
-        class MAC
-          class Unauthorized < Resource::Unauthorized
-            def scheme
-              :MAC
-            end
-          end
-
-          module ErrorMethods
-            include Resource::ErrorMethods
-            def unauthorized!(error = nil, description = nil, options = {})
-              raise Unauthorized.new(error, description, options)
-            end
-          end
-
-          Request.send :include, ErrorMethods
-        end
-      end
-    end
-  end
-end

data/lib/rack/oauth2/server/resource/mac.rb

@@ -1,36 +0,0 @@
-module Rack
-  module OAuth2
-    module Server
-      class Resource
-        class MAC < Resource
-          def _call(env)
-            self.request = Request.new(env)
-            super
-          end
-
-          private
-
-          class Request < Resource::Request
-            attr_reader :nonce, :ts, :ext, :signature
-
-            def setup!
-              auth_params = Rack::Auth::Digest::Params.parse(@auth_header.params).with_indifferent_access
-              @access_token = auth_params[:id]
-              @nonce = auth_params[:nonce]
-              @ts = auth_params[:ts]
-              @ext = auth_params[:ext]
-              @signature = auth_params[:mac]
-              self
-            end
-
-            def oauth2?
-              @auth_header.provided? && @auth_header.scheme.to_s == 'mac'
-            end
-          end
-        end
-      end
-    end
-  end
-end
-
-require 'rack/oauth2/server/resource/mac/error'

data/spec/mock_response/tokens/legacy.json

@@ -1,5 +0,0 @@
-{
-  "access_token":"access_token",
-  "refresh_token":"refresh_token",
-  "expires_in":3600
-}

data/spec/mock_response/tokens/legacy.txt

@@ -1 +0,0 @@
-access_token=access_token&expires=3600

data/spec/mock_response/tokens/legacy_without_expires_in.txt

@@ -1 +0,0 @@
-access_token=access_token

data/spec/mock_response/tokens/mac.json

@@ -1,8 +0,0 @@
-{
-  "token_type":"mac",
-  "mac_algorithm":"hmac-sha-256",
-  "expires_in":3600,
-  "mac_key":"secret",
-  "refresh_token":"refresh_token",
-  "access_token":"access_token"
-}

data/spec/rack/oauth2/access_token/legacy_spec.rb

@@ -1,23 +0,0 @@
-require 'spec_helper'
-
-describe Rack::OAuth2::AccessToken::Legacy do
-  let :token do
-    Rack::OAuth2::AccessToken::Legacy.new(
-      access_token: 'access_token'
-    )
-  end
-  let(:resource_endpoint) { 'https://server.example.com/resources/fake' }
-  let(:request) { HTTPClient.new.send(:create_request, :post, URI.parse(resource_endpoint), {}, {hello: "world"}, {}) }
-
-  describe '#to_s' do
-    subject { token }
-    its(:to_s) { should == token.access_token }
-  end
-
-  describe '.authenticate' do
-    it 'should set Authorization header' do
-      expect(request.header).to receive(:[]=).with('Authorization', 'OAuth access_token')
-      token.authenticate(request)
-    end
-  end
-end

data/spec/rack/oauth2/access_token/mac/sha256_hex_verifier_spec.rb

@@ -1,28 +0,0 @@
-require 'spec_helper'
-
-describe Rack::OAuth2::AccessToken::MAC::Sha256HexVerifier do
-
-  # From the example of webtopay wallet API spec
-  # ref) https://www.webtopay.com/wallet/#authentication
-  context 'when example from webtopay wallet API' do
-    subject do
-      Rack::OAuth2::AccessToken::MAC::Sha256HexVerifier.new(
-        algorithm: 'hmac-sha-256',
-        raw_body: 'grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA&redirect_uri=http%3A%2F%2Flocalhost%2Fabc'
-      )
-    end
-    its(:calculate) { should == '21fb73c40b589622d0c78e9cd8900f89d9472aa724d0e5c3eca9ac1cd9d2a6d5' }
-  end
-
-
-  context 'when raw_body is empty' do
-    subject do
-      Rack::OAuth2::AccessToken::MAC::Sha256HexVerifier.new(
-        algorithm: 'hmac-sha-256',
-        raw_body: ''
-      )
-    end
-    its(:calculate) { should be_nil }
-  end
-
-end

data/spec/rack/oauth2/access_token/mac/signature_spec.rb

@@ -1,59 +0,0 @@
-require 'spec_helper'
-
-describe Rack::OAuth2::AccessToken::MAC::Signature do
-  # From the example of Webtopay wallet API
-  # ref) https://www.webtopay.com/wallet/
-  context 'when ext is not given' do
-    subject do
-      Rack::OAuth2::AccessToken::MAC::Signature.new(
-        secret:      'IrdTc8uQodU7PRpLzzLTW6wqZAO6tAMU',
-        algorithm:   'hmac-sha-256',
-        nonce:       'dj83hs9s',
-        ts:          1336363200,
-        method:      'GET',
-        request_uri: '/wallet/rest/api/v1/payment/123',
-        host:        'www.webtopay.com',
-        port:        443
-      )
-    end
-    its(:calculate) { should == 'OZE9fTk2qiRtL1jb01L8lRxC66PTiAGhMDEmboeVeLs=' }
-  end
-
-  # From the example of MAC spec section 1.1
-  # ref) http://tools.ietf.org/pdf/draft-ietf-oauth-v2-http-mac-01.pdf
-  context 'when ext is not given' do
-    subject do
-      Rack::OAuth2::AccessToken::MAC::Signature.new(
-        secret:      '489dks293j39',
-        algorithm:   'hmac-sha-1',
-        nonce:       'dj83hs9s',
-        ts:          1336363200,
-        method:      'GET',
-        request_uri: '/resource/1?b=1&a=2',
-        host:        'example.com',
-        port:        80
-      )
-    end
-    its(:calculate) { should == '6T3zZzy2Emppni6bzL7kdRxUWL4=' }
-  end
-
-  # From the example of MAC spec section 3.2
-  # ref) http://tools.ietf.org/pdf/draft-ietf-oauth-v2-http-mac-01.pdf
-  context 'otherwise' do
-    subject do
-      Rack::OAuth2::AccessToken::MAC::Signature.new(
-        secret:      '489dks293j39',
-        algorithm:   'hmac-sha-1',
-        nonce:       '7d8f3e4a',
-        ts:          264095,
-        method:      'POST',
-        request_uri: '/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b&c2&a3=2+q',
-        host:        'example.com',
-        port:        80,
-        ext:         'a,b,c'
-      )
-    end
-    its(:calculate) { should == '+txL5oOFHGYjrfdNYH5VEzROaBY=' }
-  end
-
-end

data/spec/rack/oauth2/access_token/mac/verifier_spec.rb

@@ -1,25 +0,0 @@
-require 'spec_helper'
-
-describe Rack::OAuth2::AccessToken::MAC::Verifier do
-  let(:verifier) { Rack::OAuth2::AccessToken::MAC::Verifier.new(algorithm: algorithm) }
-  subject { verifier }
-
-  context 'when "hmac-sha-1" is specified' do
-    let(:algorithm) { 'hmac-sha-1' }
-    its(:hash_generator) { should be_instance_of OpenSSL::Digest::SHA1 }
-  end
-
-  context 'when "hmac-sha-256" is specified' do
-    let(:algorithm) { 'hmac-sha-256' }
-    its(:hash_generator) { should be_instance_of OpenSSL::Digest::SHA256 }
-  end
-
-  context 'otherwise' do
-    let(:algorithm) { 'invalid' }
-    it do
-      expect { verifier.send(:hash_generator) }.to raise_error(StandardError, 'Unsupported Algorithm')
-    end
-  end
-
-
-end

data/spec/rack/oauth2/access_token/mac_spec.rb

@@ -1,141 +0,0 @@
-require 'spec_helper'
-
-describe Rack::OAuth2::AccessToken::MAC do
-  let(:ts) { 1305820234 }
-  let :token do
-    Rack::OAuth2::AccessToken::MAC.new(
-      access_token: 'access_token',
-      mac_key: 'secret',
-      mac_algorithm: 'hmac-sha-256',
-      ts: ts
-    )
-  end
-  let :token_with_ext_verifier do
-    Rack::OAuth2::AccessToken::MAC.new(
-      access_token: 'access_token',
-      mac_key: 'secret',
-      mac_algorithm: 'hmac-sha-256',
-      ts: ts,
-      ext_verifier: Rack::OAuth2::AccessToken::MAC::Sha256HexVerifier
-    )
-  end
-  let(:nonce) { '1000:51e74de734c05613f37520872e68db5f' }
-  let(:resource_endpoint) { 'https://server.example.com/resources/fake' }
-  subject { token }
-
-  its(:mac_key)    { should == 'secret' }
-  its(:mac_algorithm) { should == 'hmac-sha-256' }
-  its(:token_response) do
-    should == {
-      access_token: 'access_token',
-      refresh_token: nil,
-      token_type: :mac,
-      expires_in: nil,
-      scope: '',
-      mac_key: 'secret',
-      mac_algorithm: 'hmac-sha-256'
-    }
-  end
-  its(:generate_nonce) { should be_a String }
-
-  describe 'verify!' do
-    let(:request) { Rack::OAuth2::Server::Resource::MAC::Request.new(env) }
-
-    context 'when no ext_verifier is given' do
-      let(:env) do
-        Rack::MockRequest.env_for(
-          '/protected_resources',
-          'HTTP_AUTHORIZATION' => %{MAC id="access_token", nonce="#{nonce}", ts="#{ts}" mac="#{signature}"}
-        )
-      end
-
-      context 'when signature is valid' do
-        let(:signature) { 'BgooS/voPOZWLwoVfx4+zbC3xAVKW3jtjhKYOfIGZOA=' }
-        it do
-
-          token.verify!(request.setup!).should == :verified
-        end
-      end
-
-      context 'otherwise' do
-        let(:signature) { 'invalid' }
-        it do
-          expect { token.verify!(request.setup!) }.to raise_error(
-            Rack::OAuth2::Server::Resource::MAC::Unauthorized,
-            'invalid_token :: Signature Invalid'
-          )
-        end
-      end
-    end
-
-    context 'when ext_verifier is given' do
-      let(:env) do
-        Rack::MockRequest.env_for(
-          '/protected_resources',
-          method: :POST,
-          params: {
-            key1: 'value1'
-          },
-          'HTTP_AUTHORIZATION' => %{MAC id="access_token", nonce="#{nonce}", ts="#{ts}", mac="#{signature}", ext="#{ext}"}
-        )
-      end
-      let(:signature) { 'invalid' }
-
-      context 'when ext is invalid' do
-        let(:ext) { 'invalid' }
-        it do
-          expect { token_with_ext_verifier.verify!(request.setup!) }.to raise_error(
-            Rack::OAuth2::Server::Resource::MAC::Unauthorized,
-            'invalid_token :: Sha256HexVerifier Invalid'
-          )
-        end
-      end
-
-      context 'when ext is valid' do
-        let(:ext) { '4cfcd46c59f54b5ea6a5f9b05c28b52fef2864747194b5fdfc3d59c0057bf35a' }
-
-        context 'when signature is valid' do
-          let(:signature) { 'dZYR54n+Lym5qCRRmDqmRZ71rG+bkjSWmqrOv8OjYHk=' }
-          it do
-            Time.fix(Time.at(1302361200)) do
-              token_with_ext_verifier.verify!(request.setup!).should == :verified
-            end
-          end
-        end
-
-        context 'otherwise' do
-          it do
-            expect { token.verify!(request.setup!) }.to raise_error(
-              Rack::OAuth2::Server::Resource::MAC::Unauthorized,
-              'invalid_token :: Signature Invalid'
-            )
-          end
-        end
-      end
-    end
-  end
-
-  describe '.authenticate' do
-    let(:request) { HTTPClient.new.send(:create_request, :post, URI.parse(resource_endpoint), {}, {hello: "world"}, {}) }
-    context 'when no ext_verifier is given' do
-      let(:signature) { 'pOBaL6HRawe4tUPmcU4vJEj1f2GJqrbQOlCcdAYgI/s=' }
-
-      it 'should set Authorization header' do
-        expect(token).to receive(:generate_nonce).and_return(nonce)
-        expect(request.header).to receive(:[]=).with('Authorization', "MAC id=\"access_token\", nonce=\"#{nonce}\", ts=\"#{ts.to_i}\", mac=\"#{signature}\"")
-        token.authenticate(request)
-      end
-    end
-
-    context 'when ext_verifier is given' do
-      let(:signature) { 'vgU0fj6rSpwUCAoCOrXlu8pZBR8a5Q5xIVlB4MCvJeM=' }
-      let(:ext) { '3d011e09502a84552a0f8ae112d024cc2c115597e3a577d5f49007902c221dc5' }
-      it 'should set Authorization header with ext_verifier' do
-        expect(token_with_ext_verifier).to receive(:generate_nonce).and_return(nonce)
-        expect(request.header).to receive(:[]=).with('Authorization', "MAC id=\"access_token\", nonce=\"#{nonce}\", ts=\"#{ts.to_i}\", mac=\"#{signature}\", ext=\"#{ext}\"")
-        token_with_ext_verifier.authenticate(request)
-      end
-    end
-
-  end
-end

data/spec/rack/oauth2/debugger/request_filter_spec.rb

@@ -1,33 +0,0 @@
-require 'spec_helper'
-
-describe Rack::OAuth2::Debugger::RequestFilter do
-  let(:resource_endpoint) { 'https://example.com/resources' }
-  let(:request) { HTTP::Message.new_request(:get, URI.parse(resource_endpoint)) }
-  let(:response) { HTTP::Message.new_response({hello: 'world'}.to_json) }
-  let(:request_filter) { Rack::OAuth2::Debugger::RequestFilter.new }
-
-  describe '#filter_request' do
-    it 'should log request' do
-      [
-        "======= [Rack::OAuth2] HTTP REQUEST STARTED =======",
-        request.dump
-      ].each do |output|
-        expect(Rack::OAuth2.logger).to receive(:info).with output
-      end
-      request_filter.filter_request(request)
-    end
-  end
-
-  describe '#filter_response' do
-    it 'should log response' do
-      [
-        "--------------------------------------------------",
-        response.dump,
-        "======= [Rack::OAuth2] HTTP REQUEST FINISHED ======="
-      ].each do |output|
-        expect(Rack::OAuth2.logger).to receive(:info).with output
-      end
-      request_filter.filter_response(request, response)
-    end
-  end
-end

data/spec/rack/oauth2/server/resource/mac/error_spec.rb

@@ -1,52 +0,0 @@
-require 'spec_helper.rb'
-
-describe Rack::OAuth2::Server::Resource::MAC::Unauthorized do
-  let(:error) { Rack::OAuth2::Server::Resource::MAC::Unauthorized.new(:invalid_token) }
-
-  it { should be_a Rack::OAuth2::Server::Resource::Unauthorized }
-
-  describe '#scheme' do
-    subject { error }
-    its(:scheme) { should == :MAC }
-  end
-
-  describe '#finish' do
-    it 'should use MAC scheme' do
-      status, header, response = error.finish
-      header['WWW-Authenticate'].should =~ /^MAC /
-    end
-  end
-end
-
-describe Rack::OAuth2::Server::Resource::MAC::ErrorMethods do
-  let(:unauthorized)        { Rack::OAuth2::Server::Resource::MAC::Unauthorized }
-  let(:redirect_uri)        { 'http://client.example.com/callback' }
-  let(:default_description) { Rack::OAuth2::Server::Resource::ErrorMethods::DEFAULT_DESCRIPTION }
-  let(:env)                 { Rack::MockRequest.env_for("/authorize?client_id=client_id") }
-  let(:request)             { Rack::OAuth2::Server::Resource::MAC::Request.new env }
-
-  describe 'unauthorized!' do
-    it do
-      expect { request.unauthorized! :invalid_client }.to raise_error unauthorized
-    end
-  end
-
-  Rack::OAuth2::Server::Resource::Bearer::ErrorMethods::DEFAULT_DESCRIPTION.keys.each do |error_code|
-    method = "#{error_code}!"
-    case error_code
-    when :invalid_request
-      # ignore
-    when :insufficient_scope
-      # ignore
-    else
-      describe method do
-        it "should raise Rack::OAuth2::Server::Resource::Bearer::Unauthorized with error = :#{error_code}" do
-          expect { request.send method }.to raise_error(unauthorized) { |error|
-            error.error.should       == error_code
-            error.description.should == default_description[error_code]
-          }
-        end
-      end
-    end
-  end
-end