rack-oauth2 0.0.7 → 0.0.8

data/VERSION

@@ -1 +1 @@
-0.0.7
+0.0.8

data/lib/rack/oauth2.rb

@@ -1,4 +1,10 @@
 require 'rack'
 require 'json'
 require 'active_support/core_ext'
-require 'rack/oauth2/server'
+require 'rack/oauth2/server'
+
+module Rack
+  module OAuth2
+    ACCESS_TOKEN = "rack.oauth2.oauth_token"
+  end
+end

data/lib/rack/oauth2/server.rb

@@ -2,4 +2,5 @@ require 'rack/oauth2/server/util'
 require 'rack/oauth2/server/error'
 require 'rack/oauth2/server/abstract'
 require 'rack/oauth2/server/authorize'
-require 'rack/oauth2/server/token'
+require 'rack/oauth2/server/token'
+require 'rack/oauth2/server/resource'

data/lib/rack/oauth2/server/abstract/handler.rb

@@ -5,7 +5,7 @@ module Rack
         class Handler
           attr_accessor :realm, :authenticator, :request, :response
 
-          def initialize(realm = '', &authenticator)
+          def initialize(realm = nil, &authenticator)
             @realm = realm
             @authenticator = authenticator
           end

data/lib/rack/oauth2/server/error.rb

@@ -3,7 +3,7 @@ module Rack
     module Server
 
       class Error < StandardError
-        attr_accessor :code, :error, :description, :uri, :redirect_uri, :state
+        attr_accessor :code, :error, :description, :uri, :state, :scope, :redirect_uri, :realm
 
         def initialize(code, error, description = "", options = {})
           @code         = code
@@ -11,7 +11,17 @@ module Rack
           @description  = description
           @uri          = options[:uri]
           @state        = options[:state]
+          @realm        = options[:realm]
+          @scope        = Array(options[:scope])
           @redirect_uri = Util.parse_uri(options[:redirect_uri]) if options[:redirect_uri]
+          @www_authenticate = 
+          @channel = if options[:www_authenticate].present?
+            :www_authenticate
+          elsif @redirect_uri.present?
+            :query_string
+          else
+            :json_body
+          end
         end
 
         def finish
@@ -19,11 +29,18 @@ module Rack
             :error             => error,
             :error_description => description,
             :error_uri         => uri,
-            :state             => state
+            :state             => state,
+            :scope             => scope.join(' ')
           }.delete_if do |key, value|
             value.blank?
           end
-          if redirect_uri
+          case @channel
+          when :www_authenticate
+            params = params.collect do |key, value|
+              "#{key}=\"#{URI.encode value.to_s}\""
+            end
+            [code, {'WWW-Authenticate' => "OAuth realm=\"#{realm}\" #{params.join(" ")}"}, []]
+          when :query_string
             redirect_uri.query = if redirect_uri.query
               [redirect_uri.query, params.to_query].join('&')
             else
@@ -32,7 +49,7 @@ module Rack
             response = Rack::Response.new
             response.redirect redirect_uri.to_s
             response.finish
-          else
+          when :json_body
             [code, {'Content-Type' => 'application/json'}, params.to_json]
           end
         end
@@ -40,12 +57,7 @@ module Rack
 
       class Unauthorized < Error
         def initialize(error, description = "", options = {})
-          status = if options[:payload] == :header
-            401
-          else
-            400
-          end
-          super(status, error, description, options)
+          super(401, error, description, options)
         end
       end
 

data/lib/rack/oauth2/server/resource.rb

@@ -0,0 +1,76 @@
+require 'rack/auth/abstract/request'
+
+module Rack
+  module OAuth2
+    module Server
+      class Resource < Abstract::Handler
+
+        def initialize(app, realm=nil, &authenticator)
+          @app = app
+          super(realm, &authenticator)
+        end
+
+        def call(env)
+          request = Request.new(env)
+          if request.oauth2?
+            authenticate!(request)
+            env[ACCESS_TOKEN] = request.access_token
+          end
+          @app.call(env)
+        rescue Error => e
+          e.realm = realm
+          e.finish
+        end
+
+        private
+
+        def authenticate!(request)
+          @authenticator.call(request)
+        end
+
+        class Request < Rack::Request
+
+          def initialize(env)
+            @env = env
+            @auth_header = Rack::Auth::AbstractRequest.new(env)
+          end
+
+          def oauth2?
+            access_token.present?
+          end
+
+          def access_token
+            @access_token ||= case
+            when access_token_in_haeder.present? && access_token_in_payload.blank?
+              access_token_in_haeder
+            when access_token_in_haeder.blank? && access_token_in_payload.present?
+              access_token_in_payload
+            when access_token_in_haeder.present? && access_token_in_payload.present?
+              raise BadRequest.new(:invalid_request, 'Both Authorization header and payload includes oauth_token.', :www_authenticate => true)
+            else
+              nil
+            end
+          end
+
+          def access_token_in_haeder
+            if @auth_header.provided? && @auth_header.scheme == :oauth && @auth_header.params !~ /oauth_signature_method/
+              @auth_header.params
+            else
+              nil
+            end
+          end
+
+          def access_token_in_payload
+            if params['oauth_token'] && !params['oauth_signature_method']
+              params['oauth_token']
+            else
+              nil # This is OAuth1 request
+            end
+          end
+
+        end
+
+      end
+    end
+  end
+end

data/rack-oauth2.gemspec

@@ -5,7 +5,7 @@
 
 Gem::Specification.new do |s|
   s.name = %q{rack-oauth2}
-  s.version = "0.0.7"
+  s.version = "0.0.8"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["nov matake"]
@@ -37,6 +37,7 @@ Gem::Specification.new do |s|
      "lib/rack/oauth2/server/authorize/code_and_token.rb",
      "lib/rack/oauth2/server/authorize/token.rb",
      "lib/rack/oauth2/server/error.rb",
+     "lib/rack/oauth2/server/resource.rb",
      "lib/rack/oauth2/server/token.rb",
      "lib/rack/oauth2/server/token/assertion.rb",
      "lib/rack/oauth2/server/token/authorization_code.rb",
@@ -49,6 +50,7 @@ Gem::Specification.new do |s|
      "spec/rack/oauth2/server/authorize/token_spec.rb",
      "spec/rack/oauth2/server/authorize_spec.rb",
      "spec/rack/oauth2/server/error_spec.rb",
+     "spec/rack/oauth2/server/resource_spec.rb",
      "spec/rack/oauth2/server/token/assertion_spec.rb",
      "spec/rack/oauth2/server/token/authorization_code_spec.rb",
      "spec/rack/oauth2/server/token/password_spec.rb",
@@ -68,6 +70,7 @@ Gem::Specification.new do |s|
      "spec/rack/oauth2/server/authorize/token_spec.rb",
      "spec/rack/oauth2/server/authorize_spec.rb",
      "spec/rack/oauth2/server/error_spec.rb",
+     "spec/rack/oauth2/server/resource_spec.rb",
      "spec/rack/oauth2/server/token/assertion_spec.rb",
      "spec/rack/oauth2/server/token/authorization_code_spec.rb",
      "spec/rack/oauth2/server/token/password_spec.rb",

data/spec/rack/oauth2/server/error_spec.rb

@@ -28,7 +28,23 @@ describe Rack::OAuth2::Server::Error, '#finish' do
     end
   end
 
-  context "when redirect_uri isn't given" do
+  context "when www_authenticate isn given" do
+    before do
+      @params = {
+        :error => :invalid_request,
+        :error_description => "Something invalid!!"
+      }
+      @error = Rack::OAuth2::Server::Error.new(401, @params[:error], @params[:error_description], :www_authenticate => true)
+    end
+
+    it "should return failure response with error message in WWW-Authenticate header" do
+      status, header, body = @error.finish
+      status.should === 401
+      header['WWW-Authenticate'].should == "OAuth realm=\"\" error_description=\"Something%20invalid!!\" error=\"invalid_request\""
+    end
+  end
+
+  context "when either redirect_uri nor www_authenticate isn't given" do
     before do
       @params = {
         :error => :invalid_request,
@@ -39,6 +55,7 @@ describe Rack::OAuth2::Server::Error, '#finish' do
 
     it "should return failure response with error message in json body" do
       status, header, body = @error.finish
+      status.should === 400
       body.should == @params.to_json
     end
   end
@@ -53,17 +70,8 @@ describe Rack::OAuth2::Server::BadRequest do
 end
 
 describe Rack::OAuth2::Server::Unauthorized do
-  context "when payload is header" do
-    it "should use 401 as status" do
-      error = Rack::OAuth2::Server::Unauthorized.new(:invalid_client, '', :payload => :header)
-      error.code.should == 401
-    end
-  end
-
-  context "when payload isn't header" do
-    it "should use 400 as status" do
-      error = Rack::OAuth2::Server::Unauthorized.new(:invalid_request)
-      error.code.should == 400
-    end
+  it "should use 400 as status" do
+    error = Rack::OAuth2::Server::Unauthorized.new(:invalid_request)
+    error.code.should == 401
   end
 end

data/spec/rack/oauth2/server/resource_spec.rb

@@ -0,0 +1,111 @@
+require 'spec_helper.rb'
+
+describe Rack::OAuth2::Server::Resource do
+  it "should support realm" do
+    app = Rack::OAuth2::Server::Resource.new(simple_app, "server.example.com")
+    app.realm.should == "server.example.com"
+  end
+end
+
+describe Rack::OAuth2::Server::Resource, '#call' do
+
+  before do
+    @app = Rack::OAuth2::Server::Resource.new(simple_app, "server.example.com") do |request|
+      case request.access_token
+      when "valid_token"
+        # nothing to do
+      when "insufficient_scope_token"
+        raise Rack::OAuth2::Server::Unauthorized.new(:insufficient_scope, "More scope is required.", :www_authenticate => true)
+      when "expired_token"
+        raise Rack::OAuth2::Server::Unauthorized.new(:expired_token, "Given access token has been expired.", :www_authenticate => true)
+      else
+        raise Rack::OAuth2::Server::Unauthorized.new(:invalid_token, "Given access token is invalid.", :www_authenticate => true)
+      end
+    end
+    @request = Rack::MockRequest.new @app
+  end
+
+  context "when no access token is given" do
+    it "should skip OAuth 2.0 authentication" do
+      env = Rack::MockRequest.env_for("/protected_resource")
+      status, header, body = @app.call(env)
+      status.should == 200
+      env[Rack::OAuth2::ACCESS_TOKEN].should be_nil
+    end
+  end
+
+  context "when valid_token is given" do
+    it "should succeed" do
+      response = @request.get("/protected_resource?oauth_token=valid_token")
+      response.status.should == 200
+    end
+
+    it "should store access token in env" do
+      env = Rack::MockRequest.env_for("/protected_resource?oauth_token=valid_token")
+      @app.call(env)
+      env[Rack::OAuth2::ACCESS_TOKEN].should == "valid_token"
+    end
+  end
+
+  context "when expired_token is given" do
+    it "should fail with expired_token error" do
+      response = @request.get("/protected_resource?oauth_token=expired_token")
+      response.status.should == 401
+      response.headers["WWW-Authenticate"].should == "OAuth realm=\"server.example.com\" error_description=\"Given%20access%20token%20has%20been%20expired.\" error=\"expired_token\""
+    end
+
+    it "should not store access token in env" do
+      env = Rack::MockRequest.env_for("/protected_resource?oauth_token=expired_token")
+      @app.call(env)
+      env[Rack::OAuth2::ACCESS_TOKEN].should be_nil
+    end
+  end
+
+  context "when expired_token is given" do
+    it "should fail with invalid_token error" do
+      response = @request.get("/protected_resource?oauth_token=invalid_token")
+      response.status.should == 401
+      response.headers["WWW-Authenticate"].should == "OAuth realm=\"server.example.com\" error_description=\"Given%20access%20token%20is%20invalid.\" error=\"invalid_token\""
+    end
+
+    it "should not store access token in env" do
+      env = Rack::MockRequest.env_for("/protected_resource?oauth_token=invalid_token")
+      @app.call(env)
+      env[Rack::OAuth2::ACCESS_TOKEN].should be_nil
+    end
+  end
+
+  context "when multiple access_token is given" do
+    it "should fail with invalid_request error" do
+      response = @request.get("/protected_resource?oauth_token=invalid_token", "HTTP_AUTHORIZATION" => "OAuth valid_token")
+      response.status.should == 400
+      response.headers["WWW-Authenticate"].should == "OAuth realm=\"server.example.com\" error_description=\"Both%20Authorization%20header%20and%20payload%20includes%20oauth_token.\" error=\"invalid_request\""
+    end
+  end
+
+  context "when OAuth 1.0 Authorization header is given" do
+    it "should ignore the OAuth params" do
+      env = Rack::MockRequest.env_for("/protected_resource", "HTTP_AUTHORIZATION" => "OAuth realm=\"server.example.com\" oauth_consumer_key=\"key\" oauth_token=\"token\" oauth_signature_method=\"HMAC-SHA1\" oauth_signature=\"sig\" oauth_timestamp=\"123456789\" oauth_nonce=\"nonce\"")
+      status, header, body = @app.call(env)
+      status.should == 200
+      env[Rack::OAuth2::ACCESS_TOKEN].should be_nil
+    end
+  end
+
+  context "when OAuth 1.0 params is given" do
+    it "should ignore the OAuth params" do
+      env = Rack::MockRequest.env_for("/protected_resource", :params => {
+        :oauth_consumer_key => "key",
+        :oauth_token => "token",
+        :oauth_signature_method => "HMAC-SHA1",
+        :oauth_signature => "sig",
+        :oauth_timestamp => 123456789,
+        :oauth_nonce => "nonce"
+      })
+      status, header, body = @app.call(env)
+      status.should == 200
+      env[Rack::OAuth2::ACCESS_TOKEN].should be_nil
+    end
+  end
+
+end

data/spec/rack/oauth2/server/token/assertion_spec.rb

@@ -43,7 +43,7 @@ describe Rack::OAuth2::Server::Token::Assertion do
         :assertion => "invalid_assertion",
         :assertion_type => "something"
       })
-      response.status.should == 400
+      response.status.should == 401
       response.content_type.should == "application/json"
       response.body.should == "{\"error_description\":\"Invalid assertion.\",\"error\":\"invalid_grant\"}"
     end

data/spec/rack/oauth2/server/token/authorization_code_spec.rb

@@ -43,7 +43,7 @@ describe Rack::OAuth2::Server::Token::AuthorizationCode do
         :code => "invalid_authorization_code",
         :redirect_uri => "http://client.example.com/callback"
       })
-      response.status.should == 400
+      response.status.should == 401
       response.content_type.should == "application/json"
       response.body.should == "{\"error_description\":\"Invalid authorization code.\",\"error\":\"invalid_grant\"}"
     end
@@ -67,7 +67,7 @@ describe Rack::OAuth2::Server::Token::AuthorizationCode do
         :code => "valid_authorization_code",
         :redirect_uri => "http://client.example.com/callback"
       })
-      response.status.should == 400
+      response.status.should == 401
       response.content_type.should == "application/json"
       response.body.should == "{\"error_description\":\"Invalid client identifier.\",\"error\":\"invalid_client\"}"
     end

data/spec/rack/oauth2/server/token/password_spec.rb

@@ -43,7 +43,7 @@ describe Rack::OAuth2::Server::Token::Password do
         :username => "nov",
         :password => "invalid_pass"
       })
-      response.status.should == 400
+      response.status.should == 401
       response.content_type.should == "application/json"
       response.body.should == "{\"error_description\":\"Invalid resource owner credentials.\",\"error\":\"invalid_grant\"}"
     end

data/spec/rack/oauth2/server/token/refresh_token_spec.rb

@@ -41,7 +41,7 @@ describe Rack::OAuth2::Server::Token::RefreshToken do
         :client_id => "valid_client",
         :refresh_token => "invalid_refresh_token"
       })
-      response.status.should == 400
+      response.status.should == 401
       response.content_type.should == "application/json"
       response.body.should == "{\"error_description\":\"Invalid refresh_token.\",\"error\":\"invalid_grant\"}"
     end

data/spec/rack/oauth2/server/token_spec.rb

@@ -19,28 +19,50 @@ describe Rack::OAuth2::Server::Token::Request do
   context "when any required parameters are missing" do
     it "should return invalid_request error" do
       assert_error_response(:json, :invalid_request) do
-        @request.get('/')
+        @request.post('/')
       end
       assert_error_response(:json, :invalid_request) do
-        @request.get('/?grant_type=authorization_code')
+        @request.post('/', :params => {
+          :grant_type => "authorization_code"
+        })
       end
       assert_error_response(:json, :invalid_request) do
-        @request.get('/?grant_type=authorization_code&client_id=client')
+        @request.post('/', :params => {
+          :grant_type => "authorization_code",
+          :client_id => "client"
+        })
       end
       assert_error_response(:json, :invalid_request) do
-        @request.get('/?grant_type=authorization_code&redirect_uri=http://client.example.com/callback')
+        @request.post('/', :params => {
+          :grant_type => "authorization_code",
+          :redirect_uri => "http://client.example.com/callback"
+        })
       end
       assert_error_response(:json, :invalid_request) do
-        @request.get('/?client_id=client&redirect_uri=http://client.example.com/callback')
+        @request.post('/', :params => {
+          :client_id => "client",
+          :redirect_uri => "http://client.example.com/callback"
+        })
       end
       assert_error_response(:json, :invalid_request) do
-        @request.get('/?grant_type=authorization_code&redirect_uri=http://client.example.com/callback')
+        @request.post('/', :params => {
+          :grant_type => "authorization_code",
+          :redirect_uri => "http://client.example.com/callback"
+        })
       end
       assert_error_response(:json, :invalid_request) do
-        @request.get('/?grant_type=authorization_code&client_id=client&redirect_uri=http://client.example.com/callback')
+        @request.post('/', :params => {
+          :grant_type => "authorization_code",
+          :client_id => "client",
+          :redirect_uri => "http://client.example.com/callback"
+        })
       end
       assert_error_response(:json, :invalid_request) do
-        @request.get('/?grant_type=authorization_code&code=authorization_code&redirect_uri=http://client.example.com/callback')
+        @request.post('/', :params => {
+          :grant_type => "authorization_code",
+          :code => "authorization_code",
+          :redirect_uri => "http://client.example.com/callback"
+        })
       end
     end
   end
@@ -48,14 +70,24 @@ describe Rack::OAuth2::Server::Token::Request do
   context "when unsupported grant_type is given" do
     it "should return unsupported_response_type error" do
       assert_error_response(:json, :unsupported_grant_type) do
-        @request.get('/?grant_type=hello&client_id=client&code=authorization_code&redirect_uri=http://client.example.com/callback')
+        @request.post('/', :params => {
+          :grant_type => "hello",
+          :client_id => "client",
+          :code => "authorization_code",
+          :redirect_uri => "http://client.example.com/callback"
+        })
       end
     end
   end
 
   context "when all required parameters are valid" do
     it "should succeed" do
-      response = @request.get('/?grant_type=authorization_code&client_id=client&code=authorization_code&redirect_uri=http://client.example.com/callback')
+      response = @request.post('/', :params => {
+        :grant_type => "authorization_code",
+        :client_id => "client",
+        :code => "authorization_code",
+        :redirect_uri => "http://client.example.com/callback"
+      })
       response.status.should == 200
     end
   end
@@ -75,7 +107,12 @@ describe Rack::OAuth2::Server::Token::Response do
 
     it "should raise an error" do
       lambda do
-        @request.get("/?grant_type=authorization_code&client_id=client&code=authorization_code&redirect_uri=http://client.example.com/callback")
+        @request.post('/', :params => {
+          :grant_type => "authorization_code",
+          :client_id => "client",
+          :code => "authorization_code",
+          :redirect_uri => "http://client.example.com/callback"
+        })
       end.should raise_error(StandardError)
     end
 
@@ -91,7 +128,12 @@ describe Rack::OAuth2::Server::Token::Response do
     end
 
     it "should succeed" do
-      response = @request.get("/?grant_type=authorization_code&client_id=client&code=authorization_code&redirect_uri=http://client.example.com/callback")
+      response = @request.post('/', :params => {
+        :grant_type => "authorization_code",
+        :client_id => "client",
+        :code => "authorization_code",
+        :redirect_uri => "http://client.example.com/callback"
+      })
       response.status.should == 200
     end
 

data/spec/spec.opts

@@ -1 +1,3 @@
---color
+--colour
+--format
+specdoc

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: rack-oauth2
 version: !ruby/object:Gem::Version 
-  hash: 17
+  hash: 15
   prerelease: false
   segments: 
   - 0
   - 0
-  - 7
-  version: 0.0.7
+  - 8
+  version: 0.0.8
 platform: ruby
 authors: 
 - nov matake
@@ -92,6 +92,7 @@ files:
 - lib/rack/oauth2/server/authorize/code_and_token.rb
 - lib/rack/oauth2/server/authorize/token.rb
 - lib/rack/oauth2/server/error.rb
+- lib/rack/oauth2/server/resource.rb
 - lib/rack/oauth2/server/token.rb
 - lib/rack/oauth2/server/token/assertion.rb
 - lib/rack/oauth2/server/token/authorization_code.rb
@@ -104,6 +105,7 @@ files:
 - spec/rack/oauth2/server/authorize/token_spec.rb
 - spec/rack/oauth2/server/authorize_spec.rb
 - spec/rack/oauth2/server/error_spec.rb
+- spec/rack/oauth2/server/resource_spec.rb
 - spec/rack/oauth2/server/token/assertion_spec.rb
 - spec/rack/oauth2/server/token/authorization_code_spec.rb
 - spec/rack/oauth2/server/token/password_spec.rb
@@ -151,6 +153,7 @@ test_files:
 - spec/rack/oauth2/server/authorize/token_spec.rb
 - spec/rack/oauth2/server/authorize_spec.rb
 - spec/rack/oauth2/server/error_spec.rb
+- spec/rack/oauth2/server/resource_spec.rb
 - spec/rack/oauth2/server/token/assertion_spec.rb
 - spec/rack/oauth2/server/token/authorization_code_spec.rb
 - spec/rack/oauth2/server/token/password_spec.rb