rockoauth 0.1.0

data/lib/rockoauth/provider/authorization.rb

@@ -0,0 +1,185 @@
+module RockOAuth
+  class Provider
+
+    class Authorization
+      attr_reader :owner, :client,
+      :code, :access_token,
+      :expires_in, :refresh_token,
+      :error, :error_description
+
+      REQUIRED_PARAMS = [RESPONSE_TYPE, CLIENT_ID, REDIRECT_URI]
+      VALID_PARAMS    = REQUIRED_PARAMS + [SCOPE, STATE]
+      VALID_RESPONSES = [CODE, TOKEN, CODE_AND_TOKEN]
+
+      def initialize(resource_owner, params, transport_error = nil)
+        @owner  = resource_owner
+        @params = params
+        @scope  = params[SCOPE]
+        @state  = params[STATE]
+
+        @transport_error = transport_error
+
+        validate!
+
+        return unless @owner and not @error
+
+        @model = @owner.oauth2_authorization_for(@client)
+        return unless @model and @model.in_scope?(scopes) and not @model.expired?
+
+        @authorized = true
+
+        if @params[RESPONSE_TYPE] =~ /code/
+          @code = @model.generate_code
+        end
+
+        if @params[RESPONSE_TYPE] =~ /token/
+          @access_token = @model.generate_access_token
+        end
+      end
+
+      def scopes
+        scopes = @scope ? @scope.split(/\s+/).delete_if { |s| s.empty? } : []
+        Set.new(scopes)
+      end
+
+      def unauthorized_scopes
+        @model ? scopes.select { |s| not @model.in_scope?(s) } : scopes
+      end
+
+      def grant_access!(options = {})
+        @model = Model::Authorization.for(@owner, @client,
+                                          :response_type => @params[RESPONSE_TYPE],
+                                          :scope         => @scope,
+                                          :duration      => options[:duration])
+
+        @code          = @model.code
+        @access_token  = @model.access_token
+        @refresh_token = @model.refresh_token
+        @expires_in    = @model.expires_in
+
+        unless @params[RESPONSE_TYPE] == CODE
+          @expires_in = @model.expires_in
+        end
+
+        @authorized = true
+      end
+
+      def deny_access!
+        @code = @access_token = @refresh_token = nil
+        @error = ACCESS_DENIED
+        @error_description = "The user denied you access"
+      end
+
+      def params
+        params = {}
+        VALID_PARAMS.each { |key| params[key] = @params[key] if @params.has_key?(key) }
+        params
+      end
+
+      def redirect?
+        @client and (@authorized or not valid?)
+      end
+
+      def redirect_uri
+        return nil unless @client
+        base_redirect_uri = @client.redirect_uri
+        q = (base_redirect_uri =~ /\?/) ? '&' : '?'
+
+        if not valid?
+          query = to_query_string(ERROR, ERROR_DESCRIPTION, STATE)
+          "#{ base_redirect_uri }#{ q }#{ query }"
+
+        elsif @params[RESPONSE_TYPE] == CODE_AND_TOKEN
+          query    = to_query_string(CODE, STATE)
+          fragment = to_query_string(ACCESS_TOKEN, EXPIRES_IN, SCOPE)
+          "#{ base_redirect_uri }#{ query.empty? ? '' : q + query }##{ fragment }"
+
+        elsif @params[RESPONSE_TYPE] == TOKEN
+          fragment = to_query_string(ACCESS_TOKEN, EXPIRES_IN, SCOPE, STATE)
+          "#{ base_redirect_uri }##{ fragment }"
+
+        else
+          query = to_query_string(CODE, SCOPE, STATE)
+          "#{ base_redirect_uri }#{ q }#{ query }"
+        end
+      end
+
+      def response_body
+        warn "RockOAuth::Provider::Authorization no longer returns a response body "+
+          "when the request is invalid. You should call valid? to determine "+
+          "whether to render your login page or an error page."
+        nil
+      end
+
+      def response_headers
+        redirect? ? {} : {'Cache-Control' => 'no-store'}
+      end
+
+      def response_status
+        return 302 if redirect?
+        return 200 if valid?
+        @client ? 302 : 400
+      end
+
+      def valid?
+        @error.nil?
+      end
+
+      private
+
+      def validate!
+        if @transport_error
+          @error = @transport_error.error
+          @error_description = @transport_error.error_description
+          return
+        end
+
+        @client = @params[CLIENT_ID] && Model::Client.find_by_client_id(@params[CLIENT_ID])
+        unless @client
+          @error = INVALID_CLIENT
+          @error_description = "Unknown client ID #{@params[CLIENT_ID]}"
+        end
+
+        REQUIRED_PARAMS.each do |param|
+          next if @params.has_key?(param)
+          @error = INVALID_REQUEST
+          @error_description = "Missing required parameter #{param}"
+        end
+        return if @error
+
+        [SCOPE, STATE].each do |param|
+          next unless @params.has_key?(param)
+          if @params[param] =~ /\r\n/
+            @error = INVALID_REQUEST
+            @error_description = "Illegal value for #{param} parameter"
+          end
+        end
+
+        unless VALID_RESPONSES.include?(@params[RESPONSE_TYPE])
+          @error = UNSUPPORTED_RESPONSE
+          @error_description = "Response type #{@params[RESPONSE_TYPE]} is not supported"
+        end
+
+        @client = Model::Client.find_by_client_id(@params[CLIENT_ID])
+        unless @client
+          @error = INVALID_CLIENT
+          @error_description = "Unknown client ID #{@params[CLIENT_ID]}"
+        end
+
+        if @client and @client.redirect_uri and @client.redirect_uri != @params[REDIRECT_URI]
+          @error = REDIRECT_MISMATCH
+          @error_description = "Parameter #{REDIRECT_URI} does not match registered URI"
+        end
+      end
+
+      def to_query_string(*ivars)
+        ivars.map { |key|
+          value = instance_variable_get("@#{key}")
+          value = value.join(' ') if Array === value
+          value ? "#{ key }=#{ CGI.escape(value.to_s) }" : nil
+        }.compact.join('&')
+      end
+    end
+
+  end
+end

data/lib/rockoauth/provider/error.rb

@@ -0,0 +1,19 @@
+module RockOAuth
+  class Provider
+
+    class Error
+      def initialize(message = nil)
+        @message = message
+      end
+
+      def error
+        INVALID_REQUEST
+      end
+
+      def error_description
+        'Bad request' + (@message ? ": #{@message}" : '')
+      end
+    end
+
+  end
+end

data/lib/rockoauth/provider/exchange.rb

@@ -0,0 +1,225 @@
+module RockOAuth
+  class Provider
+
+    class Exchange
+      attr_reader :client, :error, :error_description
+
+      REQUIRED_PARAMS    = [CLIENT_ID, CLIENT_SECRET, GRANT_TYPE]
+      VALID_GRANT_TYPES  = [AUTHORIZATION_CODE, PASSWORD, ASSERTION, REFRESH_TOKEN]
+
+      REQUIRED_PASSWORD_PARAMS  = [USERNAME, PASSWORD]
+      REQUIRED_ASSERTION_PARAMS = [ASSERTION_TYPE, ASSERTION]
+
+      RESPONSE_HEADERS = {
+        'Cache-Control' => 'no-store',
+        'Content-Type'  => 'application/json'
+      }
+
+      def initialize(resource_owner, params, transport_error = nil)
+        @params          = params
+        @scope           = params[SCOPE]
+        @grant_type      = @params[GRANT_TYPE]
+        @resource_owner  = resource_owner
+
+        @transport_error = transport_error
+
+        validate!
+      end
+
+      def owner
+        @authorization && @authorization.owner
+      end
+
+      def redirect?
+        false
+      end
+
+      def response_body
+        return jsonize(ERROR, ERROR_DESCRIPTION) unless valid?
+        update_authorization
+
+        response = {}
+        [ACCESS_TOKEN, REFRESH_TOKEN, SCOPE].each do |key|
+          value = @authorization.__send__(key)
+          response[key] = value if value
+        end
+        if expiry = @authorization.expires_in
+          response[EXPIRES_IN] = expiry
+        end
+
+        JSON.unparse(response)
+      end
+
+      def response_headers
+        RESPONSE_HEADERS
+      end
+
+      def response_status
+        valid? ? 200 : 400
+      end
+
+      def scopes
+        scopes = @scope ? @scope.split(/\s+/).delete_if { |s| s.empty? } : []
+        Set.new(scopes)
+      end
+
+      def update_authorization
+        return if not valid? or @already_updated
+        @authorization.exchange!
+        @already_updated = true
+      end
+
+      def valid?
+        @error.nil?
+      end
+
+      private
+
+      def jsonize(*ivars)
+        hash = {}
+        ivars.each { |key| hash[key] = instance_variable_get("@#{key}") }
+        JSON.unparse(hash)
+      end
+
+      def validate!
+        if @transport_error
+          @error = @transport_error.error
+          @error_description = @transport_error.error_description
+          return
+        end
+
+        validate_required_params
+
+        return if @error
+        validate_client
+
+        unless VALID_GRANT_TYPES.include?(@grant_type)
+          @error = UNSUPPORTED_GRANT_TYPE
+          @error_description = "The grant type #{@grant_type} is not recognized"
+        end
+        return if @error
+
+        __send__("validate_#{@grant_type}")
+        validate_scope
+      end
+
+      def validate_required_params
+        REQUIRED_PARAMS.each do |param|
+          next if @params.has_key?(param)
+          @error = INVALID_REQUEST
+          @error_description = "Missing required parameter #{param}"
+        end
+      end
+
+      def validate_client
+        @client = Model::Client.find_by_client_id(@params[CLIENT_ID])
+        unless @client
+          @error = INVALID_CLIENT
+          @error_description = "Unknown client ID #{@params[CLIENT_ID]}"
+        end
+
+        if @client and not @client.valid_client_secret?(@params[CLIENT_SECRET])
+          @error = INVALID_CLIENT
+          @error_description = 'Parameter client_secret does not match'
+        end
+      end
+
+      def validate_scope
+        if @authorization and not @authorization.in_scope?(scopes)
+          @error = INVALID_SCOPE
+          @error_description = 'The request scope was never granted by the user'
+        end
+      end
+
+      def validate_authorization_code
+        unless @params[CODE]
+          @error = INVALID_REQUEST
+          @error_description = "Missing required parameter code"
+        end
+
+        if @client.redirect_uri and @client.redirect_uri != @params[REDIRECT_URI]
+          @error = REDIRECT_MISMATCH
+          @error_description = "Parameter redirect_uri does not match registered URI"
+        end
+
+        unless @params.has_key?(REDIRECT_URI)
+          @error = INVALID_REQUEST
+          @error_description = "Missing required parameter redirect_uri"
+        end
+
+        return if @error
+
+        @authorization = @client.authorizations.find_by_code(@params[CODE])
+        validate_authorization
+      end
+
+      def validate_password
+        REQUIRED_PASSWORD_PARAMS.each do |param|
+          next if @params.has_key?(param)
+          @error = INVALID_REQUEST
+          @error_description = "Missing required parameter #{param}"
+        end
+
+        return if @error
+
+        @authorization = Provider.handle_password(@client, @params[USERNAME], @params[PASSWORD], scopes)
+        return validate_authorization if @authorization
+
+        @error = INVALID_GRANT
+        @error_description = 'The access grant you supplied is invalid'
+      end
+
+      def validate_assertion
+        REQUIRED_ASSERTION_PARAMS.each do |param|
+          next if @params.has_key?(param)
+          @error = INVALID_REQUEST
+          @error_description = "Missing required parameter #{param}"
+        end
+
+        if @params[ASSERTION_TYPE]
+          uri = URI.parse(@params[ASSERTION_TYPE]) rescue nil
+          unless uri and uri.absolute?
+            @error = INVALID_REQUEST
+            @error_description = 'Parameter assertion_type must be an absolute URI'
+          end
+        end
+
+        return if @error
+
+        assertion = Assertion.new(@params)
+        @authorization = Provider.handle_assertion(@client, assertion, scopes, @resource_owner)
+        return validate_authorization if @authorization
+
+        @error = UNAUTHORIZED_CLIENT
+        @error_description = 'Client cannot use the given assertion type'
+      end
+
+      def validate_refresh_token
+        refresh_token_hash = RockOAuth.hashify(@params[REFRESH_TOKEN])
+        @authorization = @client.authorizations.find_by_refresh_token_hash(refresh_token_hash)
+        validate_authorization
+      end
+
+      def validate_authorization
+        unless @authorization
+          @error = INVALID_GRANT
+          @error_description = 'The access grant you supplied is invalid'
+        end
+
+        if @authorization and @authorization.expired?
+          @error = INVALID_GRANT
+          @error_description = 'The access grant you supplied is invalid'
+        end
+      end
+    end
+
+    class Assertion
+      attr_reader :type, :value
+      def initialize(params)
+        @type  = params[ASSERTION_TYPE]
+        @value = params[ASSERTION]
+      end
+    end
+
+  end
+end

data/lib/rockoauth/provider.rb

@@ -0,0 +1,133 @@
+require 'base64'
+require 'bcrypt'
+require 'cgi'
+require 'digest/sha1'
+require 'json'
+require 'logger'
+require 'rack'
+
+begin
+  require 'securerandom'
+rescue LoadError
+end
+
+module RockOAuth
+  ROOT = File.dirname(__FILE__)
+  TOKEN_SIZE = 160
+
+  autoload :Model,  ROOT + '/model'
+  autoload :Router, ROOT + '/router'
+  autoload :Schema, ROOT + '/schema'
+
+  def self.random_string
+    if defined? SecureRandom
+      SecureRandom.hex(TOKEN_SIZE / 8).to_i(16).to_s(36)
+    else
+      rand(2 ** TOKEN_SIZE).to_s(36)
+    end
+  end
+
+  def self.generate_id(&predicate)
+    id = random_string
+    id = random_string until predicate.call(id)
+    id
+  end
+
+  def self.hashify(token)
+    return nil unless String === token
+    Digest::SHA1.hexdigest(token)
+  end
+
+  ACCESS_TOKEN           = 'access_token'
+  ASSERTION              = 'assertion'
+  ASSERTION_TYPE         = 'assertion_type'
+  AUTHORIZATION_CODE     = 'authorization_code'
+  CLIENT_ID              = 'client_id'
+  CLIENT_SECRET          = 'client_secret'
+  CODE                   = 'code'
+  CODE_AND_TOKEN         = 'code_and_token'
+  DURATION               = 'duration'
+  ERROR                  = 'error'
+  ERROR_DESCRIPTION      = 'error_description'
+  EXPIRES_IN             = 'expires_in'
+  GRANT_TYPE             = 'grant_type'
+  OAUTH_TOKEN            = 'oauth_token'
+  PASSWORD               = 'password'
+  REDIRECT_URI           = 'redirect_uri'
+  REFRESH_TOKEN          = 'refresh_token'
+  RESPONSE_TYPE          = 'response_type'
+  SCOPE                  = 'scope'
+  STATE                  = 'state'
+  TOKEN                  = 'token'
+  USERNAME               = 'username'
+
+  INVALID_REQUEST        = 'invalid_request'
+  UNSUPPORTED_RESPONSE   = 'unsupported_response_type'
+  REDIRECT_MISMATCH      = 'redirect_uri_mismatch'
+  UNSUPPORTED_GRANT_TYPE = 'unsupported_grant_type'
+  INVALID_GRANT          = 'invalid_grant'
+  INVALID_CLIENT         = 'invalid_client'
+  UNAUTHORIZED_CLIENT    = 'unauthorized_client'
+  INVALID_SCOPE          = 'invalid_scope'
+  INVALID_TOKEN          = 'invalid_token'
+  EXPIRED_TOKEN          = 'expired_token'
+  INSUFFICIENT_SCOPE     = 'insufficient_scope'
+  ACCESS_DENIED          = 'access_denied'
+
+  class Provider
+    EXPIRY_TIME = 3600
+
+    autoload :Authorization, ROOT + '/provider/authorization'
+    autoload :Exchange,      ROOT + '/provider/exchange'
+    autoload :AccessToken,   ROOT + '/provider/access_token'
+    autoload :Error,         ROOT + '/provider/error'
+
+    class << self
+      attr_accessor :realm, :enforce_ssl
+    end
+
+    def self.clear_assertion_handlers!
+      @password_handler   = nil
+      @assertion_handlers = {}
+      @assertion_filters  = []
+    end
+
+    clear_assertion_handlers!
+
+    def self.handle_passwords(&block)
+      @password_handler = block
+    end
+
+    def self.handle_password(client, username, password, scopes)
+      return nil unless @password_handler
+      @password_handler.call(client, username, password, scopes)
+    end
+
+    def self.filter_assertions(&filter)
+      @assertion_filters.push(filter)
+    end
+
+    def self.handle_assertions(assertion_type, &handler)
+      @assertion_handlers[assertion_type] = handler
+    end
+
+    def self.handle_assertion(client, assertion, scopes, resource_owner)
+      return nil unless @assertion_filters.all? { |f| f.call(client) }
+      handler = @assertion_handlers[assertion.type]
+      handler ? handler.call(client, assertion.value, scopes, resource_owner) : nil
+    end
+
+    def self.parse(*args)
+      Router.parse(*args)
+    end
+
+    def self.access_token(*args)
+      Router.access_token(*args)
+    end
+
+    def self.access_token_from_request(*args)
+      Router.access_token_from_request(*args)
+    end
+  end
+
+end

data/lib/rockoauth/router.rb

@@ -0,0 +1,75 @@
+module RockOAuth
+  class Router
+
+    # Public methods in the namespace take either Rack env objects, or Request
+    # objects from Rails/Sinatra and an optional params hash which it then
+    # coerces to Rack requests. This is for backward compatibility; originally
+    # it only took request objects.
+
+    class << self
+      def parse(resource_owner, env)
+        error   = detect_transport_error(env)
+        request = request_from(env)
+        params  = request.params
+        auth    = auth_params(env)
+
+        if auth[CLIENT_ID] and auth[CLIENT_ID] != params[CLIENT_ID]
+          error ||= Provider::Error.new("#{CLIENT_ID} from Basic Auth and request body do not match")
+        end
+
+        params = params.merge(auth)
+
+        if params[GRANT_TYPE]
+          error ||= Provider::Error.new('must be a POST request') unless request.post?
+          Provider::Exchange.new(resource_owner, params, error)
+        else
+          Provider::Authorization.new(resource_owner, params, error)
+        end
+      end
+
+      def access_token(resource_owner, scopes, env)
+        access_token = access_token_from_request(env)
+        Provider::AccessToken.new(resource_owner,
+                                  scopes,
+                                  access_token,
+                                  detect_transport_error(env))
+      end
+
+      def access_token_from_request(env)
+        request = request_from(env)
+        params  = request.params
+        header  = request.env['HTTP_AUTHORIZATION']
+
+        header && header =~ /^OAuth\s+/ ?
+        header.gsub(/^OAuth\s+/, '') :
+          params[OAUTH_TOKEN]
+      end
+
+      private
+
+      def request_from(env_or_request)
+        env = env_or_request.respond_to?(:env) ? env_or_request.env : env_or_request
+        env = Rack::MockRequest.env_for(env['REQUEST_URI'] || '', :input => env['RAW_POST_DATA']).merge(env)
+        Rack::Request.new(env)
+      end
+
+      def auth_params(env)
+        return {} unless basic = env['HTTP_AUTHORIZATION']
+        parts = basic.split(/\s+/)
+        username, password = Base64.decode64(parts.last).split(':')
+        {CLIENT_ID => username, CLIENT_SECRET => password}
+      end
+
+      def detect_transport_error(env)
+        request = request_from(env)
+
+        if Provider.enforce_ssl and not request.ssl?
+          Provider::Error.new('must make requests using HTTPS')
+        elsif request.GET['client_secret']
+          Provider::Error.new('must not send client credentials in the URI')
+        end
+      end
+    end
+
+  end
+end

data/lib/rockoauth/schema/20120828112156_rockoauth_schema_original_schema.rb

@@ -0,0 +1,35 @@
+class RockoauthSchemaOriginalSchema < ActiveRecord::Migration
+  def self.up
+    create_table :oauth2_clients do |t|
+      t.timestamps
+      t.string     :oauth2_client_owner_type
+      t.integer    :oauth2_client_owner_id
+      t.string     :name
+      t.string     :client_id
+      t.string     :client_secret_hash
+      t.string     :redirect_uri
+    end
+    add_index :oauth2_clients, [:client_id]
+
+    create_table :oauth2_authorizations do |t|
+      t.timestamps
+      t.string     :oauth2_resource_owner_type
+      t.integer    :oauth2_resource_owner_id
+      t.belongs_to :client
+      t.string     :scope
+      t.string     :code,               :limit => 40
+      t.string     :access_token_hash,  :limit => 40
+      t.string     :refresh_token_hash, :limit => 40
+      t.datetime   :expires_at
+    end
+    add_index :oauth2_authorizations, [:access_token_hash]
+    add_index :oauth2_authorizations, [:client_id, :code], name: :index_oauth2_client_id_and_code
+    add_index :oauth2_authorizations, [:client_id, :access_token_hash], name: :index_oauth2_client_id_and_access_token_hash
+    add_index :oauth2_authorizations, [:client_id, :refresh_token_hash], name: :index_oauth2_client_id_and_refresh_token_hash
+  end
+
+  def self.down
+    drop_table :oauth2_clients
+    drop_table :oauth2_authorizations
+  end
+end

data/lib/rockoauth/schema/20121024180930_rockoauth_schema_add_authorization_index.rb

@@ -0,0 +1,13 @@
+class RockoauthSchemaAddAuthorizationIndex < ActiveRecord::Migration
+  INDEX_NAME = 'index_owner_client_pairs'
+
+  def self.up
+    remove_index :oauth2_authorizations, name: "index_oauth2_client_id_and_access_token_hash"
+    add_index :oauth2_authorizations, [:client_id, :oauth2_resource_owner_type, :oauth2_resource_owner_id], :name => INDEX_NAME, :unique => true
+  end
+
+  def self.down
+    remove_index :oauth2_authorizations, :name => INDEX_NAME
+    add_index :oauth2_authorizations, [:client_id, :access_token_hash]
+  end
+end