signet 0.1.4 → 0.2.0

data/CHANGELOG

@@ -1,3 +1,7 @@
+== 0.2.0
+
+* Added support for OAuth 2.0 draft 10
+
 == 0.1.4
 
 * Added support for a two-legged authorization flow

data/README

@@ -14,6 +14,8 @@ Signet is an OAuth 1.0 / OAuth 2.0 implementation.
 - {Signet::OAuth1}
 - {Signet::OAuth1::Client}
 - {Signet::OAuth1::Credential}
+- {Signet::OAuth2}
+- {Signet::OAuth2::Client}
 
 == Example Usage for Google
 
@@ -36,6 +38,7 @@ Signet is an OAuth 1.0 / OAuth 2.0 implementation.
   response = client.fetch_protected_resource(
     :uri => 'https://mail.google.com/mail/feed/atom'
   )
+  # The Rack response format is used here
   status, headers, body = response
 
 == Install

data/lib/signet.rb

@@ -15,4 +15,58 @@
 require 'signet/version'
 
 module Signet #:nodoc:
+  def self.parse_auth_param_list(auth_param_string)
+    # Production rules from:
+    # http://tools.ietf.org/html/draft-ietf-httpbis-p1-messaging-12
+    token = /[-!#$\%&'*+.^_`|~0-9a-zA-Z]+/
+    d_qdtext = /[\s\x21\x23-\x5B\x5D-\x7E\x80-\xFF]/
+    d_quoted_pair = /\\[\s\x21-\x7E\x80-\xFF]/
+    d_qs = /"(?:#{d_qdtext}|#{d_quoted_pair})*"/
+    # Production rules that allow for more liberal parsing, i.e. single quotes
+    s_qdtext = /[\s\x21-\x26\x28-\x5B\x5D-\x7E\x80-\xFF]/
+    s_quoted_pair = /\\[\s\x21-\x7E\x80-\xFF]/
+    s_qs = /'(?:#{s_qdtext}|#{s_quoted_pair})*'/
+    # Combine the above production rules to find valid auth-param pairs.
+    auth_param = /((?:#{token})\s*=\s*(?:#{d_qs}|#{s_qs}|#{token}))/
+    auth_param_pairs = []
+    position = 0
+    last_match = nil
+    remainder = auth_param_string
+    # Iterate over the string, consuming pair matches as we go.  Verify that
+    # pre-matches and post-matches contain only allowable characters.
+    #
+    # This would be way easier in Ruby 1.9, but we want backwards
+    # compatibility.
+    while (match = remainder.match(auth_param))
+      if match.pre_match && match.pre_match !~ /^[\s,]*$/
+        raise ParseError,
+          "Unexpected auth param format: '#{auth_param_string}'."
+      end
+      pair = match.captures[0]
+      auth_param_pairs << pair
+      remainder = match.post_match
+      last_match = match
+    end
+    if last_match.post_match && last_match.post_match !~ /^[\s,]*$/
+      raise ParseError,
+        "Unexpected auth param format: '#{auth_param_string}'."
+    end
+    # Now parse the auth-param pair strings & turn them into key-value pairs.
+    return (auth_param_pairs.inject([]) do |accu, pair|
+      name, value = pair.split('=', 2)
+      if value =~ /^".*"$/
+        value = value.gsub(/^"(.*)"$/, '\1').gsub(/\\(.)/, '\1')
+      elsif value =~ /^'.*'$/
+        value = value.gsub(/^'(.*)'$/, '\1').gsub(/\\(.)/, '\1')
+      elsif value =~ /[\(\)<>@,;:\\\"\/\[\]?={}]/
+        # Certain special characters are not allowed
+        raise ParseError, (
+          "Unexpected characters in auth param " +
+          "list: '#{auth_param_string}'."
+        )
+      end
+      accu << [name, value]
+      accu
+    end)
+  end
 end

data/lib/signet/errors.rb

@@ -12,27 +12,62 @@
 #    See the License for the specific language governing permissions and
 #    limitations under the License.
 
-module Signet #:nodoc:
+require 'addressable/uri'
+
+module Signet
+  ##
+  # An error indicating that the client has aborted an operation that
+  # would have been unsafe to perform.
+  class UnsafeOperationError < StandardError
+  end
+
+  ##
+  # An error indicating the client failed to parse a value.
+  class ParseError < StandardError
+  end
+
+  ##
+  # An error indicating the server refused to authorize the client.
   class AuthorizationError < StandardError
     ##
     # Creates a new authentication error.
     #
     # @param [String] message
     #   A message describing the error.
-    # @param [Array] request
-    #   A tuple of method, uri, headers, and body.  Optional.
-    # @param [Array] response
-    #   A tuple of status, headers, and body.  Optional.
-    def initialize(message, request=nil, response=nil)
+    # @param [Hash] options
+    #   The configuration parameters for the request.
+    #   - <code>:request</code> —
+    #     A tuple of method, uri, headers, and body.  Optional.
+    #   - <code>:response</code> —
+    #     A tuple of status, headers, and body.  Optional.
+    #   - <code>:code</code> —
+    #     An error code.
+    #   - <code>:description</code> —
+    #     Human-readable text intended to be used to assist in resolving the
+    #     error condition.
+    #   - <code>:uri</code> —
+    #     A URI identifying a human-readable web page with additional
+    #     information about the error, indended for the resource owner.
+    def initialize(message, options={})
       super(message)
-      @request = request
-      @response = response
+      @options = options
+      @request = options[:request]
+      @response = options[:response]
+      @code = options[:code]
+      @description = options[:description]
+      @uri = Addressable::URI.parse(options[:uri])
     end
 
+    ##
+    # The HTTP request that triggered this authentication error.
+    #
+    # @return [Array] A tuple of method, uri, headers, and body.
+    attr_reader :request
+
     ##
     # The HTTP response that triggered this authentication error.
     #
     # @return [Array] A tuple of status, headers, and body.
     attr_reader :response
   end
-end
+end

data/lib/signet/oauth_1.rb

@@ -1,4 +1,5 @@
 require 'addressable/uri'
+require 'signet'
 
 begin
   require 'securerandom'
@@ -226,27 +227,27 @@ module Signet #:nodoc:
     # Parses an <code>Authorization</code> header into its component
     # parameters.  Parameter keys and values are decoded according to the
     # rules given in RFC 5849.
-    def self.parse_authorization_header(header)
-      if !header.kind_of?(String)
-        raise TypeError, "Expected String, got #{header.class}."
+    def self.parse_authorization_header(field_value)
+      if !field_value.kind_of?(String)
+        raise TypeError, "Expected String, got #{field_value.class}."
       end
-      unless header[0...6] == 'OAuth '
-        raise ArgumentError,
+      auth_scheme = field_value[/^([-._0-9a-zA-Z]+)/, 1]
+      case auth_scheme
+      when /^OAuth$/i
+        # Other token types may be supported eventually
+        pairs = Signet.parse_auth_param_list(field_value[/^OAuth\s+(.*)$/i, 1])
+        return (pairs.inject([]) do |accu, (k, v)|
+          if k != 'realm'
+            k = self.unencode(k)
+            v = self.unencode(v)
+          end
+          accu << [k, v]
+          accu
+        end)
+      else
+        raise ParseError,
           'Parsing non-OAuth Authorization headers is out of scope.'
       end
-      header = header.gsub(/^OAuth /, '')
-      return header.split(/,\s*/).inject([]) do |accu, pair|
-        k = pair[/^(.*?)=\"[^\"]*\"/, 1]
-        v = pair[/^.*?=\"([^\"]*)\"/, 1]
-        if k != 'realm'
-          k = self.unencode(k)
-          v = self.unencode(v)
-        else
-          v = v.gsub('\"', '"')
-        end
-        accu << [k, v]
-        accu
-      end
     end
 
     ##
@@ -356,7 +357,7 @@ module Signet #:nodoc:
       }.merge(options)
       temporary_credential_key =
         self.extract_credential_key_option(:temporary, options)
-      parsed_uri = Addressable::URI.parse(authorization_uri)
+      parsed_uri = Addressable::URI.parse(authorization_uri).dup
       query_values = parsed_uri.query_values || {}
       if options[:additional_parameters]
         query_values = query_values.merge(

data/lib/signet/oauth_1/client.rb

@@ -14,11 +14,12 @@
 
 require 'stringio'
 require 'addressable/uri'
+require 'signet'
+require 'signet/errors'
 require 'signet/oauth_1'
 require 'signet/oauth_1/credential'
-require 'signet/errors'
 
-module Signet #:nodoc:
+module Signet
   module OAuth1
     class Client
       ##
@@ -28,7 +29,8 @@ module Signet #:nodoc:
       #   The configuration parameters for the client.
       #   - <code>:temporary_credential_uri</code> —
       #     The OAuth temporary credentials URI.
-      #   - <code>:authorization_uri</code> —  The OAuth authorization URI.
+      #   - <code>:authorization_uri</code> —
+      #     The OAuth authorization URI.
       #   - <code>:token_credential_uri</code> —
       #     The OAuth token credentials URI.
       #   - <code>:client_credential_key</code> —
@@ -555,6 +557,7 @@ module Signet #:nodoc:
           )
         ]
         headers = [authorization_header]
+        headers << ['Cache-Control', 'no-store']
         if method == 'POST'
           headers << ['Content-Type', 'application/x-www-form-urlencoded']
         end
@@ -622,15 +625,17 @@ module Signet #:nodoc:
           if body.strip.length > 0
             message += "  Server message:\n#{body.strip}"
           end
-          error = ::Signet::AuthorizationError.new(message, request, response)
-          raise error
+          raise ::Signet::AuthorizationError.new(
+            message, :request => request, :response => response
+          )
         else
           message = "Unexpected status code: #{status}."
           if body.strip.length > 0
             message += "  Server message:\n#{body.strip}"
           end
-          error = ::Signet::AuthorizationError.new(message, request, response)
-          raise error
+          raise ::Signet::AuthorizationError.new(
+            message, :request => request, :response => response
+          )
         end
       end
       alias_method(
@@ -727,6 +732,7 @@ module Signet #:nodoc:
           )
         ]
         headers = [authorization_header]
+        headers << ['Cache-Control', 'no-store']
         if method == 'POST'
           headers << ['Content-Type', 'application/x-www-form-urlencoded']
         end
@@ -792,15 +798,17 @@ module Signet #:nodoc:
           if body.strip.length > 0
             message += "  Server message:\n#{body.strip}"
           end
-          error = ::Signet::AuthorizationError.new(message, request, response)
-          raise error
+          raise ::Signet::AuthorizationError.new(
+            message, :request => request, :response => response
+          )
         else
           message = "Unexpected status code: #{status}."
           if body.strip.length > 0
             message += "  Server message:\n#{body.strip}"
           end
-          error = ::Signet::AuthorizationError.new(message, request, response)
-          raise error
+          raise ::Signet::AuthorizationError.new(
+            message, :request => request, :response => response
+          )
         end
       end
       alias_method(
@@ -959,6 +967,7 @@ module Signet #:nodoc:
           )
         ]
         headers << authorization_header
+        headers << ['Cache-Control', 'no-store']
         return [method, uri.to_str, headers, [body]]
       end
 
@@ -1032,8 +1041,9 @@ module Signet #:nodoc:
           if body.strip.length > 0
             message += "  Server message:\n#{body.strip}"
           end
-          error = ::Signet::AuthorizationError.new(message, request, response)
-          raise error
+          raise ::Signet::AuthorizationError.new(
+            message, :request => request, :response => response
+          )
         else
           return response
         end

data/lib/signet/oauth_2.rb

@@ -0,0 +1,148 @@
+# Copyright (C) 2010 Google Inc.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+
+require 'base64'
+require 'signet'
+require 'json'
+
+module Signet #:nodoc:
+  ##
+  # An implementation of http://tools.ietf.org/html/draft-ietf-oauth-v2-10
+  #
+  # This module will be updated periodically to support newer drafts of the
+  # specification, as they become widely deployed.
+  module OAuth2
+    def self.parse_authorization_header(field_value)
+      auth_scheme = field_value[/^([-._0-9a-zA-Z]+)/, 1]
+      case auth_scheme
+      when /^Basic$/i
+        # HTTP Basic is allowed in OAuth 2
+        return self.parse_basic_credentials(field_value[/^Basic\s+(.*)$/i, 1])
+      when /^OAuth$/i
+        # Other token types may be supported eventually
+        return self.parse_bearer_credentials(field_value[/^OAuth\s+(.*)$/i, 1])
+      else
+        raise ParseError,
+          'Parsing non-OAuth Authorization headers is out of scope.'
+      end
+    end
+
+    def self.parse_www_authenticate_header(field_value)
+      auth_scheme = field_value[/^([-._0-9a-zA-Z]+)/, 1]
+      case auth_scheme
+      when /^OAuth$/i
+        # Other token types may be supported eventually
+        return self.parse_oauth_challenge(field_value[/^OAuth\s+(.*)$/i, 1])
+      else
+        raise ParseError,
+          'Parsing non-OAuth WWW-Authenticate headers is out of scope.'
+      end
+    end
+
+    def self.parse_basic_credentials(credential_string)
+      decoded = Base64.decode64(credential_string)
+      client_id, client_secret = decoded.split(':', 2)
+      return [['client_id', client_id], ['client_secret', client_secret]]
+    end
+
+    def self.parse_bearer_credentials(credential_string)
+      access_token = credential_string[/^([^,\s]+)(?:\s|,|$)/i, 1]
+      parameters = []
+      parameters << ['access_token', access_token]
+      auth_param_string = credential_string[/^(?:[^,\s]+)\s*,\s*(.*)$/i, 1]
+      if auth_param_string
+        # This code will rarely get called, but is included for completeness
+        parameters.concat(Signet.parse_auth_param_list(auth_param_string))
+      end
+      return parameters
+    end
+
+    def self.parse_oauth_challenge(challenge_string)
+      return Signet.parse_auth_param_list(challenge_string)
+    end
+
+    def self.parse_json_credentials(body)
+      if !body.kind_of?(String)
+        raise TypeError, "Expected String, got #{body.class}."
+      end
+      return JSON.parse(body)
+    end
+
+    ##
+    # Generates a Basic Authorization header from a client identifier and a
+    # client password.
+    #
+    # @param [String] client_id
+    #   The client identifier.
+    # @param [String] client_password
+    #   The client password.
+    #
+    # @return [String]
+    #   The value for the HTTP Basic Authorization header.
+    def self.generate_basic_authorization_header(client_id, client_password)
+      if client_id =~ /:/
+        raise ArgumentError,
+          "A client identifier may not contain a ':' character."
+      end
+      return 'Basic ' + Base64.encode64(
+        client_id + ':' + client_password
+      ).gsub(/\n/, '')
+    end
+
+    ##
+    # Generates a Basic Authorization header from a client identifier and a
+    # client password.
+    #
+    # @param [String] client_id
+    #   The client identifier.
+    # @param [String] client_password
+    #   The client password.
+    #
+    # @return [String]
+    #   The value for the HTTP Basic Authorization header.
+    def self.generate_bearer_authorization_header(
+        access_token, auth_params=nil)
+      # TODO: escaping?
+      header = "OAuth #{access_token}"
+      if auth_params && !auth_params.empty?
+        header += (", " +
+          auth_params.inject('') do |accu, (key, value)|
+            accu += "#{key}=\"#{value}\""
+            accu
+          end
+        )
+      end
+      return header
+    end
+
+    ##
+    # Appends the necessary OAuth parameters to
+    # the base authorization endpoint URI.
+    #
+    # @param [Addressable::URI, String, #to_str] authorization_uri
+    #   The base authorization endpoint URI.
+    #
+    # @return [String] The authorization URI to redirect the user to.
+    def self.generate_authorization_uri(authorization_uri, parameters={})
+      for key, value in parameters
+        parameters.delete(key) if value == nil
+      end
+      parsed_uri = Addressable::URI.parse(authorization_uri).dup
+      query_values = parsed_uri.query_values || {}
+      query_values = query_values.merge(parameters)
+      parsed_uri.query_values = query_values
+      return parsed_uri.normalize.to_s
+    end
+  end
+end