signet 0.4.3 → 0.4.4

data/CHANGELOG.md

@@ -1,3 +1,7 @@
+# 0.4.4
+
+* Add support for assertion profile
+
 # 0.4.3
 
 * Added method to clear credentials

data/lib/signet/oauth_2/client.rb

@@ -58,6 +58,14 @@ module Signet
       #     The resource owner's username.
       #   - <code>:password</code> —
       #     The resource owner's password.
+      #   - <code>:issuer</code> —
+      #     Issuer ID when using assertion profile
+      #   - <code>:person</code> -
+      #     Target user for assertions
+      #   - <code>:expiry</code> -
+      #     Number of seconds assertions are valid for
+      #   - <code>:signing_key</code> —
+      #     Signing key when using assertion profile
       #   - <code>:refresh_token</code> —
       #     The refresh token associated with the access token
       #     to be refreshed.
@@ -116,6 +124,16 @@ module Signet
       #     The resource owner's username.
       #   - <code>:password</code> —
       #     The resource owner's password.
+      #   - <code>:issuer</code> —
+      #     Issuer ID when using assertion profile
+      #   - <code>:audience</code> —
+      #     Target audience for assertions
+      #   - <code>:person</code> -
+      #     Target user for assertions
+      #   - <code>:expiry</code> -
+      #     Number of seconds assertions are valid for
+      #   - <code>:signing_key</code> —
+      #     Signing key when using assertion profile
       #   - <code>:refresh_token</code> —
       #     The refresh token associated with the access token
       #     to be refreshed.
@@ -149,6 +167,11 @@ module Signet
         self.redirect_uri = options["redirect_uri"]
         self.username = options["username"]
         self.password = options["password"]
+        self.issuer = options["issuer"]
+        self.person = options["person"]
+        self.expiry = options["expiry"] || 60
+        self.audience = options["audience"]
+        self.signing_key = options["signing_key"]
         self.extension_parameters = options["extension_parameters"] || {}
         self.update_token!(options)
         return self
@@ -451,6 +474,109 @@ module Signet
         @password = new_password
       end
 
+      ##
+      # Returns the issuer ID associated with this client.
+      # Used only by the assertion grant type.
+      #
+      # @return [String] Issuer id.
+      def issuer
+        return @issuer
+      end
+
+      ##
+      # Sets the issuer ID associated with this client.
+      # Used only by the assertion grant type.
+      #
+      # @param [String] new_issuer
+      #   Issuer ID (typical in email adddress form).
+      def issuer=(new_issuer)
+        @issuer = new_issuer
+      end
+
+      ##
+      # Returns the issuer ID associated with this client.
+      # Used only by the assertion grant type.
+      #
+      # @return [String] Target audience ID.
+      def audience
+        return @audience
+      end
+
+      ##
+      # Sets the target audience ID when issuing assertions.
+      # Used only by the assertion grant type.
+      #
+      # @param [String] new_issuer
+      #   Target audience ID
+      def audience=(new_audience)
+        @audience = new_audience
+      end
+
+      ##
+      # Returns the target resource owner for impersonation.
+      # Used only by the assertion grant type.
+      #
+      # @return [String] Target user for impersonation.
+      def person
+        return @person
+      end
+
+      ##
+      # Sets the target resource owner for impersonation.
+      # Used only by the assertion grant type.
+      #
+      # @param [String] new_person
+      #   Target user for impersonation
+      def person=(new_person)
+        @person = new_person
+      end
+      
+      ##
+      # Returns the number of seconds assertions are valid for
+      # Used only by the assertion grant type.
+      #
+      # @return [Fixnum] Assertion expiry, in seconds
+      def expiry
+        return @expiry
+      end
+
+      ##
+      # Sets the number of seconds assertions are valid for
+      # Used only by the assertion grant type.
+      #
+      # @param [String] new_expiry
+      #   Assertion expiry, in seconds
+      def expiry=(new_expiry)
+        @expiry = new_expiry
+      end
+      
+      
+      ##
+      # Returns the signing key associated with this client.
+      # Used only by the assertion grant type.
+      #
+      # @return [String,OpenSSL::PKey] Signing key
+      def signing_key
+        return @signing_key
+      end
+
+      ##
+      # Sets the signing key when issuing assertions.
+      # Used only by the assertion grant type.
+      #
+      # @param [String, OpenSSL::Pkey] new_key
+      #   Signing key. Either private key for RSA or string for HMAC algorithm
+      def signing_key=(new_key)
+        @signing_key = new_key
+      end
+      
+      ##
+      # Algorithm used for signing JWTs
+      # @return [String] Signing algorithm
+      def signing_algorithm
+        self.signing_key.is_a?(String) ? "HS256" : "RS256"
+      end
+      
       ##
       # Returns the set of extension parameters used by the client.
       # Used only by extension access grant types.
@@ -637,6 +763,8 @@ module Signet
             'refresh_token'
           elsif self.username && self.password
             'password'
+          elsif self.issuer && self.signing_key
+            'urn:ietf:params:oauth:grant-type:jwt-bearer'
           else
             # We don't have sufficient auth information, assume an out-of-band
             # authorization arrangement between the client and server, or an
@@ -656,6 +784,20 @@ module Signet
         end
       end
 
+      def to_jwt(options={})
+        now = Time.new        
+        skew = options[:skew] || 60
+        assertion = {
+          "iss" => self.issuer,
+          "scope" => self.scope.join(' '),
+          "aud" => self.audience,
+          "exp" => (now + self.expiry).to_i,
+          "iat" => (now - skew).to_i
+        }
+        assertion['prn'] = self.person unless self.person.nil?
+        JWT.encode(assertion, self.signing_key, self.signing_algorithm)
+      end
+      
       ##
       # Generates a request for token credentials.
       #
@@ -682,6 +824,8 @@ module Signet
           parameters['password'] = self.password
         when 'refresh_token'
           parameters['refresh_token'] = self.refresh_token
+        when 'urn:ietf:params:oauth:grant-type:jwt-bearer'
+          parameters['assertion'] = self.to_jwt(options)
         else
           if self.redirect_uri
             # Grant type was intended to be `authorization_code` because of
@@ -747,6 +891,12 @@ module Signet
         return token_hash
       end
 
+      ## 
+      # Refresh the access token, if possible
+      def refresh!
+        self.fetch_access_token!
+      end
+      
       ##
       # Generates an authenticated request for protected resources.
       #

data/lib/signet/version.rb

@@ -18,7 +18,7 @@ unless defined? Signet::VERSION
     module VERSION
       MAJOR = 0
       MINOR = 4
-      TINY  = 3
+      TINY  = 4
 
       STRING = [MAJOR, MINOR, TINY].join('.')
     end

data/spec/signet/oauth_2/client_spec.rb

@@ -139,6 +139,91 @@ describe Signet::OAuth2::Client, 'unconfigured' do
   end
 end
 
+describe Signet::OAuth2::Client, 'configured for assertions profile' do
+  
+  describe 'when using RSA keys' do
+    before do
+      @key = OpenSSL::PKey::RSA.new 2048
+      @client = Signet::OAuth2::Client.new(
+        :token_credential_uri =>
+          'https://accounts.google.com/o/oauth2/token',
+        :scope => 'https://www.googleapis.com/auth/userinfo.profile',
+        :issuer => 'app@example.com',
+        :audience => 'https://accounts.google.com/o/oauth2/token',
+        :signing_key => @key
+      )
+    end
+
+    it 'should generate valid JWTs' do
+      jwt = @client.to_jwt
+      jwt.should_not == nil
+
+      claim = JWT.decode(jwt, @key.public_key, true)
+      claim["iss"].should == 'app@example.com'
+      claim["scope"].should == 'https://www.googleapis.com/auth/userinfo.profile'
+      claim["aud"].should == 'https://accounts.google.com/o/oauth2/token'
+    end
+
+    it 'should generate valid JWTs for impersonation' do
+      @client.person = 'user@example.com'
+      jwt = @client.to_jwt
+      jwt.should_not == nil
+
+      claim = JWT.decode(jwt, @key.public_key, true)
+      claim["iss"].should == 'app@example.com'
+      claim["prn"].should == 'user@example.com'
+      claim["scope"].should == 'https://www.googleapis.com/auth/userinfo.profile'
+      claim["aud"].should == 'https://accounts.google.com/o/oauth2/token'
+    end
+
+    it 'should send valid access token request' do
+      stubs = Faraday::Adapter::Test::Stubs.new do |stub|
+        stub.post('/o/oauth2/token') do |env|
+          params = Addressable::URI.form_unencode(env[:body])
+          jwt = JWT.decode(params.assoc("assertion").last, @key.public_key)
+          params.assoc("grant_type").should == ['grant_type','urn:ietf:params:oauth:grant-type:jwt-bearer']
+          [200, {}, '{
+            "access_token" : "1/abcdef1234567890",
+            "token_type" : "Bearer",
+            "expires_in" : 3600
+          }']
+        end
+      end
+      connection = Faraday.new(:url => 'https://www.google.com') do |builder|
+        builder.adapter(:test, stubs)
+      end
+
+      @client.fetch_access_token!(:connection => connection)
+      @client.access_token.should == "1/abcdef1234567890"
+      stubs.verify_stubbed_calls    
+    end
+  end
+    
+  describe 'when using shared secrets' do
+    before do
+      @key = 'my secret key'
+      @client = Signet::OAuth2::Client.new(
+        :token_credential_uri =>
+          'https://accounts.google.com/o/oauth2/token',
+        :scope => 'https://www.googleapis.com/auth/userinfo.profile',
+        :issuer => 'app@example.com',
+        :audience => 'https://accounts.google.com/o/oauth2/token',
+        :signing_key => @key
+      )
+    end
+
+    it 'should generate valid JWTs' do
+      jwt = @client.to_jwt
+      jwt.should_not == nil
+
+      claim = JWT.decode(jwt, @key, true)
+      claim["iss"].should == 'app@example.com'
+      claim["scope"].should == 'https://www.googleapis.com/auth/userinfo.profile'
+      claim["aud"].should == 'https://accounts.google.com/o/oauth2/token'
+    end
+  end
+end
+
 describe Signet::OAuth2::Client, 'configured for Google userinfo API' do
   before do
     @client = Signet::OAuth2::Client.new(

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: signet
 version: !ruby/object:Gem::Version
-  version: 0.4.3
+  version: 0.4.4
   prerelease: 
 platform: ruby
 authors:
@@ -9,11 +9,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2012-10-05 00:00:00.000000000 Z
+date: 2012-12-08 00:00:00.000000000Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: addressable
-  requirement: !ruby/object:Gem::Requirement
+  requirement: &70335622285100 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -21,15 +21,10 @@ dependencies:
         version: 2.2.3
   type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 2.2.3
+  version_requirements: *70335622285100
 - !ruby/object:Gem::Dependency
   name: faraday
-  requirement: !ruby/object:Gem::Requirement
+  requirement: &70335622284080 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -37,15 +32,10 @@ dependencies:
         version: 0.8.1
   type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ~>
-      - !ruby/object:Gem::Version
-        version: 0.8.1
+  version_requirements: *70335622284080
 - !ruby/object:Gem::Dependency
   name: multi_json
-  requirement: !ruby/object:Gem::Requirement
+  requirement: &70335622283520 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -53,15 +43,10 @@ dependencies:
         version: 1.0.0
   type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 1.0.0
+  version_requirements: *70335622283520
 - !ruby/object:Gem::Dependency
   name: jwt
-  requirement: !ruby/object:Gem::Requirement
+  requirement: &70335622282880 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -69,15 +54,10 @@ dependencies:
         version: 0.1.5
   type: :runtime
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 0.1.5
+  version_requirements: *70335622282880
 - !ruby/object:Gem::Dependency
   name: rake
-  requirement: !ruby/object:Gem::Requirement
+  requirement: &70335622281960 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -85,15 +65,10 @@ dependencies:
         version: 0.9.0
   type: :development
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 0.9.0
+  version_requirements: *70335622281960
 - !ruby/object:Gem::Dependency
   name: rspec
-  requirement: !ruby/object:Gem::Requirement
+  requirement: &70335622281020 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -101,15 +76,10 @@ dependencies:
         version: 2.11.0
   type: :development
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 2.11.0
+  version_requirements: *70335622281020
 - !ruby/object:Gem::Dependency
   name: launchy
-  requirement: !ruby/object:Gem::Requirement
+  requirement: &70335622273940 !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -117,12 +87,7 @@ dependencies:
         version: 2.1.1
   type: :development
   prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    none: false
-    requirements:
-    - - ! '>='
-      - !ruby/object:Gem::Version
-        version: 2.1.1
+  version_requirements: *70335622273940
 description: ! 'Signet is an OAuth 1.0 / OAuth 2.0 implementation.
 
 '
@@ -194,7 +159,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 1.8.10
 signing_key: 
 specification_version: 3
 summary: Signet is an OAuth 1.0 / OAuth 2.0 implementation.