simple_oauth2 0.0.0

data/lib/simple_oauth2/mixins/nobrainer/access_grant.rb

@@ -0,0 +1,62 @@
+module Simple
+  module OAuth2
+    module NoBrainer
+      # Includes all the required API, associations, validations and callbacks
+      module AccessGrant
+        extend ActiveSupport::Concern
+
+        included do # rubocop:disable Metrics/BlockLength
+          include ::NoBrainer::Document
+          include ::NoBrainer::Document::Timestamps
+
+          belongs_to :client, class_name: Simple::OAuth2.config.client_class_name,
+                              foreign_key: :client_id, primary_key: :id
+          belongs_to :resource_owner, class_name: Simple::OAuth2.config.resource_owner_class_name,
+                                      foreign_key: :resource_owner_id, primary_key: :id
+
+          before_save { self.updated_at = Time.now }
+          before_validation :setup_expiration, if: :new_record?
+
+          field :resource_owner_id, type: String, index: true, required: true
+          field :client_id,         type: String, index: true, required: true
+
+          field :token,
+                type: String,
+                required: true,
+                uniq: true,
+                index: true,
+                default: -> { Simple::OAuth2.config.token_generator.generate }
+
+          field :redirect_uri, type: String, required: true
+          field :scopes,       type: String
+
+          field :revoked_at, type: Time
+          field :expires_at, type: Time, required: true
+          field :created_at, type: Time, required: true, default: -> { Time.now }
+          field :updated_at, type: Time, required: true, default: -> { Time.now }
+
+          class << self
+            def create_for(client, resource_owner, redirect_uri, scopes = nil)
+              create(
+                client_id: client.id,
+                resource_owner_id: resource_owner.id,
+                redirect_uri: redirect_uri,
+                scopes: scopes
+              )
+            end
+
+            def authenticate(token)
+              where(token: token.to_s).first
+            end
+          end
+
+          private
+
+          def setup_expiration
+            self.expires_at = Time.now.utc + Simple::OAuth2.config.authorization_code_lifetime if expires_at.nil?
+          end
+        end
+      end
+    end
+  end
+end

data/lib/simple_oauth2/mixins/nobrainer/access_token.rb

@@ -0,0 +1,98 @@
+module Simple
+  module OAuth2
+    module NoBrainer
+      # Includes all the required API, associations, validations and callbacks
+      module AccessToken
+        extend ActiveSupport::Concern
+
+        included do # rubocop:disable Metrics/BlockLength
+          include ::NoBrainer::Document
+          include ::NoBrainer::Document::Timestamps
+
+          before_save { self.updated_at = Time.now }
+          before_validation :setup_expiration, if: :new_record?
+
+          belongs_to :client, class_name: Simple::OAuth2.config.client_class_name,
+                              foreign_key: :client_id, primary_key: :id
+          belongs_to :resource_owner, class_name: Simple::OAuth2.config.resource_owner_class_name,
+                                      foreign_key: :resource_owner_id, primary_key: :id
+
+          field :resource_owner_id, type: String, index: true, required: true
+          field :client_id,         type: String, index: true, required: true
+          field :token,
+                type: String,
+                index: true,
+                required: true,
+                uniq: true,
+                default: -> { Simple::OAuth2.config.token_generator.generate }
+          field :refresh_token,
+                type: String,
+                index: true,
+                uniq: true,
+                default: -> do
+                  if Simple::OAuth2.config.issue_refresh_token
+                    Simple::OAuth2.config.token_generator.generate
+                  else
+                    ''
+                  end
+                end
+
+          field :scopes,     type: String
+
+          field :revoked_at, type: Time
+          field :expires_at, type: Time, required: true
+          field :created_at, type: Time, required: true, default: -> { Time.now }
+          field :updated_at, type: Time, required: true, default: -> { Time.now }
+
+          class << self
+            def create_for(client, resource_owner, scopes = nil)
+              create(
+                client_id: client.id,
+                resource_owner_id: resource_owner.id,
+                scopes: scopes
+              )
+            end
+
+            def authenticate(token, token_type_hint = nil)
+              return if token.blank?
+
+              if token_type_hint == 'refresh_token'
+                where(refresh_token: token).first
+              else
+                where(token: token).first
+              end
+            end
+          end
+
+          def expired?
+            expires_at && Time.now.utc > expires_at
+          end
+
+          def revoked?
+            revoked_at && revoked_at <= Time.now.utc
+          end
+
+          def revoke!(revoked_at = Time.now.utc)
+            update!(revoked_at: revoked_at)
+          end
+
+          def to_bearer_token
+            {
+              access_token: token,
+              expires_in: expires_at && Simple::OAuth2.config.access_token_lifetime.to_i,
+              refresh_token: refresh_token,
+              scope: scopes
+            }
+          end
+
+          private
+
+          def setup_expiration
+            expires_in = Simple::OAuth2.config.access_token_lifetime.to_i
+            self.expires_at = Time.now.utc + expires_in if expires_at.nil? && !expires_in.nil?
+          end
+        end
+      end
+    end
+  end
+end

data/lib/simple_oauth2/mixins/nobrainer/client.rb

@@ -0,0 +1,43 @@
+module Simple
+  module OAuth2
+    module NoBrainer
+      # Includes all the required API, associations, validations and callbacks
+      module Client
+        extend ActiveSupport::Concern
+
+        included do
+          include ::NoBrainer::Document
+          include ::NoBrainer::Document::Timestamps
+
+          before_save { self.updated_at = Time.now }
+
+          has_many :access_tokens, class_name: Simple::OAuth2.config.access_token_class_name, foreign_key: :client_id
+          has_many :access_grants, class_name: Simple::OAuth2.config.access_grant_class_name, foreign_key: :client_id
+
+          field :name,         type: String, required: true
+          field :redirect_uri, type: String, required: true
+
+          field :key,
+                type: String,
+                required: true,
+                index: true,
+                uniq: true,
+                default: -> { Simple::OAuth2.config.token_generator.generate }
+          field :secret,
+                type: String,
+                required: true,
+                index: true,
+                uniq: true,
+                default: -> { Simple::OAuth2.config.token_generator.generate }
+
+          field :created_at, type: Time, required: true, default: -> { Time.now }
+          field :updated_at, type: Time, required: true, default: -> { Time.now }
+
+          def self.authenticate(key)
+            where(key: key.to_s).first
+          end
+        end
+      end
+    end
+  end
+end

data/lib/simple_oauth2/resource/bearer.rb

@@ -0,0 +1,20 @@
+module Simple
+  module OAuth2
+    module Resource
+      # OAuth2 middleware Protected Resource Endpoint
+      class Bearer
+        def initialize(app)
+          @app = app
+        end
+
+        # See https://github.com/nov/rack-oauth2/wiki/Server-Resource-Endpoint
+        def call(env)
+          app = Rack::OAuth2::Server::Resource::Bearer.new(@app, Simple::OAuth2.config.realm) do |req|
+            Simple::OAuth2.config.token_authenticator.call(req)
+          end
+          app.call(env)
+        end
+      end
+    end
+  end
+end

data/lib/simple_oauth2/responses.rb

@@ -0,0 +1,62 @@
+module Simple
+  module OAuth2
+    # Processes Rack Responses and contains helper methods
+    #
+    # @return [Object] Rack response
+    #
+    # @example
+    #   rack_response = [
+    #     200,
+    #     { 'Content-Type' => 'application/json' },
+    #     Rack::BodyProxy.new(Rack::Response.new('200'.to_json))
+    #   ]
+    #   response = Simple::OAuth2::Responses.new(rack_response)
+    #
+    #   response.status  #=> 200
+    #   response.headers #=> {}
+    #   response.body    #=> '200'
+    #   response         #=> <Simple::OAuth2::Responses:0x007fc9f32080b8 @response=[
+    #     200,
+    #     {},
+    #     <Rack::BodyProxy:0x007fc9f3208108
+    #       @block=nil,
+    #       @body= <Rack::Response:0x007fc9f3208388
+    #         @block=nil,
+    #         @body=["\"200\""],
+    #         @header={"Content-Length"=>"5"},
+    #         @length=5,
+    #         @status=200
+    #       >,
+    #       @closed=false
+    #     >
+    #   ]
+    #
+    class Responses
+      # Simple::OAuth2 response class
+      #
+      # @param response [Array] raw Rack::Response object
+      #
+      def initialize(response)
+        @response = response
+      end
+
+      # Response status
+      def status
+        @response[0]
+      end
+
+      # Response headers
+      def headers
+        @response[1]
+      end
+
+      # Response JSON-parsed body
+      def body
+        response_body = @response[2].body.first
+        return {} if response_body.nil? || response_body.empty?
+
+        JSON.parse(response_body)
+      end
+    end
+  end
+end

data/lib/simple_oauth2/scopes.rb

@@ -0,0 +1,59 @@
+module Simple
+  module OAuth2
+    # Scopes helper for scopes validation
+    class Scopes
+      # Checks if requested scopes are valid
+      #
+      # @param access_scopes [Array] scopes of AccessToken class
+      # @param scopes [Array<String, Symbol>] array, symbol, string of any object that responds to `to_a`
+      #
+      def self.valid?(access_scopes, scopes)
+        new(access_scopes, scopes).valid?
+      end
+
+      # Helper class initializer
+      #
+      # @param access_scopes [Array] scopes of AccessToken class
+      # @param scopes [Array<String, Symbol>] array, symbol, string of any object that responds to `to_a`
+      #
+      def initialize(access_scopes, scopes = [])
+        @scopes = to_array(scopes)
+        @access_scopes = to_array(access_scopes)
+      end
+
+      # Checks if requested scopes (passed and processed on initialization) are presented in the AccessToken
+      #
+      # @return [Boolean] true if requested scopes are empty or present in access_scopes
+      #
+      def valid?
+        @scopes.empty? || present_in_access_token?
+      end
+
+      private
+
+      # Checks if scopes present in access_scopes
+      #
+      # @return [Boolean] true if requested scopes present in access_scopes
+      #
+      def present_in_access_token?
+        Set.new(@access_scopes) >= Set.new(@scopes)
+      end
+
+      # Converts scopes set to the array
+      #
+      # @param scopes [Array<String, Symbol>, #to_a]
+      #   string, symbol, array or object that responds to `to_a`
+      # @return [Array<String>] array of scopes
+      #
+      def to_array(scopes)
+        collection = if scopes.is_a?(Array) || scopes.respond_to?(:to_a)
+                       scopes.to_a
+                     elsif scopes.is_a?(String) || scopes.is_a?(Symbol)
+                       scopes.split(',')
+                     end
+
+        collection.map(&:to_s)
+      end
+    end
+  end
+end

data/lib/simple_oauth2/strategies/authorization_code.rb

@@ -0,0 +1,22 @@
+module Simple
+  module OAuth2
+    module Strategies
+      # Authorization Code strategy class
+      # Processes request and respond with Access Token
+      class AuthorizationCode < Base
+        class << self
+          # Processes Authorization Code request
+          def process(request)
+            client = token_verify_client!(request)
+
+            code = authenticate_access_grant(request) || request.invalid_grant!
+            code.redirect_uri == request.redirect_uri || request.invalid_grant!
+
+            token = config.access_token_class.create_for(client, code.resource_owner, code.scopes)
+            expose_to_bearer_token(token)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/simple_oauth2/strategies/base.rb

@@ -0,0 +1,61 @@
+module Simple
+  module OAuth2
+    # Simple::OAuth2 strategies namespace
+    module Strategies
+      # Base Strategies class.
+      # Contains common functionality for all the descendants
+      class Base
+        class << self
+          # Authenticates Client from the request
+          def authenticate_client(request)
+            config.client_class.authenticate(request.client_id)
+          end
+
+          # Authenticates Resource Owner from the request
+          def authenticate_resource_owner(client, request)
+            config.resource_owner_class.oauth_authenticate(
+              client,
+              request.params['username'],
+              request.params['password']
+            )
+          end
+
+          # Authenticates Access Grant from the request
+          def authenticate_access_grant(request)
+            config.access_grant_class.authenticate(request.code)
+          end
+
+          # Exposes token object to Bearer token.
+          #
+          # @param token [AccessToken] any object that responds to `to_bearer_token`
+          # @return [Rack::OAuth2::AccessToken::Bearer] bearer token instance
+          #
+          def expose_to_bearer_token(token)
+            Rack::OAuth2::AccessToken::Bearer.new(token.to_bearer_token)
+          end
+
+          # Token endpoint, check client for exact matching verifier
+          def token_verify_client!(request)
+            client = authenticate_client(request) || request.invalid_client!
+            client.secret == request.client_secret || request.invalid_client!
+            client
+          end
+
+          # Authorization endpoint, check client and redirect_uri for exact matching verifier
+          def authorization_verify_client!(request, response)
+            client = authenticate_client(request) || request.bad_request!
+            response.redirect_uri = request.verify_redirect_uri!(client.redirect_uri)
+            client
+          end
+
+          private
+
+          # Short getter for Simple::OAuth2 configuration.
+          def config
+            Simple::OAuth2.config
+          end
+        end
+      end
+    end
+  end
+end

data/lib/simple_oauth2/strategies/client_credentials.rb

@@ -0,0 +1,21 @@
+module Simple
+  module OAuth2
+    module Strategies
+      # ClientCredentials strategy class.
+      # Processes request and respond with Access Token
+      class ClientCredentials < Base
+        class << self
+          # Processes ClientCredentials request
+          def process(request)
+            client = authenticate_client(request) || request.invalid_client!
+
+            resource_owner = authenticate_resource_owner(client, request) || request.invalid_grant!
+
+            token = config.access_token_class.create_for(client, resource_owner, request.scope.join(','))
+            expose_to_bearer_token(token)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/simple_oauth2/strategies/code.rb

@@ -0,0 +1,25 @@
+module Simple
+  module OAuth2
+    module Strategies
+      # Code strategy class.
+      # Processes request and respond with Code
+      class Code < Base
+        class << self
+          # Processes Code request
+          def process(request, response)
+            client = authorization_verify_client!(request, response)
+
+            authorization_code = config.access_grant_class.create_for(
+              client,
+              config.resource_owner_authenticator.call(request),
+              response.redirect_uri,
+              request.scope.join(',')
+            )
+
+            response.code = authorization_code.token
+          end
+        end
+      end
+    end
+  end
+end

data/lib/simple_oauth2/strategies/password.rb

@@ -0,0 +1,21 @@
+module Simple
+  module OAuth2
+    module Strategies
+      # Resource Owner Password Credentials strategy class
+      # Processes request and respond with Access Token
+      class Password < Base
+        class << self
+          # Processes Password request
+          def process(request)
+            client = token_verify_client!(request)
+
+            resource_owner = authenticate_resource_owner(client, request) || request.invalid_grant!
+
+            token = config.access_token_class.create_for(client, resource_owner, request.scope.join(','))
+            expose_to_bearer_token(token)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/simple_oauth2/strategies/refresh_token.rb

@@ -0,0 +1,53 @@
+module Simple
+  module OAuth2
+    module Strategies
+      # Refresh Token strategy class
+      # Processes request and respond with Access Token
+      class RefreshToken < Base
+        class << self
+          # Processes Refresh Token request
+          def process(request)
+            client = token_verify_client!(request)
+            refresh_token = verify_refresh_token!(request, client.id)
+
+            token = config.access_token_class.create_for(
+              client, refresh_token.resource_owner, request.scope.join(',')
+            )
+            run_callback_on_refresh_token(refresh_token) if config.on_refresh_runnable?
+
+            expose_to_bearer_token(token)
+          end
+
+          private
+
+          # Check refresh token and client id for exact matching verifier
+          def verify_refresh_token!(request, client_id)
+            refresh_token = config.access_token_class.authenticate(request.refresh_token, 'refresh_token')
+            refresh_token || request.invalid_grant!
+            refresh_token.client_id == client_id || request.unauthorized_client!
+
+            refresh_token
+          end
+
+          # Invokes custom callback on Access Token refresh.
+          # If callback is a proc, then call it with token.
+          # If access token responds to callback value (symbol for example), then call it from the token.
+          #
+          # @param access_token [Object] Access Token instance
+          #
+          def run_callback_on_refresh_token(access_token)
+            callback = config.on_refresh
+
+            if callback.respond_to?(:call)
+              callback.call(access_token)
+            elsif access_token.respond_to?(callback)
+              access_token.send(callback)
+            else
+              raise(ArgumentError, ":on_refresh is not a block and Access Token class doesn't respond to #{callback}!")
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/simple_oauth2/strategies/token.rb

@@ -0,0 +1,24 @@
+module Simple
+  module OAuth2
+    module Strategies
+      # Token strategy class
+      # Processes request and respond with Access Token
+      class Token < Base
+        class << self
+          # Processes Token request
+          def process(request, response)
+            client = authorization_verify_client!(request, response)
+
+            access_token = config.access_token_class.create_for(
+              client,
+              config.resource_owner_authenticator.call(request),
+              request.scope.join(',')
+            )
+
+            response.access_token = expose_to_bearer_token(access_token)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/simple_oauth2/uniq_token.rb

@@ -0,0 +1,20 @@
+module Simple
+  module OAuth2
+    # OAuth2 helper for generation of unique token values.
+    # Can process custom payload and options
+    module UniqToken
+      # Generates unique token value
+      #
+      # @param _payload [Hash]
+      #   payload
+      # @param options [Hash]
+      #   options for generator
+      #
+      # @return [String]
+      #   unique token value
+      def self.generate(_payload = {}, options = {})
+        SecureRandom.hex(options.delete(:size) || 32)
+      end
+    end
+  end
+end

data/lib/simple_oauth2/version.rb

@@ -0,0 +1,26 @@
+module Simple
+  # Semantic versioning
+  module OAuth2
+    # Simple::OAuth2 version
+    # @return [Gem::Version] version of the gem
+    #
+    def self.gem_version
+      Gem::Version.new VERSION::STRING
+    end
+
+    # Simple::OAuth2 semantic versioning module
+    # Contains detailed info about gem version
+    module VERSION
+      # Level changes for implementation level detail changes, such as small bug fixes
+      PATCH = 0
+      # Level changes for any backwards compatible API changes, such as new functionality/features
+      MINOR = 0
+      # Level changes for backwards incompatible API changes,
+      # such as changes that will break existing users code if they update
+      MAJOR = 0
+
+      # Full gem version string
+      STRING = [MAJOR, MINOR, PATCH].join('.')
+    end
+  end
+end