simple_oauth2 0.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 7457463729d7d0b17d67f13e8f0865f8340d8e59
+  data.tar.gz: 85c2c6a42f9085f0636c4fca5e72339b542c7a48
+SHA512:
+  metadata.gz: 5e0ff90478bd45cd417ef769086b492252375fcefdea551d7f853df51096c3513be1b399322f70ade0392a7a3c9cd9acc3ff05a969b9fc647acc15d859a47b0c
+  data.tar.gz: 4575200800986eac07b0bae126b44a144cbd5ebc5ff7a2cecec0da2eedba32b055e1f62445c90b3b79bd7fe16c76ad24df83190924ef9a04b86587ef45c09b14

data/.codeclimate.yml

@@ -0,0 +1,25 @@
+---
+engines:
+  duplication:
+    enabled: true
+    config:
+      languages:
+      - ruby
+      - javascript
+      - python
+      - php
+  fixme:
+    enabled: true
+  rubocop:
+    enabled: true
+ratings:
+  paths:
+  - "**.inc"
+  - "**.js"
+  - "**.jsx"
+  - "**.module"
+  - "**.php"
+  - "**.py"
+  - "**.rb"
+exclude_paths:
+- spec/

data/.coveralls.yml

@@ -0,0 +1 @@
+service_name: travis-ci

data/.gitignore

@@ -0,0 +1,26 @@
+*.gem
+*.rbc
+.rbx
+/coverage/
+Gemfile.lock
+gemfiles/*.lock
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+.bundle/
+
+rethinkdb_data
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+# .ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc

data/.hound.yml

@@ -0,0 +1,4 @@
+ruby:
+  config_file: .rubocop_todo.yml
+
+fail_on_violations: true

data/.rubocop.yml

@@ -0,0 +1,5 @@
+AllCops:
+  Exclude:
+    - rethinkdb_data
+
+inherit_from: .rubocop_todo.yml

data/.rubocop_todo.yml

@@ -0,0 +1,12 @@
+Style/FrozenStringLiteralComment:
+  Enabled: false
+Style/StringLiterals:
+  EnforcedStyle: single_quotes
+Metrics/MethodLength:
+  Max: 15
+Metrics/LineLength:
+  Max: 120
+Style/Lambda:
+  Enabled: false
+Style/DotPosition:
+  Enabled: false

data/.travis.yml

@@ -0,0 +1,31 @@
+language: ruby
+cache: bundler
+bundler_args: --without yard guard benchmarks
+notifications:
+  email: false
+addons:
+  code_climate:
+    repo_token: b06efdea32dd6768ddb83b21e07f85d439a6c725eaa97c8981324a14cbcbee17
+
+before_install:
+  - source /etc/lsb-release && echo "deb http://download.rethinkdb.com/apt $DISTRIB_CODENAME main" | sudo tee /etc/apt/sources.list.d/rethinkdb.list
+  - wget -qO- http://download.rethinkdb.com/apt/pubkey.gpg | sudo apt-key add -
+  - sudo apt-get update -q
+  - sudo apt-get install rethinkdb
+  - sudo cp /etc/rethinkdb/default.conf.sample /etc/rethinkdb/instances.d/instance1.conf
+  - sudo service rethinkdb restart
+  - gem install bundler -v '~> 1.10'
+
+matrix:
+  allow_failures:
+    - rvm: ruby-head
+  include:
+  - rvm: 2.2.6
+    gemfile: gemfiles/nobrainer.rb
+    env: ORM=nobrainer
+  - rvm: 2.3.3
+    gemfile: gemfiles/nobrainer.rb
+    env: ORM=nobrainer
+  - rvm: ruby-head
+    gemfile: gemfiles/nobrainer.rb
+    env: ORM=nobrainer

data/Gemfile

@@ -0,0 +1,18 @@
+source 'https://rubygems.org'
+
+gemspec
+
+gem 'rack-oauth2'
+
+group :test do
+  gem 'nobrainer'
+
+  gem 'coveralls', require: false
+  gem 'ffaker'
+  gem 'rack-test', require: 'rack/test'
+  gem 'rspec-rails', '~> 3.4'
+  gem 'rubocop', '~> 0.46.0', require: false
+  gem 'simplecov', require: false
+end
+
+gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]

data/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2017 Volodimir Partytskyi
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,11 @@
+![Simple OAuth2 Logo](https://raw.github.com/simple-oauth2/simple_oauth2/master/logo.png)
+
+[![Build Status](https://travis-ci.org/simple-oauth2/simple_oauth2.svg?branch=master)](https://travis-ci.org/simple-oauth2/simple_oauth2)
+[![Dependency Status](https://gemnasium.com/badges/github.com/simple-oauth2/simple_oauth2.svg)](https://gemnasium.com/github.com/simple-oauth2/simple_oauth2)
+[![Coverage Status](https://coveralls.io/repos/github/simple-oauth2/simple_oauth2/badge.svg?branch=master)](https://coveralls.io/github/simple-oauth2/simple_oauth2?branch=master)
+[![Code Climate](https://codeclimate.com/github/simple-oauth2/simple_oauth2/badges/gpa.svg)](https://codeclimate.com/github/simple-oauth2/simple_oauth2)
+[![Inline docs](http://inch-ci.org/github/simple-oauth2/simple_oauth2.svg?branch=master)](http://inch-ci.org/github/simple-oauth2/simple_oauth2)
+[![security](https://hakiri.io/github/simple-oauth2/simple_oauth2/master.svg)](https://hakiri.io/github/simple-oauth2/simple_oauth2/master)
+[![License](https://img.shields.io/github/license/mashape/apistatus.svg)](https://github.com/simple-oauth2/simple_oauth2/blob/master/LICENSE)
+
+A flexible OAuth2 server authorization and endpoints protection to your API

data/Rakefile

@@ -0,0 +1,11 @@
+require 'bundler/setup'
+require 'rspec/core/rake_task'
+
+desc 'Default: run specs.'
+task default: :spec
+
+RSpec::Core::RakeTask.new(:spec) do |config|
+  config.verbose = false
+end
+
+Bundler::GemHelper.install_tasks

data/gemfiles/nobrainer.rb

@@ -0,0 +1,15 @@
+source 'https://rubygems.org'
+
+gemspec path: '../'
+
+gem 'nobrainer'
+
+group :test do
+  gem 'coveralls', require: false
+  gem 'factory_girl', '~> 4.0'
+  gem 'ffaker'
+  gem 'rack-test', require: 'rack/test'
+  gem 'rspec-rails', '~> 3.4'
+end
+
+gem 'tzinfo-data', platforms: [:mingw, :mswin, :x64_mingw, :jruby]

data/lib/simple_oauth2/configuration/class_accessors.rb

@@ -0,0 +1,36 @@
+module Simple
+  module OAuth2
+    # Simple::OAuth2 accessors for configured classes.
+    module ClassAccessors
+      # Returns Access Token class by configured name
+      def access_token_class
+        @access_token_class ||= access_token_class_name.constantize
+      end
+
+      # Returns Resource Owner class by configured name
+      def resource_owner_class
+        @resource_owner_class ||= resource_owner_class_name.constantize
+      end
+
+      # Returns Client class by configured name
+      def client_class
+        @client_class ||= client_class_name.constantize
+      end
+
+      # Returns Access Grant class by configured name
+      def access_grant_class
+        @access_grant_class ||= access_grant_class_name.constantize
+      end
+
+      # Returns Token Generator class by configured name
+      def token_generator
+        token_generator_class_name.constantize
+      end
+
+      # Returns Scopes Validator class by configured name
+      def scopes_validator
+        scopes_validator_class_name.constantize
+      end
+    end
+  end
+end

data/lib/simple_oauth2/configuration/constants.rb

@@ -0,0 +1,36 @@
+module Simple
+  module OAuth2
+    # Simple::OAuth2 default constants
+    module Constants
+      # Currently supported (by the gem) OAuth2 grant types
+      SUPPORTED_GRANT_TYPES = %w(password authorization_code refresh_token client_credentials).freeze
+
+      # Default OAuth2 response types
+      SUPPORTED_RESPONSE_TYPES = %w(code token).freeze
+
+      # Default Access Token TTL (in seconds)
+      DEFAULT_TOKEN_LIFETIME = 7200
+
+      # Default Authorization Code TTL (in seconds)
+      DEFAULT_CODE_LIFETIME = 1800
+
+      # Default realm value
+      DEFAULT_REALM = 'OAuth 2.0'.freeze
+
+      # Default Client class value
+      DEFAULT_CLIENT_CLASS = 'Client'.freeze
+
+      # Default Access Token class value
+      DEFAULT_ACCESS_TOKEN_CLASS = 'AccessToken'.freeze
+
+      # Default Resource Owner class value
+      DEFAULT_RESOURCE_OWNER_CLASS = 'User'.freeze
+
+      # Default Access Grant class value
+      DEFAULT_ACCESS_GRANT_CLASS = 'AccessGrant'.freeze
+
+      # Default option for generate refresh token
+      DEFAULT_ISSUE_REFRESH_TOKEN = false
+    end
+  end
+end

data/lib/simple_oauth2/configuration.rb

@@ -0,0 +1,169 @@
+module Simple
+  module OAuth2
+    # Simple::OAuth2 configuration class.
+    # Contains default or customized options that would be used in OAuth2 endpoints and helpers
+    class Configuration
+      include ClassAccessors
+      include Constants
+
+      # The names of the classes that represents OAuth2 roles
+      #
+      # @return [String] class name
+      #
+      attr_accessor :access_token_class_name, :access_grant_class_name,
+                    :client_class_name, :resource_owner_class_name
+
+      # Class name for the OAuth2 helper class that generates unique token values
+      #
+      # @return [String] token generator class name
+      #
+      attr_accessor :token_generator_class_name
+
+      # Class name for the OAuth2 helper class that validates requested scopes against Access Token scopes
+      #
+      # @return [String] scope validator class name
+      #
+      attr_accessor :scopes_validator_class_name
+
+      # Access Token and Authorization Code lifetime in seconds
+      #
+      # @return [Integer] lifetime in seconds
+      #
+      attr_accessor :authorization_code_lifetime, :access_token_lifetime
+
+      # OAuth2 grant types (flows) allowed to be processed
+      #
+      # @return [Array<String>] grant types
+      #
+      attr_accessor :allowed_grant_types
+
+      # OAuth2 response types (flows) allowed to be processed
+      #
+      # @return [Array<String>] response types
+      #
+      attr_accessor :allowed_response_types
+
+      # Realm value
+      #
+      # @return [String] realm
+      #
+      attr_accessor :realm
+
+      # Access Token authenticator block option for customization
+      attr_accessor :token_authenticator
+
+      # Resource Owner authenticator block option for customization
+      attr_accessor :resource_owner_authenticator
+
+      # Specifies whether to generate a Refresh Token when creating an Access Token
+      #
+      # @return [Boolean] true if need to generate refresh token
+      #
+      attr_accessor :issue_refresh_token
+
+      # Callback that would be invoked during processing of Refresh Token request for
+      # the original Access Token found by token value
+      attr_accessor :on_refresh
+
+      # Return a new instance of Configuration with default options
+      def initialize
+        setup!
+      end
+
+      # Accessor for Access Token authenticator block. Set it to proc
+      # if called with block or returns current value of the accessor.
+      def token_authenticator(&block)
+        if block_given?
+          instance_variable_set(:'@token_authenticator', block)
+        else
+          instance_variable_get(:'@token_authenticator')
+        end
+      end
+
+      # Accessor for Resource Owner authenticator block. Set it to proc
+      # if called with block or returns current value of the accessor.
+      def resource_owner_authenticator(&block)
+        if block_given?
+          instance_variable_set(:'@resource_owner_authenticator', block)
+        else
+          instance_variable_get(:'@resource_owner_authenticator')
+        end
+      end
+
+      # Indicates if on_refresh callback can be invoked.
+      #
+      # @return [Boolean]
+      #   true if callback can be invoked and false in other cases
+      #
+      def on_refresh_runnable?
+        !on_refresh.nil? && on_refresh != :nothing
+      end
+
+      # Accessor for on_refresh callback. Set callback proc
+      # if called with block or returns current value of the accessor.
+      def on_refresh(&block)
+        if block_given?
+          instance_variable_set(:'@on_refresh', block)
+        else
+          instance_variable_get(:'@on_refresh')
+        end
+      end
+
+      # Default Access Token authenticator block.
+      # Validates token value passed with the request params
+      def default_token_authenticator
+        lambda do |request|
+          access_token_class.authenticate(request.access_token) || request.invalid_token!
+        end
+      end
+
+      private
+
+      # Setup configuration to default options values
+      def setup!
+        init_classes
+        init_authenticators
+        init_represents_roles
+
+        self.access_token_lifetime = DEFAULT_TOKEN_LIFETIME
+        self.authorization_code_lifetime = DEFAULT_CODE_LIFETIME
+        self.allowed_grant_types = SUPPORTED_GRANT_TYPES
+        self.allowed_response_types = SUPPORTED_RESPONSE_TYPES
+        self.issue_refresh_token = DEFAULT_ISSUE_REFRESH_TOKEN
+        self.on_refresh = :nothing
+
+        self.realm = DEFAULT_REALM
+      end
+
+      # Default Resource Owner authenticator block
+      def default_resource_owner_authenticator
+        lambda do |_request|
+          raise(
+            'Resource Owner find failed due to '\
+            'Simple::OAuth2.configure.resource_owner_authenticator being unconfigured.'
+          )
+        end
+      end
+
+      # Sets OAuth2 helpers classes to gem defaults
+      def init_classes
+        self.token_generator_class_name = Simple::OAuth2::UniqToken.name
+        self.scopes_validator_class_name = Simple::OAuth2::Scopes.name
+      end
+
+      # Sets authenticators to gem defaults
+      def init_authenticators
+        self.token_authenticator = default_token_authenticator
+        self.resource_owner_authenticator = default_resource_owner_authenticator
+      end
+
+      # Sets OAuth2 represents roles
+      def init_represents_roles
+        self.access_token_class_name = DEFAULT_ACCESS_TOKEN_CLASS
+        self.resource_owner_class_name = DEFAULT_RESOURCE_OWNER_CLASS
+        self.client_class_name = DEFAULT_CLIENT_CLASS
+        self.access_grant_class_name = DEFAULT_ACCESS_GRANT_CLASS
+      end
+    end
+  end
+end

data/lib/simple_oauth2/generators/authorization.rb

@@ -0,0 +1,64 @@
+module Simple
+  module OAuth2
+    module Generators
+      # Authorization generator class
+      # Processes the request by required Response Type and builds the response
+      class Authorization < Base
+        class << self
+          # Generates Authorization Response based on the request
+          #
+          # @return [Simple::OAuth2::Responses] response
+          #
+          def generate_for(env, &_block)
+            authorization = Rack::OAuth2::Server::Authorize.new do |request, response|
+              request.unsupported_response_type! unless allowed_types.include?(request.response_type.to_s)
+
+              if block_given?
+                yield request, response
+              else
+                execute_default(request, response)
+              end
+            end
+
+            Simple::OAuth2::Responses.new(authorization.call(env))
+          rescue Rack::OAuth2::Server::Authorize::BadRequest => error
+            error_response(error)
+          end
+
+          private
+
+          # Returns error Rack::Response
+          def error_response(error)
+            response = Rack::Response.new
+            response.status = error.status
+            response.header['Content-Type'] = 'application/json'
+            response.write(JSON.dump(Rack::OAuth2::Util.compact_hash(error.protocol_params)))
+
+            Simple::OAuth2::Responses.new(response.finish)
+          end
+
+          # Runs default Simple::OAuth2 functionality for Authorization endpoint
+          #
+          # @param request [Rack::Request] request object
+          # @param response [Rack::Response] response object
+          #
+          def execute_default(request, response)
+            find_strategy(request.response_type).process(request, response)
+            response.approve!
+            response
+          end
+
+          # Returns Simple::OAuth2 strategy class by Response Type
+          #
+          # @param response_type [Symbol] response type value
+          #
+          # @return [Code, Token] strategy class
+          #
+          def find_strategy(response_type)
+            "Simple::OAuth2::Strategies::#{response_type.to_s.classify}".constantize
+          end
+        end
+      end
+    end
+  end
+end

data/lib/simple_oauth2/generators/base.rb

@@ -0,0 +1,31 @@
+module Simple
+  module OAuth2
+    module Generators
+      # Base class for Simple::OAuth2 generators
+      class Base
+        class << self
+          # Allowed grant types from the Simple::OAuth2 configuration
+          #
+          # @return [Array] allowed grant types
+          #
+          def allowed_grants
+            config.allowed_grant_types
+          end
+
+          # Allowed response types from the Simple::OAuth2 configuration
+          #
+          # @return [Array] allowed response types
+          #
+          def allowed_types
+            config.allowed_response_types
+          end
+
+          # Short getter for Simple::OAuth2 configuration.
+          def config
+            Simple::OAuth2.config
+          end
+        end
+      end
+    end
+  end
+end

data/lib/simple_oauth2/generators/token.rb

@@ -0,0 +1,71 @@
+module Simple
+  module OAuth2
+    module Generators
+      # Token generator class.
+      # Processes the request by required Grant Type and builds the response
+      class Token < Base
+        class << self
+          # Generates Token Response based on the request
+          #
+          # @return [Simple::OAuth2::Responses] response
+          #
+          def generate_for(env, &_block)
+            token = Rack::OAuth2::Server::Token.new do |request, response|
+              request.unsupported_grant_type! unless allowed_grants.include?(request.grant_type.to_s)
+
+              if block_given?
+                yield(request, response)
+              else
+                execute_default(request, response)
+              end
+            end
+
+            Simple::OAuth2::Responses.new(token.call(env))
+          end
+
+          # OAuth 2.0 Token Revocation - http://tools.ietf.org/html/rfc7009
+          #
+          # @return [Response] with HTTP status code 200
+          #
+          def revoke(token, env)
+            access_token = config.access_token_class.authenticate(token, 'refresh_token')
+
+            if access_token
+              request = Rack::OAuth2::Server::Token::Request.new(env)
+
+              # The authorization server, if applicable, first authenticates the client
+              # and checks its ownership of the provided token.
+              client = Simple::OAuth2::Strategies::Base.authenticate_client(request) || request.invalid_client!
+              client.id == access_token.client.id && access_token.revoke!
+            end
+            # The authorization server responds with HTTP status code 200 if the token
+            # has been revoked successfully or if the client submitted an invalid token
+            [200, {}, []]
+          end
+
+          private
+
+          # Runs default Simple::OAuth2 functionality for Token endpoint.
+          #
+          # @param request [Rack::Request] request object
+          # @param response [Rack::Response] response object
+          #
+          def execute_default(request, response)
+            strategy = find_strategy(request.grant_type) || request.invalid_grant!
+            response.access_token = strategy.process(request)
+          end
+
+          # Returns Simple::OAuth2 strategy class by Grant Type
+          #
+          # @param grant_type [Symbol] grant type value
+          #
+          # @return [Password, RefreshToken, AuthorizationCode] strategy class
+          #
+          def find_strategy(grant_type)
+            "Simple::OAuth2::Strategies::#{grant_type.to_s.camelize}".constantize
+          end
+        end
+      end
+    end
+  end
+end

data/lib/simple_oauth2/helpers.rb

@@ -0,0 +1,40 @@
+module Simple
+  module OAuth2
+    # Set of Simple::OAuth2 helpers
+    module Helpers
+      # Adds OAuth2 AccessToken protection for routes
+      #
+      # @param scopes [Array<String, Symbol>] set of scopes required to access the endpoint
+      #
+      # @raise [Rack::OAuth2::Server::Resource::Bearer::Unauthorized] invalid AccessToken value
+      # @raise [Rack::OAuth2::Server::Resource::Bearer::Forbidden]
+      #   AccessToken expired, revoked or does't have required scopes
+      #
+      def access_token_required!(*scopes)
+        raise Rack::OAuth2::Server::Resource::Bearer::Unauthorized if current_access_token.nil?
+        raise Rack::OAuth2::Server::Resource::Bearer::Forbidden unless valid_access_token?(scopes)
+      end
+
+      # Returns ResourceOwner from the AccessToken found by access_token value passed with the request
+      def current_resource_owner
+        @current_resource_owner ||= instance_eval(&Simple::OAuth2.config.resource_owner_authenticator)
+      end
+
+      # Returns AccessToken instance found by access_token value passed with the request
+      def current_access_token
+        @current_access_token ||= request.env[Rack::OAuth2::Server::Resource::ACCESS_TOKEN]
+      end
+
+      private
+
+      # Validate current access token not to be expired or revoked and has all the requested scopes
+      #
+      # @return [Boolean] true if current_access_token not expired, not revoked and scopes match
+      #
+      def valid_access_token?(scopes)
+        !current_access_token.revoked? && !current_access_token.expired? &&
+          Simple::OAuth2.config.scopes_validator.valid?(current_access_token.scopes, scopes)
+      end
+    end
+  end
+end