songkick-oauth2-provider 0.10.0

data/lib/songkick/oauth2/model/client.rb

@@ -0,0 +1,61 @@
+require 'bcrypt'
+
+module Songkick
+  module OAuth2
+    module Model
+      
+      class Client < ActiveRecord::Base
+        self.table_name = :oauth2_clients
+        
+        belongs_to :oauth2_client_owner, :polymorphic => true
+        alias :owner  :oauth2_client_owner
+        alias :owner= :oauth2_client_owner=
+            
+        has_many :authorizations, :class_name => 'Songkick::OAuth2::Model::Authorization', :dependent => :destroy
+        
+        validates_uniqueness_of :client_id
+        validates_presence_of   :name, :redirect_uri
+        validate :check_format_of_redirect_uri
+        
+        attr_accessible :name, :redirect_uri
+        
+        before_create :generate_credentials
+        
+        def self.create_client_id
+          Songkick::OAuth2.generate_id do |client_id|
+            count(:conditions => {:client_id => client_id}).zero?
+          end
+        end
+        
+        attr_reader :client_secret
+        
+        def client_secret=(secret)
+          @client_secret = secret
+          hash = BCrypt::Password.create(secret)
+          hash.force_encoding('UTF-8') if hash.respond_to?(:force_encoding)
+          self.client_secret_hash = hash
+        end
+        
+        def valid_client_secret?(secret)
+          BCrypt::Password.new(client_secret_hash) == secret
+        end
+        
+      private
+        
+        def check_format_of_redirect_uri
+          uri = URI.parse(redirect_uri)
+          errors.add(:redirect_uri, 'must be an absolute URI') unless uri.absolute?
+        rescue
+          errors.add(:redirect_uri, 'must be a URI')
+        end
+        
+        def generate_credentials
+          self.client_id = self.class.create_client_id
+          self.client_secret = Songkick::OAuth2.random_string
+        end
+      end
+      
+    end
+  end
+end
+

data/lib/songkick/oauth2/model/client_owner.rb

@@ -0,0 +1,15 @@
+module Songkick
+  module OAuth2
+    module Model
+      
+      module ClientOwner
+        def self.included(klass)
+          klass.has_many :oauth2_clients,
+                         :class_name => 'Songkick::OAuth2::Model::Client',
+                         :as => :oauth2_client_owner
+        end
+      end
+      
+    end
+  end
+end

data/lib/songkick/oauth2/model/hashing.rb

@@ -0,0 +1,29 @@
+module Songkick
+  module OAuth2
+    module Model
+      
+      module Hashing
+        def hashes_attributes(*attributes)
+          attributes.each do |attribute|
+            define_method("#{attribute}=") do |value|
+              instance_variable_set("@#{attribute}", value)
+              __send__("#{attribute}_hash=", value && Songkick::OAuth2.hashify(value))
+            end
+            attr_reader attribute
+          end
+          
+          class_eval <<-RUBY
+            def reload(*args)
+              super
+              #{ attributes.inspect }.each do |attribute|
+                instance_variable_set('@' + attribute.to_s, nil)
+              end
+            end
+          RUBY
+        end
+      end
+      
+    end
+  end
+end
+

data/lib/songkick/oauth2/model/resource_owner.rb

@@ -0,0 +1,54 @@
+module Songkick
+  module OAuth2
+    module Model
+      
+      module AuthorizationAssociation
+        def find_or_create_for_client(client)
+          unless client.is_a?(Client)
+            raise ArgumentError, "The argument should be a #{Client}, instead it was a #{client.class}"
+          end
+          
+          # find_or_create_by_client_id does not work across AR versions
+          authorization = find_by_client_id(client.id) || build
+          authorization.client = client
+          authorization.owner = owner
+          authorization.save
+          authorization
+        end
+
+      private
+
+        def owner
+          respond_to?(:proxy_association) ? proxy_association.owner : proxy_owner
+        end
+      end
+
+      module ResourceOwner
+        def self.included(klass)
+          klass.has_many :oauth2_authorizations,
+                         :class_name => 'Songkick::OAuth2::Model::Authorization',
+                         :as => :oauth2_resource_owner,
+                         :dependent => :destroy,
+                         :extend => AuthorizationAssociation
+        end
+        
+        def grant_access!(client, options = {})
+          authorization = oauth2_authorizations.find_or_create_for_client(client)
+
+          if scopes = options[:scopes]
+            scopes = authorization.scopes + scopes
+            authorization.scope = scopes.entries.join(' ')
+          end
+          
+          if duration = options[:duration]
+            authorization.expires_at = Time.now + duration.to_i
+          end
+          
+          authorization.save! if authorization.changed?
+          authorization
+        end
+      end
+      
+    end
+  end
+end

data/lib/songkick/oauth2/provider.rb

@@ -0,0 +1,122 @@
+require 'digest/sha1'
+require 'json'
+require 'logger'
+
+module Songkick
+  module OAuth2
+    ROOT = File.expand_path(File.dirname(__FILE__) + '/..')
+    TOKEN_SIZE = 160
+    
+    autoload :Model,  ROOT + '/oauth2/model'
+    autoload :Router, ROOT + '/oauth2/router'
+    autoload :Schema, ROOT + '/oauth2/schema'
+    
+    def self.random_string
+      rand(2 ** TOKEN_SIZE).to_s(36)
+    end
+    
+    def self.generate_id(&predicate)
+      id = random_string
+      id = random_string until predicate.call(id)
+      id
+    end
+    
+    def self.hashify(token)
+      return nil unless String === token
+      Digest::SHA1.hexdigest(token)
+    end
+    
+    ACCESS_TOKEN           = 'access_token'
+    ASSERTION              = 'assertion'
+    ASSERTION_TYPE         = 'assertion_type'
+    AUTHORIZATION_CODE     = 'authorization_code'
+    CLIENT_ID              = 'client_id'
+    CLIENT_SECRET          = 'client_secret'
+    CODE                   = 'code'
+    CODE_AND_TOKEN         = 'code_and_token'
+    DURATION               = 'duration'
+    ERROR                  = 'error'
+    ERROR_DESCRIPTION      = 'error_description'
+    EXPIRES_IN             = 'expires_in'
+    GRANT_TYPE             = 'grant_type'
+    OAUTH_TOKEN            = 'oauth_token'
+    PASSWORD               = 'password'
+    REDIRECT_URI           = 'redirect_uri'
+    REFRESH_TOKEN          = 'refresh_token'
+    RESPONSE_TYPE          = 'response_type'
+    SCOPE                  = 'scope'
+    STATE                  = 'state'
+    TOKEN                  = 'token'
+    USERNAME               = 'username'
+    
+    INVALID_REQUEST        = 'invalid_request'
+    UNSUPPORTED_RESPONSE   = 'unsupported_response_type'
+    REDIRECT_MISMATCH      = 'redirect_uri_mismatch'
+    UNSUPPORTED_GRANT_TYPE = 'unsupported_grant_type'
+    INVALID_GRANT          = 'invalid_grant'
+    INVALID_CLIENT         = 'invalid_client'
+    UNAUTHORIZED_CLIENT    = 'unauthorized_client'
+    INVALID_SCOPE          = 'invalid_scope'
+    INVALID_TOKEN          = 'invalid_token'
+    EXPIRED_TOKEN          = 'expired_token'
+    INSUFFICIENT_SCOPE     = 'insufficient_scope'
+    ACCESS_DENIED          = 'access_denied'
+    
+    class Provider
+      class << self
+        attr_accessor :realm, :enforce_ssl
+      end
+      
+      def self.clear_assertion_handlers!
+        @password_handler   = nil
+        @assertion_handlers = {}
+        @assertion_filters  = []
+      end
+      
+      clear_assertion_handlers!
+      
+      def self.handle_passwords(&block)
+        @password_handler = block
+      end
+      
+      def self.handle_password(client, username, password, scopes)
+        return nil unless @password_handler
+        @password_handler.call(client, username, password, scopes)
+      end
+      
+      def self.filter_assertions(&filter)
+        @assertion_filters.push(filter)
+      end
+      
+      def self.handle_assertions(assertion_type, &handler)
+        @assertion_handlers[assertion_type] = handler
+      end
+      
+      def self.handle_assertion(client, assertion, scopes)
+        return nil unless @assertion_filters.all? { |f| f.call(client) }
+        handler = @assertion_handlers[assertion.type]
+        handler ? handler.call(client, assertion.value, scopes) : nil
+      end
+      
+      def self.parse(*args)
+        Router.parse(*args)
+      end
+      
+      def self.access_token(*args)
+        Router.access_token(*args)
+      end
+
+      def self.access_token_from_request(*args)
+        Router.access_token_from_request(*args)
+      end
+      
+      EXPIRY_TIME            = 3600
+      
+      autoload :Authorization, ROOT + '/oauth2/provider/authorization'
+      autoload :Exchange,      ROOT + '/oauth2/provider/exchange'
+      autoload :AccessToken,   ROOT + '/oauth2/provider/access_token'
+      autoload :Error,         ROOT + '/oauth2/provider/error'
+    end
+  end
+end
+

data/lib/songkick/oauth2/provider/access_token.rb

@@ -0,0 +1,68 @@
+module Songkick
+  module OAuth2
+    class Provider
+      
+      class AccessToken
+        attr_reader :authorization
+        
+        def initialize(resource_owner = nil, scopes = [], access_token = nil, error = nil)
+          @resource_owner = resource_owner
+          @scopes         = scopes
+          @access_token   = access_token
+          @error          = error && INVALID_REQUEST
+          
+          authorize!(access_token, error)
+          validate!
+        end
+        
+        def client
+          valid? ? @authorization.client : nil
+        end
+        
+        def owner
+          valid? ? @authorization.owner : nil
+        end
+        
+        def response_headers
+          return {} if valid?
+          error_message =  "OAuth realm='#{ Provider.realm }'"
+          error_message << ", error='#{ @error }'" unless @error == ''
+          {'WWW-Authenticate' => error_message}
+        end
+        
+        def response_status
+          case @error
+            when INVALID_REQUEST, INVALID_TOKEN, EXPIRED_TOKEN then 401
+            when INSUFFICIENT_SCOPE                            then 403
+            when ''                                            then 401
+                                                               else 200
+          end
+        end
+        
+        def valid?
+          @error.nil?
+        end
+        
+      private
+        
+        def authorize!(access_token, error)
+          return unless @authorization = Model.find_access_token(access_token)
+          @authorization.update_attribute(:access_token, nil) if error
+        end
+        
+        def validate!
+          return @error = ''                 unless @access_token
+          return @error = INVALID_TOKEN      unless @authorization
+          return @error = EXPIRED_TOKEN      if @authorization.expired?
+          return @error = INSUFFICIENT_SCOPE unless @authorization.in_scope?(@scopes)
+          
+          if @resource_owner and @authorization.owner != @resource_owner
+            @error = INSUFFICIENT_SCOPE
+          end
+        end
+      end
+      
+    end
+  end
+end
+

data/lib/songkick/oauth2/provider/authorization.rb

@@ -0,0 +1,190 @@
+require 'cgi'
+
+module Songkick
+  module OAuth2
+    class Provider
+      
+      class Authorization
+        attr_reader :owner, :client,
+                    :code, :access_token,
+                    :expires_in, :refresh_token,
+                    :error, :error_description
+        
+        REQUIRED_PARAMS = [RESPONSE_TYPE, CLIENT_ID, REDIRECT_URI]
+        VALID_PARAMS    = REQUIRED_PARAMS + [SCOPE, STATE]
+        VALID_RESPONSES = [CODE, TOKEN, CODE_AND_TOKEN]
+        
+        def initialize(resource_owner, params, transport_error = nil)
+          @owner  = resource_owner
+          @params = params
+          @scope  = params[SCOPE]
+          @state  = params[STATE]
+          
+          @transport_error = transport_error
+          
+          validate!
+          
+          return unless @owner and not @error
+          
+          @model = Model::Authorization.for(@owner, @client)
+          return unless @model and @model.in_scope?(scopes) and not @model.expired?
+          
+          @authorized = true
+          
+          if @params[RESPONSE_TYPE] =~ /code/
+            @code = @model.generate_code
+          end
+          
+          if @params[RESPONSE_TYPE] =~ /token/
+            @access_token = @model.generate_access_token
+          end
+        end
+        
+        def scopes
+          scopes = @scope ? @scope.split(/\s+/).delete_if { |s| s.empty? } : []
+          Set.new(scopes)
+        end
+        
+        def unauthorized_scopes
+          @model ? scopes.select { |s| not @model.in_scope?(s) } : scopes
+        end
+        
+        def grant_access!(options = {})
+          @model = Model::Authorization.for_response_type(@params[RESPONSE_TYPE],
+            :owner    => @owner,
+            :client   => @client,
+            :scope    => @scope,
+            :duration => options[:duration])
+          
+          @code          = @model.code
+          @access_token  = @model.access_token
+          @refresh_token = @model.refresh_token
+          @expires_in    = @model.expires_in
+          
+          unless @params[RESPONSE_TYPE] == CODE
+            @expires_in  = @model.expires_in
+          end
+          
+          @authorized = true
+        end
+        
+        def deny_access!
+          @code = @access_token = @refresh_token = nil
+          @error = ACCESS_DENIED
+          @error_description = "The user denied you access"
+        end
+        
+        def params
+          params = {}
+          VALID_PARAMS.each { |key| params[key] = @params[key] if @params.has_key?(key) }
+          params
+        end
+        
+        def redirect?
+          @client and (@authorized or not valid?)
+        end
+        
+        def redirect_uri
+          return nil unless @client
+          base_redirect_uri = @client.redirect_uri
+          
+          if not valid?
+            query = to_query_string(ERROR, ERROR_DESCRIPTION, STATE)
+            "#{ base_redirect_uri }?#{ query }"
+          
+          elsif @params[RESPONSE_TYPE] == CODE_AND_TOKEN
+            query    = to_query_string(CODE, STATE)
+            fragment = to_query_string(ACCESS_TOKEN, EXPIRES_IN, SCOPE)
+            "#{ base_redirect_uri }#{ query.empty? ? '' : '?' + query }##{ fragment }"
+          
+          elsif @params[RESPONSE_TYPE] == 'token'
+            fragment = to_query_string(ACCESS_TOKEN, EXPIRES_IN, SCOPE, STATE)
+            "#{ base_redirect_uri }##{ fragment }"
+          
+          else
+            query = to_query_string(CODE, SCOPE, STATE)
+            "#{ base_redirect_uri }?#{ query }"
+          end
+        end
+        
+        def response_body
+          warn "Songkick::OAuth2::Provider::Authorization no longer returns a response body "+
+               "when the request is invalid. You should call valid? to determine "+
+               "whether to render your login page or an error page."
+          nil
+        end
+        
+        def response_headers
+          redirect? ? {} : {'Cache-Control' => 'no-store'}
+        end
+        
+        def response_status
+          return 302 if redirect?
+          return 200 if valid?
+          @client ? 302 : 400
+        end
+        
+        def valid?
+          @error.nil?
+        end
+        
+      private
+        
+        def validate!
+          if @transport_error
+            @error = @transport_error.error
+            @error_description = @transport_error.error_description
+            return
+          end
+          
+          @client = @params[CLIENT_ID] && Model::Client.find_by_client_id(@params[CLIENT_ID])
+          unless @client
+            @error = INVALID_CLIENT
+            @error_description = "Unknown client ID #{@params[CLIENT_ID]}"
+          end
+          
+          REQUIRED_PARAMS.each do |param|
+            next if @params.has_key?(param)
+            @error = INVALID_REQUEST
+            @error_description = "Missing required parameter #{param}"
+          end
+          return if @error
+          
+          [SCOPE, STATE].each do |param|
+            next unless @params.has_key?(param)
+            if @params[param] =~ /\r\n/
+              @error = INVALID_REQUEST
+              @error_description = "Illegal value for #{param} parameter"
+            end
+          end
+          
+          unless VALID_RESPONSES.include?(@params[RESPONSE_TYPE])
+            @error = UNSUPPORTED_RESPONSE
+            @error_description = "Response type #{@params[RESPONSE_TYPE]} is not supported"
+          end
+          
+          @client = Model::Client.find_by_client_id(@params[CLIENT_ID])
+          unless @client
+            @error = INVALID_CLIENT
+            @error_description = "Unknown client ID #{@params[CLIENT_ID]}"
+          end
+          
+          if @client and @client.redirect_uri and @client.redirect_uri != @params[REDIRECT_URI]
+            @error = REDIRECT_MISMATCH
+            @error_description = "Parameter #{REDIRECT_URI} does not match registered URI"
+          end
+        end
+        
+        def to_query_string(*ivars)
+          ivars.map { |key|
+            value = instance_variable_get("@#{key}")
+            value = value.join(' ') if Array === value
+            value ? "#{ key }=#{ CGI.escape(value.to_s) }" : nil
+          }.compact.join('&')
+        end
+      end
+      
+    end
+  end
+end
+