songkick-oauth2-provider 0.10.0

data/lib/songkick/oauth2/provider/error.rb

@@ -0,0 +1,22 @@
+module Songkick
+  module OAuth2
+    class Provider
+      
+      class Error
+        def initialize(message = nil)
+          @message = message
+        end
+        
+        def error
+          INVALID_REQUEST
+        end
+        
+        def error_description
+          'Bad request' + (@message ? ": #{@message}" : '')
+        end
+      end
+      
+    end
+  end
+end
+

data/lib/songkick/oauth2/provider/exchange.rb

@@ -0,0 +1,227 @@
+module Songkick
+  module OAuth2
+    class Provider
+      
+      class Exchange
+        attr_reader :client, :error, :error_description
+        
+        REQUIRED_PARAMS    = [CLIENT_ID, CLIENT_SECRET, GRANT_TYPE]
+        VALID_GRANT_TYPES  = [AUTHORIZATION_CODE, PASSWORD, ASSERTION, REFRESH_TOKEN]
+        
+        REQUIRED_PASSWORD_PARAMS  = [USERNAME, PASSWORD]
+        REQUIRED_ASSERTION_PARAMS = [ASSERTION_TYPE, ASSERTION]
+        
+        RESPONSE_HEADERS = {
+          'Cache-Control' => 'no-store',
+          'Content-Type'  => 'application/json'
+        }
+        
+        def initialize(resource_owner, params, transport_error = nil)
+          @params     = params
+          @scope      = params[SCOPE]
+          @grant_type = @params[GRANT_TYPE]
+          
+          @transport_error = transport_error
+          
+          validate!
+        end
+        
+        def owner
+          @authorization && @authorization.owner
+        end
+        
+        def redirect?
+          false
+        end
+        
+        def response_body
+          return jsonize(ERROR, ERROR_DESCRIPTION) unless valid?
+          update_authorization
+          
+          response = {}
+          [ACCESS_TOKEN, REFRESH_TOKEN, SCOPE].each do |key|
+            value = @authorization.__send__(key)
+            response[key] = value if value
+          end
+          if expiry = @authorization.expires_in
+            response[EXPIRES_IN] = expiry
+          end
+          
+          JSON.unparse(response)
+        end
+        
+        def response_headers
+          RESPONSE_HEADERS
+        end
+        
+        def response_status
+          valid? ? 200 : 400
+        end
+        
+        def scopes
+          scopes = @scope ? @scope.split(/\s+/).delete_if { |s| s.empty? } : []
+          Set.new(scopes)
+        end
+
+        def update_authorization
+          return if not valid? or @already_updated
+          @authorization.exchange!
+          @already_updated = true
+        end
+        
+        def valid?
+          @error.nil?
+        end
+        
+      private
+        
+        def jsonize(*ivars)
+          hash = {}
+          ivars.each { |key| hash[key] = instance_variable_get("@#{key}") }
+          JSON.unparse(hash)
+        end
+        
+        def validate!
+          if @transport_error
+            @error = @transport_error.error
+            @error_description = @transport_error.error_description
+            return
+          end
+          
+          validate_required_params
+          
+          return if @error
+          validate_client
+          
+          unless VALID_GRANT_TYPES.include?(@grant_type)
+            @error = UNSUPPORTED_GRANT_TYPE
+            @error_description = "The grant type #{@grant_type} is not recognized"
+          end
+          return if @error
+          
+          __send__("validate_#{@grant_type}")
+          validate_scope
+        end
+        
+        def validate_required_params
+          REQUIRED_PARAMS.each do |param|
+            next if @params.has_key?(param)
+            @error = INVALID_REQUEST
+            @error_description = "Missing required parameter #{param}"
+          end
+        end
+        
+        def validate_client
+          @client = Model::Client.find_by_client_id(@params[CLIENT_ID])
+          unless @client
+            @error = INVALID_CLIENT
+            @error_description = "Unknown client ID #{@params[CLIENT_ID]}"
+          end
+          
+          if @client and not @client.valid_client_secret?(@params[CLIENT_SECRET])
+            @error = INVALID_CLIENT
+            @error_description = 'Parameter client_secret does not match'
+          end
+        end
+        
+        def validate_scope
+          if @authorization and not @authorization.in_scope?(scopes)
+            @error = INVALID_SCOPE
+            @error_description = 'The request scope was never granted by the user'
+          end
+        end
+        
+        def validate_authorization_code
+          unless @params[CODE]
+            @error = INVALID_REQUEST
+            @error_description = "Missing required parameter code"
+          end
+          
+          if @client.redirect_uri and @client.redirect_uri != @params[REDIRECT_URI]
+            @error = REDIRECT_MISMATCH
+            @error_description = "Parameter redirect_uri does not match registered URI"
+          end
+          
+          unless @params.has_key?(REDIRECT_URI)
+            @error = INVALID_REQUEST
+            @error_description = "Missing required parameter redirect_uri"
+          end
+          
+          return if @error
+          
+          @authorization = @client.authorizations.find_by_code(@params[CODE])
+          validate_authorization
+        end
+        
+        def validate_password
+          REQUIRED_PASSWORD_PARAMS.each do |param|
+            next if @params.has_key?(param)
+            @error = INVALID_REQUEST
+            @error_description = "Missing required parameter #{param}"
+          end
+          
+          return if @error
+          
+          @authorization = Provider.handle_password(@client, @params[USERNAME], @params[PASSWORD], scopes)
+          return validate_authorization if @authorization
+          
+          @error = INVALID_GRANT
+          @error_description = 'The access grant you supplied is invalid'
+        end
+        
+        def validate_assertion
+          REQUIRED_ASSERTION_PARAMS.each do |param|
+            next if @params.has_key?(param)
+            @error = INVALID_REQUEST
+            @error_description = "Missing required parameter #{param}"
+          end
+          
+          if @params[ASSERTION_TYPE]
+            uri = URI.parse(@params[ASSERTION_TYPE]) rescue nil
+            unless uri and uri.absolute?
+              @error = INVALID_REQUEST
+              @error_description = 'Parameter assertion_type must be an absolute URI'
+            end
+          end
+          
+          return if @error
+          
+          assertion = Assertion.new(@params)
+          @authorization = Provider.handle_assertion(@client, assertion, scopes)
+          return validate_authorization if @authorization
+          
+          @error = UNAUTHORIZED_CLIENT
+          @error_description = 'Client cannot use the given assertion type'
+        end
+        
+        def validate_refresh_token
+          refresh_token_hash = Songkick::OAuth2.hashify(@params[REFRESH_TOKEN])
+          @authorization = @client.authorizations.find_by_refresh_token_hash(refresh_token_hash)
+          validate_authorization
+        end
+        
+        def validate_authorization
+          unless @authorization
+            @error = INVALID_GRANT
+            @error_description = 'The access grant you supplied is invalid'
+          end
+          
+          if @authorization and @authorization.expired?
+            @error = INVALID_GRANT
+            @error_description = 'The access grant you supplied is invalid'
+          end
+        end
+      end
+      
+      class Assertion
+        attr_reader :type, :value
+        def initialize(params)
+          @type  = params[ASSERTION_TYPE]
+          @value = params[ASSERTION]
+        end
+      end
+      
+    end
+  end
+end
+

data/lib/songkick/oauth2/router.rb

@@ -0,0 +1,79 @@
+require 'base64'
+require 'rack'
+
+module Songkick
+  module OAuth2
+    class Router
+      
+      # Public methods in the namespace take either Rack env objects, or Request
+      # objects from Rails/Sinatra and an optional params hash which it then
+      # coerces to Rack requests. This is for backward compatibility; originally
+      # it only took request objects.
+      
+      class << self
+        def parse(resource_owner, env)
+          error   = detect_transport_error(env)
+          request = request_from(env)
+          params  = request.params
+          auth    = auth_params(env)
+          
+          if auth[CLIENT_ID] and auth[CLIENT_ID] != params[CLIENT_ID]
+            error ||= Provider::Error.new("#{CLIENT_ID} from Basic Auth and request body do not match")
+          end
+          
+          params = params.merge(auth)
+          
+          if params[GRANT_TYPE]
+            error ||= Provider::Error.new('must be a POST request') unless request.post?
+            Provider::Exchange.new(resource_owner, params, error)
+          else
+            Provider::Authorization.new(resource_owner, params, error)
+          end
+        end
+        
+        def access_token(resource_owner, scopes, env)
+          access_token = access_token_from_request(env)
+          Provider::AccessToken.new(resource_owner,
+                                    scopes,
+                                    access_token,
+                                    detect_transport_error(env))
+        end
+
+        def access_token_from_request(env)
+          request = request_from(env)
+          params  = request.params
+          header  = request.env['HTTP_AUTHORIZATION']
+          
+          header && header =~ /^OAuth\s+/ ?
+              header.gsub(/^OAuth\s+/, '') :
+              params[OAUTH_TOKEN]
+        end
+        
+      private
+        
+        def request_from(env_or_request)
+          env = env_or_request.respond_to?(:env) ? env_or_request.env : env_or_request
+          env = Rack::MockRequest.env_for(env['REQUEST_URI'] || '', :input => env['RAW_POST_DATA']).merge(env)
+          Rack::Request.new(env)
+        end
+        
+        def auth_params(env)
+          return {} unless basic = env['HTTP_AUTHORIZATION']
+          parts = basic.split(/\s+/)
+          username, password = Base64.decode64(parts.last).split(':')
+          {CLIENT_ID => username, CLIENT_SECRET => password}
+        end
+        
+        def detect_transport_error(env)
+          request = request_from(env)
+          
+          if Provider.enforce_ssl and not request.ssl?
+            Provider::Error.new("must make requests using HTTPS")
+          end
+        end
+      end
+      
+    end
+  end
+  end
+

data/lib/songkick/oauth2/schema.rb

@@ -0,0 +1,17 @@
+module Songkick
+  module OAuth2
+    
+    class Schema
+      def self.up
+        ActiveRecord::Base.logger ||= Logger.new(StringIO.new)
+        ActiveRecord::Migrator.up(migrations_path)
+      end
+      
+      def self.migrations_path
+        File.expand_path('../schema', __FILE__)
+      end
+    end
+    
+  end
+end
+

data/lib/songkick/oauth2/schema/20120828112156_songkick_oauth2_schema_original_schema.rb

@@ -0,0 +1,36 @@
+class SongkickOauth2SchemaOriginalSchema < ActiveRecord::Migration
+  def self.up
+    create_table :oauth2_clients do |t|
+      t.timestamps
+      t.string     :oauth2_client_owner_type
+      t.integer    :oauth2_client_owner_id
+      t.string     :name
+      t.string     :client_id
+      t.string     :client_secret_hash
+      t.string     :redirect_uri
+    end
+    add_index :oauth2_clients, :client_id
+    
+    create_table :oauth2_authorizations do |t|
+      t.timestamps
+      t.string     :oauth2_resource_owner_type
+      t.integer    :oauth2_resource_owner_id
+      t.belongs_to :client
+      t.string     :scope
+      t.string     :code,               :limit => 40
+      t.string     :access_token_hash,  :limit => 40
+      t.string     :refresh_token_hash, :limit => 40
+      t.datetime   :expires_at
+    end
+    add_index :oauth2_authorizations, [:client_id, :code]
+    add_index :oauth2_authorizations, [:access_token_hash]
+    add_index :oauth2_authorizations, [:client_id, :access_token_hash]
+    add_index :oauth2_authorizations, [:client_id, :refresh_token_hash]
+  end
+  
+  def self.down
+    drop_table :oauth2_clients
+    drop_table :oauth2_authorizations
+  end
+end
+

data/spec/factories.rb

@@ -0,0 +1,27 @@
+require 'factory_girl'
+
+Factory.sequence :client_name do |n|
+  "Client ##{n}"
+end
+
+Factory.sequence :user_name do |n|
+  "User ##{n}"
+end
+
+Factory.define :owner, :class => TestApp::User do |u|
+  u.name { Factory.next :user_name }
+end
+
+Factory.define :client, :class => Songkick::OAuth2::Model::Client do |c|
+  c.client_id     { Songkick::OAuth2.random_string }
+  c.client_secret { Songkick::OAuth2.random_string }
+  c.name          { Factory.next :client_name }
+  c.redirect_uri  'https://client.example.com/cb'
+end
+
+Factory.define :authorization, :class => Songkick::OAuth2::Model::Authorization do |ac|
+  ac.client     Factory(:client)
+  ac.code       { Songkick::OAuth2.random_string }
+  ac.expires_at nil
+end
+

data/spec/request_helpers.rb

@@ -0,0 +1,52 @@
+module RequestHelpers
+  require 'net/http'
+  
+  def get(query_params)
+    qs  = params.map { |k,v| "#{ CGI.escape k.to_s }=#{ CGI.escape v.to_s }" }.join('&')
+    uri = URI.parse('http://localhost:8000/authorize?' + qs)
+    Net::HTTP.get_response(uri)
+  end
+  
+  def allow_or_deny(query_params)
+    Net::HTTP.post_form(URI.parse('http://localhost:8000/allow'), query_params)
+  end
+  
+  def post_basic_auth(auth_params, query_params)
+    url = "http://#{ auth_params['client_id'] }:#{ auth_params['client_secret'] }@localhost:8000/authorize"
+    Net::HTTP.post_form(URI.parse(url), query_params)
+  end
+  
+  def post(query_params)
+    Net::HTTP.post_form(URI.parse('http://localhost:8000/authorize'), query_params)
+  end
+  
+  def validate_response(response, status, body)
+    response.code.to_i.should == status
+    response.body.should == body
+    response['Cache-Control'].should == 'no-store'
+  end
+  
+  def validate_json_response(response, status, body)
+    response.code.to_i.should == status
+    JSON.parse(response.body).should == body
+    response['Content-Type'].should == 'application/json'
+    response['Cache-Control'].should == 'no-store'
+  end
+  
+  def mock_request(request_class, stubs = {})
+    mock_request = mock(request_class)
+    method_stubs = {
+      :redirect?        => false,
+      :response_body    => nil,
+      :response_headers => {},
+      :response_status  => 200
+    }.merge(stubs)
+    
+    method_stubs.each do |method, value|
+      mock_request.should_receive(method).and_return(value)
+    end
+    
+    mock_request
+  end
+end
+