stormpath-sdk 1.1.5 → 1.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 46abd12e70ce4548e31d07ce66c71ba8dab69f2f
-  data.tar.gz: 78fad31579495fabac7d82f64116ea20bd2bd6dc
+  metadata.gz: 23386924f0b6cb041d80e4900d5cba99cc93da80
+  data.tar.gz: 7e9d14180ef6f5e6fadfcb11836cf4e3ceca7ba5
 SHA512:
-  metadata.gz: 9b73fa8bebef8366861da8e42a728d3a08bb505454d54240656cea0e013d5800e414c585ced352ea9bcb77b8f145277d95ac1fba737b11040c5616224afcd33b
-  data.tar.gz: ba78d09dfed54133aa832f5853e79258f48216f726d25d4aa3942b7fba1654e4bf7a425f87f3947ca51dc99742061da79fba996970cf44f233a9b51b9e2394b7
+  metadata.gz: 15039329aa8f769f5b73bd763e2bb29df905a26f06782f7dcaac8cc17a5140f5244e2fb42d66d19afb4613d4dc833536c1e55994bc1e545e003a8252a858ffea
+  data.tar.gz: be5240dbe085d0566b3a1e1fb4a8cc39c0b566d7b7958fa655b373834a7c98be4f4885d7cb74547e9f4158cccc595540d04bcf4859033d840e8186caa8638e5f

data/.travis.yml

@@ -4,6 +4,7 @@ rvm:
 - 2.3.1
 services:
 - redis-server
+- memcached
 before_install:
   - gem install bundler
 env:

data/CHANGES.md

@@ -1,6 +1,26 @@
 stormpath-sdk-ruby Changelog
 ============================
 
+Version 1.2.0
+-------------
+
+Released on October 27, 2016
+
+- Add memcached store as option for the cache store
+- Implement http basic and bearer access token validation
+- Add get and create method on organizations accounts collection
+- Implement option to verify access_token locally and adjust current interface for it
+- Fix bug with searching accounts by custom data attributes
+- Fix bug when loading application that has a forward slash in client_id or client_secret
+- Add organizations endpoint on directory
+- Add option to exchange stormpath_token for an access_token with the registered status
+- Add support for organizationNameKey for oauth token exchange
+- Create social grant request as a new type of grant requests
+- Add request id to error resources
+- Support blacklisting/whitelisting domains in account creation policies for directories
+- Add 'Organization' as a valid type of account store
+
+
 Version 1.1.5
 -------------
 

data/README.md

@@ -10,7 +10,7 @@ application.
 ## Install
 
 ```sh
-$ gem install stormpath-sdk --pre
+$ gem install stormpath-sdk
 ```
 
 ## Provision Your Stormpath Account
@@ -193,6 +193,25 @@ in the hash of values passed on Client initialization:
   client = application.client
   ```
 
+To change the base_url for the Enterprise product, pass the following option to `Stormpath::Client.new()` :
+
+  ```ruby
+  client = Stormpath::Client.new(
+    api_key_file_location: '/some/path/to/apiKey.properties',
+    base_url: 'https://enterprise.stormpath.io/v1'
+  )
+  ```
+
+* By passing a composite application url to `Application.load`:
+
+  ```ruby
+  composite_url = "http://#{api_key_id}:#{api_key_secret}@api.stormpath.com/v1/applications/#{application_id}"
+
+  application = Stormpath::Resource::Application.load composite_url
+  client = application.client
+  ```
+
+
 ### Accessing Resources
 
 Most of the work you do with Stormpath is done through the applications
@@ -378,6 +397,22 @@ Again, with all these methods, You will want your application to link to an inte
 > NOTE:
 > A JWT will expire after 60 seconds of creation.
 
+#### Fetch Stormpath Access Token with username and password
+Stormpath can generate a brand new Access Token using the password grant type: User's credentials.
+
+To fetch the oauth token use the following snippet
+```ruby
+grant_request = Stormpath::Oauth::PasswordGrantRequest.new(email, password)
+response = application.authenticate_oauth(grant_request)
+```
+
+Just like with logging-in a user, it is possible to generate a token against a particular Application’s Account Store or Organization. To do so, specify the Account Store’s href or Organization’s nameKey as a parameter in the request:
+
+```ruby
+grant_request = Stormpath::Oauth::PasswordGrantRequest.new(email, password, organization_name_key: 'my-stormpath-organization')
+response = application.authenticate_oauth(grant_request)
+```
+
 #### Exchange ID Site token for a Stormpath Access Token
 After the user has been authenticated via ID Site, a developer may want to control their authorization with an OAuth 2.0 Token.
 This is done by passing the JWT similar to the way we passed the user’s credentials as described in [Generating an OAuth 2.0 Access Token][generate-oauth-access-token].
@@ -414,6 +449,45 @@ puts authentication_result.access_token
 puts authentication_result.refresh_token
 ```
 
+### Exchange ID site token for a Stormpath Access Token
+
+As a developer, I want to authenticate the user on ID Site but get an access token that I can store on the client to use to access my API.
+The oauth token endpoint will validate that:
+* the JWT is not tampered
+* has not expired
+* the account is still associated with the application and will return an access token
+* the status claim is either AUTHENTICATED or REGISTERED
+
+If you want to create a stormpath grant request with status <code>authenticated</code> you need to pass the account, application and api key id:
+
+```ruby
+stormpath_grant_request = Stormpath::Oauth::StormpathGrantRequest.new(
+  account,
+  application,
+  api_key_id
+)
+```
+
+If you have the status attribute set to <code>registered</code> then create the request like so:
+
+```ruby
+stormpath_grant_request = Stormpath::Oauth::StormpathGrantRequest.new(
+  account,
+  application,
+  api_key_id,
+  :registered
+)
+```
+
+And lastly authenticate with the created request instance:
+
+```ruby
+authentication_result = application.authenticate_oauth(stormpath_grant_request)
+
+puts authentication_result.access_token
+puts authentication_result.refresh_token
+```
+
 ### Registering Accounts
 
 Accounts are created on a directory instance. They can be created in two
@@ -478,8 +552,9 @@ end
 If you are moving from an existing user repository to Stormpath, you may have existing password hashes that you want to reuse to provide a seamless upgrade path for your end users.
 More info about this feature can be found [here][mcf-hash-password-doc]
 
-Example of creating an account with existing SHA-512 password hash. For details on other hashing algorithms chech the [documentation][stormpaht-hash-algorithm]
+Example of creating an account with existing SHA-512 password hash. For details on other hashing algorithms check the [documentation][stormpath-hash-algorithm]
 
+```ruby
 directory.accounts.create({
   username: "jlucpicard",
   email: "captain@enterprise.com",
@@ -487,6 +562,7 @@ directory.accounts.create({
   surname: "Picard",
   password: "$stormpath2$SHA-512$1$ZFhBRmpFSnEwVEx2ekhKS0JTMDJBNTNmcg==$Q+sGFg9e+pe9QsUdfnbJUMDtrQNf27ezTnnGllBVkQpMRc9bqH6WkyE3y0svD/7cBk8uJW9Wb3dolWwDtDLFjg=="
 }, password_format: 'mcf')
+```
 
 ### Authentication
 

data/lib/stormpath-sdk/auth/http_basic_authentication.rb

@@ -0,0 +1,47 @@
+module Stormpath
+  module Authentication
+    class HttpBasicAuthentication
+      BASIC_PATTERN = /^Basic /
+      attr_reader :application, :authorization_header
+
+      def initialize(application, authorization_header)
+        @application = application
+        @authorization_header = authorization_header
+        raise Stormpath::Error if authorization_header.nil?
+      end
+
+      def authenticate!
+        raise Stormpath::Error if fetched_api_key.nil?
+        raise Stormpath::Error if fetched_api_key.secret != api_key_secret
+        fetched_api_key
+      end
+
+      private
+
+      def fetched_api_key
+        @fetched_api_key ||= application.api_keys.search(id: api_key_id).first
+      end
+
+      def api_key_id
+        decoded_authorization_header.first
+      end
+
+      def api_key_secret
+        decoded_authorization_header.last
+      end
+
+      def decoded_authorization_header
+        @decoded_authorization_header ||= begin
+          api_key_and_secret = Base64.decode64(basic_authorization_header).split(':')
+          raise Stormpath::Error if api_key_and_secret.count != 2
+          api_key_and_secret
+        end
+      end
+
+      def basic_authorization_header
+        raise Stormpath::Error unless authorization_header =~ BASIC_PATTERN
+        authorization_header.gsub(BASIC_PATTERN, '')
+      end
+    end
+  end
+end

data/lib/stormpath-sdk/auth/http_bearer_authentication.rb

@@ -0,0 +1,27 @@
+module Stormpath
+  module Authentication
+    class HttpBearerAuthentication
+      BEARER_PATTERN = /^Bearer /
+      attr_reader :application, :authorization_header, :local
+
+      def initialize(application, authorization_header, options = {})
+        @application = application
+        @authorization_header = authorization_header
+        @local = options[:local] || false
+        raise Stormpath::Error if authorization_header.nil?
+      end
+
+      def authenticate!
+        Stormpath::Oauth::VerifyAccessToken.new(application, local: local)
+                                           .verify(bearer_access_token)
+      end
+
+      private
+
+      def bearer_access_token
+        raise Stormpath::Error unless authorization_header =~ BEARER_PATTERN
+        authorization_header.gsub(BEARER_PATTERN, '')
+      end
+    end
+  end
+end

data/lib/stormpath-sdk/cache/memcached_store.rb

@@ -0,0 +1,37 @@
+require 'memcached'
+
+module Stormpath
+  module Cache
+    class MemcachedStore
+      def initialize(opts = {})
+        options = nil if opts.blank?
+        @memcached = Memcached.new(options)
+      end
+
+      def get(key)
+        begin
+          entry = @memcached.get(key)
+          entry && Stormpath::Cache::CacheEntry.from_h(MultiJson.load(entry))
+        rescue Memcached::NotFound
+          nil
+        end
+      end
+
+      def put(key, entry)
+        @memcached.set(key, MultiJson.dump(entry.to_h))
+      end
+
+      def delete(key)
+        @memcached.delete(key)
+      end
+
+      def clear
+        @memcached.flush
+      end
+
+      def size
+        @memcached.stats[:curr_items]
+      end
+    end
+  end
+end

data/lib/stormpath-sdk/data_store.rb

@@ -63,6 +63,7 @@ class Stormpath::DataStore
   def create(parent_href, resource, return_type, options = {})
     #TODO assuming there is no ? in url
     parent_href = "#{parent_href}?#{URI.encode_www_form(options)}" unless options.empty?
+
     save_resource(parent_href, resource, return_type).tap do |returned_resource|
       if resource.kind_of? return_type
         resource.set_properties returned_resource.properties

data/lib/stormpath-sdk/error.rb

@@ -15,15 +15,15 @@
 #
 module Stormpath
   class Error < RuntimeError
+    attr_reader :status, :code, :developer_message, :more_info, :request_id
 
-    attr_reader :status, :code, :developer_message, :more_info
-
-    def initialize error = NilError.new
+    def initialize(error = NilError.new)
       super error.message
       @status = error.status
       @code = error.code
       @developer_message = error.developer_message
       @more_info = error.more_info
+      @request_id = error.request_id
     end
 
     private
@@ -34,7 +34,7 @@ module Stormpath
         def code; -1 end
         def developer_message; end
         def more_info; end
+        def request_id; end
       end
-
   end
-end
+end

data/lib/stormpath-sdk/http/http_client_request_executor.rb

@@ -36,8 +36,8 @@ module Stormpath
                  else
                    request.href
                  end
-  
-        if request.http_headers["Content-Type"] == "application/x-www-form-urlencoded" 
+
+        if request.http_headers["Content-Type"] == "application/x-www-form-urlencoded"
           @http_client.set_auth(request.href, request.api_key.id, request.api_key.secret)
         end
 
@@ -60,4 +60,3 @@ module Stormpath
     end
   end
 end
-

data/lib/stormpath-sdk/http/request.rb

@@ -21,12 +21,11 @@ module Stormpath
       attr_accessor :http_method, :href, :query_string, :http_headers, :body, :api_key
 
       def initialize(http_method, href, query_string, http_headers, body, api_key)
-
         splitted = href.split '?'
 
         @query_string = query_string || {}
 
-        if splitted and splitted.length > 1
+        if splitted && splitted.length > 1
           @href = splitted[0]
           query_string_str = splitted[1]
           query_string_arr = query_string_str.split '&'
@@ -43,33 +42,36 @@ module Stormpath
         @body = body
         @api_key = api_key
 
-        if body
-          @http_headers.store 'Content-Length', @body.bytesize
-        end
-
+        @http_headers.store 'Content-Length', @body.bytesize if body
       end
 
       def resource_uri
         URI href
       end
 
-      def to_s_query_string canonical
+      def to_s_query_string(canonical)
         result = ''
 
         unless @query_string.empty?
-          Hash[@query_string.sort].each do |key, value|
-
+          Hash[@query_string.sort_by(&:to_s)].each do |key, value|
             enc_key = encode_url key, false, canonical
             enc_value = encode_url value, false, canonical
 
             result << '&' unless result.empty?
-            result << enc_key.camelize(:lower) << '='<< enc_value
+            result << camelize(enc_key) << '=' << enc_value
           end
         end
 
         result
       end
 
+      def camelize(key)
+        custom_data_params?(key) ? key : key.camelize(:lower)
+      end
+
+      def custom_data_params?(key)
+        key.starts_with?('customData.')
+      end
     end
   end
 end

data/lib/stormpath-sdk/http/utils.rb

@@ -16,24 +16,27 @@
 module Stormpath
   module Http
     module Utils
-
       def default_port?(uri)
         scheme = uri.scheme.downcase
         port = uri.port
-        port <= 0 || (port == 80 && scheme.eql?("http")) || (port == 443 && scheme.eql?("https"))
+        port <= 0 || (port == 80 && scheme.eql?('http')) || (port == 443 && scheme.eql?('https'))
       end
 
       def encode_url(value, path, canonical)
-        return URI.escape(value.to_s) if path
+        value = value.to_s
+        return encoded_chars?(value) ? URI.encode(URI.decode(value)) : URI.encode(value) if path
 
         CGI.escape(value.to_s).tap do |encoded|
-          str_map = {'+' => '%20', '%7E' => '~' }
+          str_map = { '+' => '%20', '%7E' => '~' }
           str_map.each do |key, str_value|
             encoded.gsub!(key, str_value) if encoded.include? key
           end
         end
       end
 
+      def encoded_chars?(string)
+        string.include?('%2E')
+      end
     end
   end
-end
+end

data/lib/stormpath-sdk/oauth/authenticator.rb

@@ -23,7 +23,8 @@ module Stormpath
         refresh_token: RefreshToken,
         id_site_token: IdSiteGrant,
         stormpath_token: StormpathTokenGrant,
-        client_credentials: ClientCredentialsGrant
+        client_credentials: ClientCredentialsGrant,
+        stormpath_social: SocialGrant
       }.freeze
     end
   end

data/lib/stormpath-sdk/oauth/error.rb

@@ -1,13 +1,14 @@
 module Stormpath
   module Oauth
     class Error < Stormpath::Error
-      attr_accessor :status, :code, :message, :developer_message, :more_info
+      attr_accessor :status, :code, :message, :developer_message, :more_info, :request_id
 
       def initialize(type)
         @status  = errors[type][:status]
         @code    = errors[type][:code]
         @message = errors[type][:message]
         @developer_message = errors[type][:developer_message]
+        @request_id = errors[type][:request_id]
         super(self)
       end
 
@@ -18,21 +19,24 @@ module Stormpath
           jwt_cb_uri_incorrect: {
             status: 400,
             code: 400,
-            message: "The specified callback URI (cb_uri) is not valid",
-            developer_message: "The specified callback URI (cb_uri) is not valid. Make "\
-              "sure the callback URI specified in your ID Site configuration matches the value specified."
+            message: 'The specified callback URI (cb_uri) is not valid',
+            developer_message: 'The specified callback URI (cb_uri) is not valid. Make '\
+              'sure the callback URI specified in your ID Site configuration matches the value specified.',
+            request_id: 'Oauth error UUID'
           },
           jwt_expired: {
             status: 400,
             code: 10011,
-            message: "Token is invalid",
-            developer_message: "Token is no longer valid because it has expired"
+            message: 'Token is invalid',
+            developer_message: 'Token is no longer valid because it has expired',
+            request_id: 'Oauth error UUID'
           },
           jwt_invalid: {
             status: 400,
             code: 10012,
-            message: "Token is invalid",
-            developer_message: "Token is invalid because the issued at time (iat) is after the current time"
+            message: 'Token is invalid',
+            developer_message: 'Token is invalid because the issued at time (iat) is after the current time',
+            request_id: 'Oauth error UUID'
           }
         }
       end

data/lib/stormpath-sdk/oauth/local_access_token_verification.rb

@@ -0,0 +1,45 @@
+module Stormpath
+  module Oauth
+    class LocalAccessTokenVerification
+      attr_reader :application, :access_token
+
+      def initialize(application, access_token)
+        @application = application
+        @access_token = access_token
+      end
+
+      def verify
+        validate_jwt_is_an_access_token
+        validate_jwt_has_a_valid_issuer
+        LocalAccessTokenVerificationResult.new(application, decoded_jwt)
+      end
+
+      private
+
+      def decoded_jwt
+        begin
+          @decoded_jwt ||= JWT.decode(access_token, application.client.data_store.api_key.secret)
+        rescue JWT::ExpiredSignature
+          raise Stormpath::Oauth::Error, :jwt_expired
+        end
+      end
+
+      def validate_jwt_is_an_access_token
+        return if decoded_jwt.second['stt'] == 'access'
+        raise ArgumentError, 'Token is not an access token'
+      end
+
+      def validate_jwt_has_a_valid_issuer
+        return if decoded_jwt.first['iss'] == application.href
+        raise ArgumentError, 'Token issuer is invalid'
+      end
+    end
+
+    class LocalAccessTokenVerificationResult
+      attr_reader :account
+      def initialize(application, decoded_jwt)
+        @account = application.client.accounts.get(decoded_jwt.first['sub'])
+      end
+    end
+  end
+end

data/lib/stormpath-sdk/oauth/password_grant.rb

@@ -1,20 +1,22 @@
 module Stormpath
   module Oauth
     class PasswordGrant < Stormpath::Resource::Base
-      prop_accessor :grant_type, :username, :password
+      prop_accessor :grant_type, :username, :password, :organization_name_key
 
       def form_properties
-        {
-          grant_type: grant_type,
-          username: username,
-          password: password
-        }
+        {}.tap do |form|
+          form[:grant_type] = grant_type
+          form[:username] = username
+          form[:password] = password
+          form[:organizationNameKey] = organization_name_key if organization_name_key.present?
+        end
       end
 
       def set_options(request)
+        set_property :grant_type, request.grant_type
         set_property :username, request.username
         set_property :password, request.password
-        set_property :grant_type, request.grant_type
+        set_property :organization_name_key, request.organization_name_key
       end
 
       def form_data?

data/lib/stormpath-sdk/oauth/password_grant_request.rb

@@ -1,12 +1,13 @@
 module Stormpath
   module Oauth
     class PasswordGrantRequest
-      attr_accessor :grant_type, :username, :password
+      attr_accessor :grant_type, :username, :password, :organization_name_key
 
-      def initialize(username, password)
+      def initialize(username, password, options = {})
         @username = username
         @password = password
         @grant_type = "password"
+        @organization_name_key = options[:organization_name_key]
       end
     end
   end