the_garage 2.0.0

data/lib/garage/resource_casting_responder.rb

@@ -0,0 +1,13 @@
+module Garage::ResourceCastingResponder
+  def initialize(*args)
+    super
+    @caster = Garage.configuration.cast_resource
+  end
+
+  def display(resource, given_options={})
+    if @caster
+      resource = @caster.call(resource)
+    end
+    super(resource, given_options)
+  end
+end

data/lib/garage/restful_actions.rb

@@ -0,0 +1,219 @@
+# Public: mixes in CRUD controller actions to your Action Controller
+# classes to provide a simple RESTful actions that provides
+# resource-based permissions with built-in integrations with
+# Doorkeeper scopes.
+#
+# Examples
+#
+#   class PostsController < ApiController
+#     include Garage::RestfulActions
+#
+#     def require_resources
+#       @resources = Post.all
+#     end
+#
+#     def require_resource
+#       @resource = Post.find(params[:id])
+#     end
+#   end
+module Garage
+  module RestfulActions
+    extend ActiveSupport::Concern
+
+    included do
+      before_action :require_resource, :only => [:show, :update, :destroy]
+      before_action :require_resources, :only => [:index, :create]
+      before_action :require_action_permission_crud, :only => [:index, :create, :show, :update, :destroy], :if => -> (_) { verify_permission? }
+    end
+
+    module ClassMethods
+      def resource_class=(klass)
+        @resource_class = klass
+      end
+
+      def resource_class
+        @resource_class ||= name.sub(/Controller\z/, '').demodulize.singularize.constantize
+      end
+    end
+
+    # Public: List resources
+    # Renders `@resources` with options specified with `respond_with_resources_options`
+    # Requires `:read` permission on `resource_class` specified for `@resources`
+    def index
+      respond_with @resources, respond_with_resources_options
+    end
+
+    # Public: Get the resource
+    # Renders `@resource` with options specified with `respond_with_resource_options`
+    # Requries `:read` permission on `@resource`
+    def show
+      respond_with @resource, respond_with_resource_options
+    end
+
+    # Public: Create a new resource
+    # Calls `create_resource` in your controller to create a new resource
+    # Requires `:write` permission on `resource_class` specified for `@resources`
+    def create
+      @resource = create_resource
+      respond_with @resource, :location => location
+    end
+
+    # Public: Update the resource
+    # Calls `update_resource` in your controller to update `@resource`
+    # Requires `:write` permission on `@resource`
+    def update
+      @resource = update_resource
+      respond_with @resource, respond_with_resource_options
+    end
+
+    # Public: Delete the resource
+    # Calls `destroy_resource` in your controller to destroy `@resource`
+    # Requires `:write` permission on `@resource`
+    def destroy
+      @resource = destroy_resource
+      respond_with @resource, respond_with_resource_options
+    end
+
+    private
+
+    # Private: returns either `:read` or `:write`, depending on the current action name
+    def current_operation
+      if %w[create update destroy].include?(action_name)
+        :write
+      else
+        :read
+      end
+    end
+
+    # Private: Call this method to require additional permission on
+    # extra resource your controller handles. It will check if the
+    # current request user has permission to perform the operation
+    # (`:read` or `:write`) on the resource.
+    #
+    # Examples
+    #
+    #   before_action :require_recipe
+    #   def require_recipe
+    #     @recipe = Recipe.find(params[:recipe_id])
+    #     require_permission! @recipe, :read
+    #   end
+    def require_permission!(resource, operation = nil)
+      operation ||= current_operation
+      resource.authorize!(current_resource_owner, operation)
+    end
+
+    # Private: Call this method to require additional access on extra
+    # resource class your controller needs access to. It will check if
+    # the current request token has an access permission (scope) to
+    # perform the operation (`:read` or `:write`) on the resource
+    # class.
+    #
+    # Examples
+    #
+    #   before_action :require_stream
+    #   def require_stream
+    #     require_access! PostStream, :read
+    #   end
+    def require_access!(resource, operation = nil)
+      operation ||= current_operation
+      ability_from_token.access!(resource.resource_class, operation)
+    end
+
+    # Private: Call this method to require additional access and
+    # permission on extra resource your controller performs operation
+    # on.
+    def require_access_and_permission!(resource, operation = nil)
+      require_permission!(resource, operation)
+      require_access!(resource, operation)
+    end
+
+    def require_action_permission_crud
+      if operated_resource
+        require_access_and_permission!(operated_resource, current_operation)
+      else
+        Rails.logger.debug "skipping permissions check since there's no @resource(s) set"
+      end
+    end
+
+    alias :require_action_permission :require_action_permission_crud
+
+    # Private: Call this method if you need to *change* the target
+    # resource to provision access and permission.
+    #
+    #   def require_resources
+    #     @resources = Post.where(user_id: @user.id)
+    #   end
+    #
+    # By default, in `index` and `create` actions, Garage will check
+    # `:read` and `:write` access respectively on the default
+    # `resource_class` of `@resources`, in this case Post class.  If
+    # you need more fine grained control than that, you should specify
+    # the optional parameters here, such as:
+    #
+    #   def require_resources
+    #     @resources = Post.where(user_id: @user.id)
+    #     protect_source_as PrivatePost, user: @user
+    #   end
+    #
+    # This way, the token should require access scope to `PrivatePost`
+    # (instead of `Post`), and the authorized user should have a
+    # permission to operate the action on resources owned by `@user`
+    # (instead of public). The `:user` option will be passed as
+    # parameters to `build_permissions` class method.
+    def protect_resource_as(klass, args = {})
+      if klass.is_a?(Hash)
+        klass, args = self.class.resource_class, klass
+      end
+      @operated_resource = MetaResource.new(klass, args)
+    end
+
+    def operated_resource
+      if @operated_resource
+        @operated_resource
+      elsif @resources
+        MetaResource.new(self.class.resource_class)
+      else
+        @resource
+      end
+    end
+
+    # Override to set @resource
+    def require_resource
+      raise NotImplementedError, "#{self.class}#require_resource is not implemented"
+    end
+
+    # Override to set @resources
+    def require_resources
+      raise NotImplementedError, "#{self.class}#require_resources is not implemented"
+    end
+
+    # Override to create a new resource
+    def create_resource
+      raise NotImplementedError, "#{self.class}#create_resource is not implemented"
+    end
+
+    # Override to update @resource
+    def update_resource
+      raise NotImplementedError, "#{self.class}#update_resource is not implemented"
+    end
+
+    # Override to destroy @resource
+    def destroy_resource
+      raise NotImplementedError, "#{self.class}#destroy_resource is not implemented"
+    end
+
+    # Override this if you want to pass options to respond_with in index action
+    def respond_with_resources_options
+      {}
+    end
+
+    # Override this if you want to pass options to respond_with in show, update and destroy actions
+    def respond_with_resource_options
+      {}
+    end
+
+    def location
+      { action: :show, id: @resource.id } if @resource.try(:respond_to?, :id)
+    end
+  end
+end

data/lib/garage/strategy/access_token.rb

@@ -0,0 +1,57 @@
+module Garage
+  module Strategy
+    class AccessToken
+      attr_reader :scope, :token, :token_type
+
+      def initialize(attrs)
+        @scope, @token, @token_type = attrs[:scope], attrs[:token], attrs[:token_type]
+        @application_id, @resource_owner_id = attrs[:application_id], attrs[:resource_owner_id]
+        @expired_at, @revoked_at = attrs[:expired_at], attrs[:revoked_at]
+      end
+
+      def application_id
+        @application_id.try(:to_i)
+      end
+
+      def resource_owner_id
+        @resource_owner_id.try(:to_i)
+      end
+
+      def expired_at
+        @expired_at.present? ? Time.zone.parse(@expired_at) : nil
+      rescue ArgumentError, TypeError
+        nil
+      end
+
+      def revoked_at
+        @revoked_at.present? ? Time.zone.parse(@revoked_at) : nil
+      rescue ArgumentError, TypeError
+        nil
+      end
+
+      def scopes
+        scope.try(:split, ' ')
+      end
+
+      def acceptable?(required_scopes)
+        accessible? && includes_scope?(required_scopes)
+      end
+
+      def accessible?
+        !expired? && !revoked?
+      end
+
+      def revoked?
+        !!revoked_at.try(:past?)
+      end
+
+      def expired?
+        !!expired_at.try(:past?)
+      end
+
+      def includes_scope?(required_scopes)
+        required_scopes.blank? || required_scopes.any? { |s| scopes.exists?(s) }
+      end
+    end
+  end
+end

data/lib/garage/strategy/auth_server.rb

@@ -0,0 +1,200 @@
+require 'json'
+require 'net/http'
+require 'uri'
+
+module Garage
+  module Strategy
+    module AuthServer
+      extend ActiveSupport::Concern
+
+      included do
+        before_action :verify_auth, if: -> (_) { verify_permission? }
+      end
+
+      def access_token
+        if defined?(@access_token)
+          @access_token
+        else
+          @access_token = AccessTokenFetcher.fetch(request)
+        end
+      end
+
+      def verify_permission?
+        true
+      end
+
+      module Cache
+        def self.with_cache(key)
+          return yield unless Garage.configuration.cache_acceess_token_validation?
+
+          cached_token = Rails.cache.read(key)
+          return cached_token if cached_token && !cached_token.expired?
+
+          token = yield
+          Rails.cache.write(key, token, expires_in: default_ttl) if token && token.accessible?
+          token
+        end
+
+        def self.default_ttl
+          Garage.configuration.ttl_for_access_token_cache
+        end
+      end
+
+      # Returns an AccessToken from request object or returns nil if failed.
+      class AccessTokenFetcher
+        READ_TIMEOUT = 1
+        OPEN_TIMEOUT = 1
+        USER_AGENT = "Garage #{Garage::VERSION}"
+
+        def self.fetch(*args)
+          new(*args).fetch
+        end
+
+        def initialize(request)
+          @request = request
+        end
+
+        def fetch
+          if has_any_valid_credentials?
+            if has_cacheable_credentials?
+              fetch_with_cache
+            else
+              fetch_without_cache
+            end
+          else
+            nil
+          end
+        rescue Timeout::Error
+          raise AuthBackendTimeout.new(OPEN_TIMEOUT, read_timeout)
+        end
+
+        private
+
+        def get
+          raw = http_client.get(path_with_query, header)
+          Response.new(raw)
+        end
+
+        def header
+          {
+            'Authorization' => @request.authorization,
+            'Host' => Garage.configuration.auth_server_host,
+            'Resource-Owner-Id' => @request.headers['Resource-Owner-Id'],
+            'Scopes' => @request.headers['Scopes'],
+            'User-Agent' => USER_AGENT,
+          }.reject {|_, v| v.nil? }
+        end
+
+        def path_with_query
+          result = uri.path
+          result << "?" + query unless query.empty?
+          result
+        end
+
+        def query
+          @query ||= @request.params.slice(:access_token, :bearer_token).to_query
+        end
+
+        def uri
+          @uri ||= URI.parse(auth_server_url)
+        end
+
+        def http_client
+          client = Net::HTTP.new(uri.host, uri.port)
+          client.use_ssl = true if uri.scheme == 'https'
+          client.read_timeout = read_timeout
+          client.open_timeout = OPEN_TIMEOUT
+          client
+        end
+
+        def auth_server_url
+          Garage.configuration.auth_server_url or raise NoUrlError
+        end
+
+        def read_timeout
+          Garage.configuration.auth_server_timeout or READ_TIMEOUT
+        end
+
+        def has_any_valid_credentials?
+          @request.authorization.present? ||
+            @request.params[:access_token].present? ||
+            @request.params[:bearer_token].present?
+        end
+
+        # Cacheable requests are:
+        #   - Bearer token request with `Authorization` header.
+        #
+        # We don't cache these requests because they are less requested:
+        #   - Bearer token request with query parameter which has been deprecated.
+        #   - Any other token type.
+        def has_cacheable_credentials?
+          bearer_token.present?
+        end
+
+        def bearer_token
+          @bearer_token ||= @request.authorization.try {|o| o.slice(/\ABearer\s+(.+)\z/, 1) }
+        end
+
+        def fetch_with_cache
+          Cache.with_cache("garage_gem/token_cache/#{Garage::VERSION}/#{bearer_token}") do
+            fetch_without_cache
+          end
+        end
+
+        def fetch_without_cache
+          response = get
+          if response.valid?
+            Garage::Strategy::AccessToken.new(response.to_hash)
+          else
+            if response.status_code == 401
+              nil
+            else
+              raise AuthBackendError.new(response)
+            end
+          end
+        end
+      end
+
+      class Response
+        def initialize(raw)
+          @raw = raw
+        end
+
+        def valid?
+          status_code == 200 && json? && parsed_body.is_a?(Hash)
+        end
+
+        def to_hash
+          parsed_body.symbolize_keys
+        end
+
+        def status_code
+          @raw.code.to_i
+        end
+
+        def body
+          @raw.body
+        end
+
+        private
+
+        def json?
+          parsed_body
+          true
+        rescue JSON::ParserError
+          false
+        end
+
+        def parsed_body
+          @parsed_body ||= JSON.parse(body)
+        end
+      end
+
+      class NoUrlError < StandardError
+        def message
+          'You must set Garage.configuration.auth_server_url'
+        end
+      end
+    end
+  end
+end