tpitale-rack-oauth2-server 2.2.1

data/lib/rack/oauth2/server/admin.rb

@@ -0,0 +1,250 @@
+require "sinatra/base"
+require "json"
+require "rack/oauth2/server"
+require "rack/oauth2/sinatra"
+
+module Rack
+  module OAuth2
+    class Server
+      class Admin < ::Sinatra::Base
+
+        class << self
+
+          # Rack module that mounts the specified class on the specified path,
+          # and passes all other request to the application.
+          class Mount
+            class << self
+              def mount(klass, path)
+                @klass = klass
+                @path = path
+                @match = /^#{Regexp.escape(path)}(\/.*|$)?/
+              end
+
+              attr_reader :klass, :path, :match
+            end
+
+            def initialize(app)
+              @pass = app
+              @admin = self.class.klass.new
+            end
+
+            def call(env)
+              path = env["PATH_INFO"].to_s
+              script_name = env['SCRIPT_NAME']
+              if path =~ self.class.match && rest = $1
+                env.merge! "SCRIPT_NAME"=>(script_name + self.class.path), "PATH_INFO"=>rest
+                return @admin.call(env)
+              else
+                return @pass.call(env)
+              end
+            end
+          end
+
+          # Returns Rack handle that mounts Admin on the specified path, and
+          # forwards all other requests back to the application.
+          #
+          # @param [String, nil] path The path to mount on, defaults to
+          # /oauth/admin
+          # @return [Object] Rack module
+          #
+          # @example To include Web admin in Rails 2.x app:
+          #   config.middleware.use Rack::OAuth2::Server::Admin.mount
+          def mount(path = "/oauth/admin")
+            mount = Class.new(Mount)
+            mount.mount Admin, "/oauth/admin"
+            mount
+          end
+
+        end
+
+
+        # Client application identified, require to authenticate.
+        set :client_id, nil
+        # Client application secret, required to authenticate.
+        set :client_secret, nil
+        # Endpoint for requesing authorization, defaults to /oauth/admin.
+        set :authorize, nil
+        # Will map an access token identity into a URL in your application,
+        # using the substitution value "{id}", e.g.
+        # "http://example.com/users/#{id}")
+        set :template_url, nil
+        # Forces all requests to use HTTPS (true by default except in
+        # development mode).
+        set :force_ssl, !development?
+        # Common scope shown and added by default to new clients.
+        set :scope, []
+
+
+        set :logger, ::Rails.logger if defined?(::Rails)
+        # Number of tokens to return in each page.
+        set :tokens_per_page, 100
+        set :public, ::File.dirname(__FILE__) + "/../admin"
+        set :method_override, true
+        mime_type :js, "text/javascript"
+        mime_type :tmpl, "text/x-jquery-template"
+
+        register Rack::OAuth2::Sinatra
+
+        # Force HTTPS except for development environment.
+        before do
+          redirect request.url.sub(/^http:/, "https:") if settings.force_ssl && request.scheme != "https"
+        end
+
+
+        # -- Static content --
+
+        # It's a single-page app, this is that single page.
+        get "/" do
+          send_file settings.public + "/views/index.html"
+        end
+
+        # Service JavaScript, CSS and jQuery templates from the gem.
+        %w{js css views}.each do |path|
+          get "/#{path}/:name" do
+            send_file settings.public + "/#{path}/" + params[:name]
+          end
+        end
+
+
+        # -- Getting an access token --
+
+        # To get an OAuth token, you need client ID and secret, two values we
+        # didn't pass on to the JavaScript code, so it has no way to request
+        # authorization directly. Instead, it redirects to this URL which in turn
+        # redirects to the authorization endpoint. This redirect does accept the
+        # state parameter, which will be returned after authorization.
+        get "/authorize" do
+          redirect_uri = "#{request.scheme}://#{request.host}:#{request.port}#{request.script_name}"
+          query = { :client_id=>settings.client_id, :client_secret=>settings.client_secret, :state=>params[:state],
+                    :response_type=>"token", :scope=>"oauth-admin", :redirect_uri=>redirect_uri }
+          auth_url = settings.authorize || "#{request.scheme}://#{request.host}:#{request.port}/oauth/authorize"
+          redirect "#{auth_url}?#{Rack::Utils.build_query(query)}"
+        end
+
+
+        # -- API --
+       
+        oauth_required "/api/clients", "/api/client/:id", "/api/client/:id/revoke", "/api/token/:token/revoke", :scope=>"oauth-admin"
+
+        get "/api/clients" do
+          content_type "application/json"
+          json = { :list=>Server::Client.all.map { |client| client_as_json(client) },
+                   :scope=>Server::Utils.normalize_scope(settings.scope),
+                   :history=>"#{request.script_name}/api/clients/history",
+                   :tokens=>{ :total=>Server::AccessToken.count, :week=>Server::AccessToken.count(:days=>7),
+                              :revoked=>Server::AccessToken.count(:days=>7, :revoked=>true) } }
+          json.to_json
+        end
+
+        # get "/api/clients/history" do
+        #   content_type "application/json"
+        #   { :data=>Server::AccessToken.historical }.to_json
+        # end
+
+        post "/api/clients" do
+          begin
+            client = Server::Client.create(validate_params(params))
+            redirect "#{request.script_name}/api/client/#{client.id}"
+          rescue
+            halt 400, $!.message
+          end
+        end
+
+        get "/api/client/:id" do
+          content_type "application/json"
+          client = Server::Client.find(params[:id])
+          json = client_as_json(client, true)
+
+          page = [params[:page].to_i, 1].max
+          offset = (page - 1) * settings.tokens_per_page
+          total = Server::AccessToken.count(:client_id=>client.id)
+          tokens = Server::AccessToken.for_client(params[:id], offset, settings.tokens_per_page)
+          json[:tokens] = { :list=>tokens.map { |token| token_as_json(token) } }
+          json[:tokens][:total] = total
+          json[:tokens][:page] = page
+          json[:tokens][:next] = "#{request.script_name}/client/#{params[:id]}?page=#{page + 1}" if total > page * settings.tokens_per_page
+          json[:tokens][:previous] = "#{request.script_name}/client/#{params[:id]}?page=#{page - 1}" if page > 1
+          json[:tokens][:total] = Server::AccessToken.count(:client_id=>client.id)
+          json[:tokens][:week] = Server::AccessToken.count(:client_id=>client.id, :days=>7)
+          json[:tokens][:revoked] = Server::AccessToken.count(:client_id=>client.id, :days=>7, :revoked=>true)
+
+          json.to_json
+        end
+
+        # get "/api/client/:id/history" do
+        #   content_type "application/json"
+        #   client = Server::Client.find(params[:id])
+        #   { :data=>Server::AccessToken.historical(:client_id=>client.id) }.to_json
+        # end
+
+        put "/api/client/:id" do
+          client = Server::Client.find(params[:id])
+          begin
+            client.update validate_params(params)
+            redirect "#{request.script_name}/api/client/#{client.id}"
+          rescue
+            halt 400, $!.message
+          end
+        end
+
+        delete "/api/client/:id" do
+          Server::Client.delete(params[:id])
+          200
+        end
+
+        post "/api/client/:id/revoke" do
+          client = Server::Client.find(params[:id])
+          client.revoke!
+          200
+        end
+
+        post "/api/token/:token/revoke" do
+          token = Server::AccessToken.from_token(params[:token])
+          token.revoke!
+          200
+        end
+
+        helpers do
+          def validate_params(params)
+            display_name = params[:displayName].to_s.strip
+            halt 400, "Missing display name" if display_name.empty?
+            link = URI.parse(params[:link].to_s.strip).normalize rescue nil
+            halt 400, "Link is not a URL (must be http://....)" unless link
+            halt 400, "Link must be an absolute URL with HTTP/S scheme" unless link.absolute? && %{http https}.include?(link.scheme)
+            redirect_uri = URI.parse(params[:redirectUri].to_s.strip).normalize rescue nil
+            halt 400, "Redirect URL is not a URL (must be http://....)" unless redirect_uri
+            halt 400, "Redirect URL must be an absolute URL with HTTP/S scheme" unless
+              redirect_uri.absolute? && %{http https}.include?(redirect_uri.scheme)
+            unless params[:imageUrl].nil? || params[:imageUrl].to_s.empty?
+              image_url = URI.parse(params[:imageUrl].to_s.strip).normalize rescue nil
+              halt 400, "Image URL must be an absolute URL with HTTP/S scheme" unless
+                image_url.absolute? && %{http https}.include?(image_url.scheme)
+            end
+            scope = Server::Utils.normalize_scope(params[:scope])
+            { :display_name=>display_name, :link=>link.to_s, :image_url=>image_url.to_s,
+              :redirect_uri=>redirect_uri.to_s, :scope=>scope, :notes=>params[:notes] }
+          end
+
+          def client_as_json(client, with_stats = false)
+            { "id"=>client.id.to_s, "secret"=>client.secret, :redirectUri=>client.redirect_uri,
+              :displayName=>client.display_name, :link=>client.link, :imageUrl=>client.image_url,
+              :notes=>client.notes, :scope=>client.scope,
+              :url=>"#{request.script_name}/api/client/#{client.id}",
+              :revoke=>"#{request.script_name}/api/client/#{client.id}/revoke",
+              :history=>"#{request.script_name}/api/client/#{client.id}/history",
+              :created=>client.created_at, :revoked=>client.revoked }
+          end
+
+          def token_as_json(token)
+            { :token=>token.token, :identity=>token.identity, :scope=>token.scope, :created=>token.created_at,
+              :expired=>token.expires_at, :revoked=>token.revoked,
+              :link=>settings.template_url && settings.template_url.gsub("{id}", token.identity),
+              :last_access=>token.last_access,
+              :revoke=>"#{request.script_name}/api/token/#{token.token}/revoke" }
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/errors.rb

@@ -0,0 +1,104 @@
+module Rack
+  module OAuth2
+    class Server
+
+      # Base class for all OAuth errors. These map to error codes in the spec.
+      class OAuthError < StandardError
+
+        def initialize(code, message)
+          super message
+          @code = code.to_sym
+        end
+
+        # The OAuth error code.
+        attr_reader :code
+      end
+
+      # The end-user or authorization server denied the request.
+      class AccessDeniedError < OAuthError
+        def initialize
+          super :access_denied, "You are now allowed to access this resource."
+        end
+      end
+
+      # Access token expired, client expected to request new one using refresh
+      # token.
+      class ExpiredTokenError < OAuthError
+        def initialize
+          super :expired_token, "The access token has expired."
+        end
+      end
+
+      # The client identifier provided is invalid, the client failed to
+      # authenticate, the client did not include its credentials, provided
+      # multiple client credentials, or used unsupported credentials type.
+      class InvalidClientError < OAuthError
+        def initialize
+          super :invalid_client, "Client ID and client secret do not match."
+        end
+      end
+     
+      # The provided access grant is invalid, expired, or revoked (e.g.  invalid
+      # assertion, expired authorization token, bad end-user password credentials,
+      # or mismatching authorization code and redirection URI).
+      class InvalidGrantError < OAuthError
+        def initialize(message = nil)
+          super :invalid_grant, message || "This access grant is no longer valid."
+        end
+      end
+
+      # Invalid_request, the request is missing a required parameter, includes an
+      # unsupported parameter or parameter value, repeats the same parameter, uses
+      # more than one method for including an access token, or is otherwise
+      # malformed.
+      class InvalidRequestError < OAuthError
+        def initialize(message)
+          super :invalid_request, message || "The request has the wrong parameters."
+        end
+      end
+
+      # The requested scope is invalid, unknown, or malformed.
+      class InvalidScopeError < OAuthError
+        def initialize
+          super :invalid_scope, "The requested scope is not supported."
+        end
+      end
+
+      # Access token expired, client cannot refresh and needs new authorization.
+      class InvalidTokenError < OAuthError
+        def initialize
+          super :invalid_token, "The access token is no longer valid."
+        end
+      end
+
+      # The redirection URI provided does not match a pre-registered value.
+      class RedirectUriMismatchError < OAuthError
+        def initialize
+          super :redirect_uri_mismatch, "Must use the same redirect URI you registered with us."
+        end
+      end
+
+      # The authenticated client is not authorized to use the access grant type provided.
+      class UnauthorizedClientError < OAuthError
+        def initialize
+          super :unauthorized_client, "You are not allowed to access this resource."
+        end
+      end
+
+      # This access grant type is not supported by this server.
+      class UnsupportedGrantType < OAuthError
+        def initialize
+          super :unsupported_grant_type, "This access grant type is not supported by this server."
+        end
+      end
+
+      # The requested response type is not supported by the authorization server.
+      class UnsupportedResponseTypeError < OAuthError
+        def initialize
+          super :unsupported_response_type, "The requested response type is not supported."
+        end
+      end
+
+    end
+  end
+end

data/lib/rack/oauth2/server/helper.rb

@@ -0,0 +1,147 @@
+module Rack
+  module OAuth2
+    class Server
+
+      # Helper methods that provide access to the OAuth state during the
+      # authorization flow, and from authenticated requests. For example:
+      #
+      #   def show
+      #     logger.info "#{oauth.client.display_name} accessing #{oauth.scope}"
+      #   end
+      class Helper
+
+        def initialize(request, response)
+          @request, @response = request, response
+        end
+
+        # Returns the access token. Only applies if client authenticated.
+        #
+        # @return [String, nil] Access token, if authenticated
+        def access_token
+          @access_token ||= @request.env["oauth.access_token"]
+        end
+
+        # True if client authenticated.
+        #
+        # @return [true, false] True if authenticated
+        def authenticated?
+          !!access_token
+        end
+
+        # Returns the authenticated identity. Only applies if client
+        # authenticated.
+        #
+        # @return [String, nil] Identity, if authenticated
+        def identity
+          @identity ||= @request.env["oauth.identity"]
+        end
+
+        # Returns the Client object associated with this request. Available if
+        # client authenticated, or while processing authorization request.
+        #
+        # @return [Client, nil] Client if authenticated, or while authorizing
+        def client
+          if access_token
+            @client ||= Server.get_access_token(access_token).client
+          elsif authorization
+            @client ||= Server.get_auth_request(authorization).client
+          end
+        end
+
+        # Returns scope associated with this request. Available if client
+        # authenticated, or while processing authorization request.
+        #
+        # @return [Array<String>, nil] Scope names, e.g ["read, "write"]
+        def scope
+          if access_token
+            @scope ||= Server.get_access_token(access_token).scope
+          elsif authorization
+            @scope ||= Server.get_auth_request(authorization).scope
+          end
+        end
+
+        # Rejects the request and returns 401 (Unauthorized). You can just
+        # return 401, but this also sets the WWW-Authenticate header the right
+        # value.
+        #
+        # @return 401
+        def no_access!
+          @response["oauth.no_access"] = "true"
+          @response.status = 401
+        end
+        
+        # Rejects the request and returns 403 (Forbidden). You can just
+        # return 403, but this also sets the WWW-Authenticate header the right
+        # value. Indicates which scope the client needs to make this request.
+        #
+        # @param [String] scope The missing scope, e.g. "read"
+        # @return 403
+        def no_scope!(scope)
+          @response["oauth.no_scope"] = scope.to_s
+          @response.status = 403
+        end
+
+        # Returns the authorization request handle. Available when starting an
+        # authorization request (i.e. /oauth/authorize).
+        #
+        # @return [String] Authorization handle
+        def authorization
+          @request_id ||= @request.env["oauth.authorization"] || @request.params["authorization"]
+        end
+
+        # Sets the authorization request handle. Use this during the
+        # authorization flow.
+        #
+        # @param [String] authorization handle
+        def authorization=(authorization)
+          @scope, @client = nil
+          @request_id = authorization
+        end
+
+        # Grant authorization request. Call this at the end of the authorization
+        # flow to signal that the user has authorized the client to access the
+        # specified identity. Don't render anything else.  Argument required if
+        # authorization handle is not passed in the request parameter
+        # +authorization+.
+        #
+        # @param [String, nil] authorization Authorization handle
+        # @param [String] identity Identity string
+        # @return 200
+        def grant!(auth, identity = nil)
+          auth, identity = authorization, auth unless identity
+          @response["oauth.authorization"] = auth.to_s
+          @response["oauth.identity"] = identity.to_s
+          @response.status = 200
+        end
+
+        # Deny authorization request. Call this at the end of the authorization
+        # flow to signal that the user has not authorized the client. Don't
+        # render anything else. Argument required if authorization handle is not
+        # passed in the request parameter +authorization+.
+        #
+        # @param [String, nil] auth Authorization handle
+        # @return 401
+        def deny!(auth = nil)
+          auth ||= authorization
+          @response["oauth.authorization"] = auth.to_s
+          @response.status = 403
+        end
+
+        # Returns all access tokens associated with this identity.
+        #
+        # @param [String] identity Identity string
+        # @return [Array<AccessToken>]
+        def list_access_tokens(identity)
+          Rack::OAuth2::Server.list_access_tokens(identity)
+        end
+
+        def inspect
+          authorization ? "Authorization request for #{Utils.normalize_scope(scope).join(",")} on behalf of #{client.display_name}" :
+          authenticated? ? "Authenticated as #{identity}" : nil
+        end
+
+      end
+
+    end
+  end
+end