tpitale-rack-oauth2-server 2.2.1

data/lib/rack/oauth2/server/practice.rb

@@ -0,0 +1,79 @@
+require "rack/oauth2/server/admin"
+
+module Rack
+  module OAuth2
+    class Server
+      
+      class Practice < ::Sinatra::Base
+        register Rack::OAuth2::Sinatra
+
+        get "/" do
+          <<-HTML
+<html>
+  <head>
+    <title>OAuth 2.0 Practice Server</title>
+  </head>
+  <body>
+    <h1>Welcome to OAuth 2.0 Practice Server</h1>
+    <p>This practice server is for testing your OAuth 2.0 client library.</p>
+    <dl>
+      <dt>Authorization end-point:</dt>
+      <dd>http://#{request.host}:#{request.port}/oauth/authorize</dd>
+      <dt>Access token end-point:<//dt>
+      <dd>http://#{request.host}:#{request.port}/oauth/access_token</dd>
+      <dt>Resource requiring authentication:</dt>
+      <dd>http://#{request.host}:#{request.port}/secret</dd>
+      <dt>Resource requiring authorization and scope "sudo":</dt>
+      <dd>http://#{request.host}:#{request.port}/make</dd>
+    </dl>
+    <p>The scope can be "nobody", "sudo", "oauth-admin" or combination of the three.</p>
+    <p>You can manage client applications and tokens from the <a href="/oauth/admin">OAuth console</a>.</p>
+  </body>
+</html>
+          HTML
+        end
+
+        # -- Simple authorization --
+
+        get "/oauth/authorize" do
+          <<-HTML
+<html>
+  <head>
+    <title>OAuth 2.0 Practice Server</title>
+  </head>
+  <body>
+    <h1><a href="#{oauth.client.link}">#{oauth.client.display_name}</a> wants to access your account with the scope #{oauth.scope.join(", ")}</h1>
+    <form action="/oauth/grant" method="post" style="display:inline-block">
+      <button>Grant</button>
+      <input type="hidden" name="authorization" value="#{oauth.authorization}">
+    </form>
+    <form action="/oauth/deny" method="post" style="display:inline-block">
+      <button>Deny</button>
+      <input type="hidden" name="authorization" value="#{oauth.authorization}">
+    </form>
+  </body>
+</html>
+          HTML
+        end
+        post "/oauth/grant" do
+          oauth.grant! "Superman"
+        end
+        post "/oauth/deny" do
+          oauth.deny!
+        end
+
+        # -- Protected resources --
+
+        oauth_required "/secret"
+        get "/private" do
+          "You're awesome!"
+        end
+
+        oauth_required "/make", :scope=>"sudo"
+        get "/write" do
+          "Sandwhich"
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/railtie.rb

@@ -0,0 +1,24 @@
+require "rack/oauth2/server"
+require "rack/oauth2/rails"
+require "rails"
+
+module Rack
+  module OAuth2
+    class Server
+      # Rails 3.x integration.
+      class Railtie < ::Rails::Railtie # :nodoc:
+        config.oauth = Server::Options.new
+
+        initializer "rack-oauth2-server" do |app|
+          app.middleware.use ::Rack::OAuth2::Server, app.config.oauth
+          config.oauth.logger ||= ::Rails.logger
+          class ::ActionController::Base
+            helper ::Rack::OAuth2::Rails::Helpers
+            include ::Rack::OAuth2::Rails::Helpers
+            extend ::Rack::OAuth2::Rails::Filters
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rack/oauth2/server/utils.rb

@@ -0,0 +1,30 @@
+module Rack
+  module OAuth2
+    class Server
+
+      module Utils
+        module_function
+
+        # Parses the redirect URL, normalizes it and returns a URI object.
+        #
+        # Raises InvalidRequestError if not an absolute HTTP/S URL.
+        def parse_redirect_uri(redirect_uri)
+          raise InvalidRequestError, "Missing redirect URL" unless redirect_uri
+          uri = URI.parse(redirect_uri).normalize rescue nil
+          raise InvalidRequestError, "Redirect URL looks fishy to me" unless uri
+          raise InvalidRequestError, "Redirect URL must be absolute URL" unless uri.absolute? && uri.host
+          raise InvalidRequestError, "Redirect URL must point to HTTP/S location" unless uri.scheme == "http" || uri.scheme == "https"
+          uri
+        end
+
+        # Given scope as either array or string, return array of same names,
+        # unique and sorted.
+        def normalize_scope(scope)
+          (Array === scope ? scope.join(" ") : scope || "").split(/\s+/).compact.uniq.sort
+        end
+
+      end
+
+    end
+  end
+end

data/lib/rack/oauth2/sinatra.rb

@@ -0,0 +1,71 @@
+require "rack/oauth2/server"
+
+module Rack
+  module OAuth2
+
+    # Sinatra support.
+    #
+    # Adds oauth instance method that returns Rack::OAuth2::Helper, see there for
+    # more details.
+    #
+    # Adds oauth_required class method. Use this filter with paths that require
+    # authentication, and with paths that require client to have a specific
+    # access scope.
+    #
+    # Adds oauth setting you can use to configure the module (e.g. setting
+    # available scope, see example).
+    #
+    # @example
+    #   require "rack/oauth2/sinatra"
+    #   class MyApp < Sinatra::Base
+    #     register Rack::OAuth2::Sinatra
+    #     oauth[:scope] = %w{read write}
+    #
+    #     oauth_required "/api"
+    #     oauth_required "/api/edit", :scope=>"write"
+    #
+    #     before { @user = User.find(oauth.identity) if oauth.authenticated? }
+    #   end
+    #
+    # @see Helpers
+    module Sinatra
+
+      # Adds before filter to require authentication on all the listed paths.
+      # Use the :scope option if client must also have access to that scope.
+      #
+      # @param [String, ...] path One or more paths that require authentication
+      # @param [optional, Hash] options Currently only :scope is supported.
+      def oauth_required(*args)
+        options = args.pop if Hash === args.last
+        scope = options[:scope] if options
+        args.each do |path|
+          before path do
+            if oauth.authenticated?
+              if scope && !oauth.scope.include?(scope)
+                halt oauth.no_scope! scope
+              end
+            else
+              halt oauth.no_access!
+            end
+          end
+        end
+      end
+
+      module Helpers
+        # Returns the OAuth helper.
+        #
+        # @return [Server::Helper]
+        def oauth
+          @oauth ||= Server::Helper.new(request, response)
+        end
+      end
+
+      def self.registered(base)
+        base.helpers Helpers
+        base.set :oauth, Server::Options.new
+        base.use Server, base.settings.oauth
+      end
+
+    end
+  end
+end

data/rack-oauth2-server.gemspec

@@ -0,0 +1,24 @@
+$: << File.dirname(__FILE__) + "/lib"
+
+Gem::Specification.new do |spec|
+  spec.name           = "tpitale-rack-oauth2-server"
+  spec.version        = IO.read("VERSION")
+  spec.author         = "Assaf Arkin"
+  spec.email          = "assaf@labnotes.org"
+  spec.homepage       = "http://github.com/flowtown/#{spec.name}"
+  spec.summary        = "OAuth 2.0 Authorization Server as a Rack module for ActiveRecord"
+  spec.description    = "Because you don't allow strangers into your app, and OAuth 2.0 is the new awesome."
+  spec.post_install_message = "To get started, run the command oauth2-server"
+
+  spec.files          = Dir["{bin,lib,rails,test}/**/*", "CHANGELOG", "VERSION", "MIT-LICENSE", "README.rdoc", "Rakefile", "Gemfile", "*.gemspec"]
+  spec.executable     = "oauth2-server"
+
+  spec.extra_rdoc_files = "README.rdoc", "CHANGELOG"
+  spec.rdoc_options     = "--title", "tpitale-rack-oauth2-server #{spec.version}", "--main", "README.rdoc",
+                          "--webcvs", "http://github.com/tpitale/rack-oauth2-server"
+  spec.license          = "MIT"
+
+  spec.required_ruby_version = '>= 1.8.7'
+  spec.add_dependency "rack", "~>1.1"
+  spec.add_dependency "rails", ">= 2.3.11"
+end

data/rails/init.rb

@@ -0,0 +1,11 @@
+# Rails 2.x initialization.
+require "rack/oauth2/rails"
+
+config.extend ::Rack::OAuth2::Rails::Configuration
+config.oauth.logger ||= Rails.logger
+config.middleware.use ::Rack::OAuth2::Server, config.oauth
+class ActionController::Base
+  helper ::Rack::OAuth2::Rails::Helpers
+  include ::Rack::OAuth2::Rails::Helpers
+  extend ::Rack::OAuth2::Rails::Filters
+end

data/test/admin/api_test.rb

@@ -0,0 +1,228 @@
+require "test/setup"
+
+class AdminApiTest < Test::Unit::TestCase
+  module Helpers
+    def should_fail_authentication
+      should "respond with status 401 (Unauthorized)" do
+        assert_equal 401, last_response.status
+      end
+    end
+
+    def should_forbid_access
+      should "respond with status 403 (Forbidden)" do
+        assert_equal 403, last_response.status
+      end
+    end
+  end
+  extend Helpers
+
+
+  def without_scope
+    token = Server.token_for("Superman", client.id, "nobody")
+    header "Authorization", "OAuth #{token}"
+  end
+
+  def with_scope
+    token = Server.token_for("Superman", client.id, "oauth-admin")
+    header "Authorization", "OAuth #{token}"
+  end
+
+  def json
+    JSON.parse(last_response.body)
+  end
+
+
+  context "force SSL" do
+    setup do
+      Server::Admin.force_ssl = true
+      with_scope
+    end
+
+    context "HTTP request" do
+      setup { get "/oauth/admin/api/clients" }
+
+      should "redirect to HTTPS" do
+        assert_equal 302, last_response.status
+        assert_equal "https://example.org/oauth/admin/api/clients", last_response.location
+      end
+    end
+
+    context "HTTPS request" do
+      setup { get "https://example.org/oauth/admin/api/clients" }
+
+      should "serve request" do
+        assert_equal 200, last_response.status
+        assert Array === json["list"]
+      end
+    end
+
+    teardown { Server::Admin.force_ssl = false }
+  end
+
+
+  # -- /oauth/admin/api/clients
+
+  context "all clients" do
+    context "without authentication" do
+      setup { get "/oauth/admin/api/clients" }
+      should_fail_authentication
+    end
+
+    context "without scope" do
+      setup { without_scope ; get "/oauth/admin/api/clients" }
+      should_forbid_access
+    end
+
+    context "proper request" do
+      setup { with_scope ; get "/oauth/admin/api/clients" }
+      should "return OK" do
+        assert_equal 200, last_response.status
+      end
+      should "return JSON document" do
+        assert_equal "application/json", last_response.content_type.split(";").first
+      end
+      should "return list of clients" do
+        assert Array === json["list"]
+      end
+      should "return known scope" do
+        assert_equal %w{read write}, json["scope"]
+      end
+    end
+
+    context "client list" do
+      setup do
+        with_scope
+        get "/oauth/admin/api/clients"
+        @first = json["list"].first
+      end
+
+      should "provide client identifier" do
+        assert_equal client.id.to_s, @first["id"]
+      end
+      should "provide client secret" do
+        assert_equal client.secret, @first["secret"]
+      end
+      should "provide redirect URI" do
+        assert_equal client.redirect_uri, @first["redirectUri"]
+      end
+      should "provide display name" do
+        assert_equal client.display_name, @first["displayName"]
+      end
+      should "provide site URL" do
+        assert_equal client.link, @first["link"]
+      end
+      should "provide image URL" do
+        assert_equal client.image_url, @first["imageUrl"]
+      end
+      should "provide created timestamp" do
+        assert_equal client.created_at.to_i, @first["created"]
+      end
+      should "provide link to client resource"do
+        assert_equal ["/oauth/admin/api/client", client.id].join("/"), @first["url"]
+      end
+      should "provide link to revoke resource"do
+        assert_equal ["/oauth/admin/api/client", client.id, "revoke"].join("/"), @first["revoke"]
+      end
+      should "provide scope for client" do
+        assert_equal %w{oauth-admin read write}, @first["scope"]
+      end
+      should "tell if not revoked" do
+        assert @first["revoked"].nil?
+      end
+    end
+
+    context "revoked client" do
+      setup do
+        client.revoke!
+        with_scope
+        get "/oauth/admin/api/clients"
+        @first = json["list"].first
+      end
+
+      should "provide revoked timestamp" do
+        assert_equal client.revoked.to_i, @first["revoked"]
+      end
+    end
+
+    context "tokens" do
+      setup do
+        tokens = []
+        1.upto(10).map do |days|
+          Timecop.travel -days*86400 do
+            tokens << Server.token_for("Superman#{days}", client.id)
+          end
+        end
+        # Revoke one token today (within past 7 days), one 10 days ago (beyond)
+        Timecop.travel -7 * 86400 do
+          Server.get_access_token(tokens[0]).revoke!
+        end
+        Server.get_access_token(tokens[1]).revoke!
+        with_scope ; get "/oauth/admin/api/clients"
+      end
+
+      should "return total number of tokens" do
+        assert_equal 11, json["tokens"]["total"]
+      end
+      should "return number of tokens created past week" do
+        assert_equal 7, json["tokens"]["week"]
+      end
+      should "return number of revoked token past week" do
+        assert_equal 1, json["tokens"]["revoked"]
+      end
+    end
+  end
+
+
+  # -- /oauth/admin/api/client/:id
+
+  context "single client" do
+    context "without authentication" do
+      setup { get "/oauth/admin/api/client/#{client.id}" }
+      should_fail_authentication
+    end
+
+    context "without scope" do
+      setup { without_scope ; get "/oauth/admin/api/client/#{client.id}" }
+      should_forbid_access
+    end
+
+    context "with scope" do
+      setup { with_scope ; get "/oauth/admin/api/client/#{client.id}" }
+
+      should "return OK" do
+        assert_equal 200, last_response.status
+      end
+      should "return JSON document" do
+        assert_equal "application/json", last_response.content_type.split(";").first
+      end
+      should "provide client identifier" do
+        assert_equal client.id.to_s, json["id"]
+      end
+      should "provide client secret" do
+        assert_equal client.secret, json["secret"]
+      end
+      should "provide redirect URI" do
+        assert_equal client.redirect_uri, json["redirectUri"]
+      end
+      should "provide display name" do
+        assert_equal client.display_name, json["displayName"]
+      end
+      should "provide site URL" do
+        assert_equal client.link, json["link"]
+      end
+      should "provide image URL" do
+        assert_equal client.image_url, json["imageUrl"]
+      end
+      should "provide created timestamp" do
+        assert_equal client.created_at.to_i, json["created"]
+      end
+      should "provide link to client resource"do
+        assert_equal ["/oauth/admin/api/client", client.id].join("/"), json["url"]
+      end
+      should "provide link to revoke resource"do
+        assert_equal ["/oauth/admin/api/client", client.id, "revoke"].join("/"), json["revoke"]
+      end
+    end
+  end
+
+end