warden-github 0.12.1 → 0.13.0

data/.gitignore

@@ -6,3 +6,5 @@ Gemfile.lock
 vendor/gems
 *.gem
 .rbenv-version
+bin/
+tags

data/Gemfile

@@ -1,9 +1,7 @@
 source :rubygems
 
-gem 'ruby-debug19',     :platforms => :ruby_19
-gem 'ruby-debug',       :platforms => :ruby_18
+gem 'debugger',   :platforms => :ruby_19, :require => false
+gem 'ruby-debug', :platforms => :ruby_18, :require => false
 
 # Specify your gem's dependencies in warden-github.gemspec
 gemspec
-
-# vim:ft=ruby

data/README.md

@@ -1,11 +1,11 @@
 warden-github
 =============
 
-A [warden](http://github.com/hassox/warden) strategy that provides oauth authentication to github.  Find out more about enabling your application at github's [oauth quickstart](http://gist.github.com/419219).
+A [warden](/hassox/warden) strategy that provides oauth authentication to github.  Find out more about enabling your application at github's [oauth quickstart](http://gist.github.com/419219).
 
-To test it out on localhost set your callback url to 'http://localhost:9292/auth/github/callback'
+To test it out on localhost set your callback url to 'http://localhost:9292/'.
 
-There's an example app in [spec/app.rb](/atmos/warden-github/blob/master/spec/app.rb).
+There's an example app in [example/app.rb](/atmos/warden-github/blob/master/example/app.rb).
 
 Using with GitHub Enterprise
 ============================
@@ -14,6 +14,5 @@ Export the `OCTOKIT_API_ENDPOINT` environmental variable to the URL of your ente
 
 The Extension in Action
 =======================
-    % gem install bundler
-    % bundle install
-    % GITHUB_CLIENT_ID="<from GH>" GITHUB_CLIENT_SECRET="<from GH>" bundle exec rackup -p9393 -E none
+
+    % GITHUB_CLIENT_ID="<from GH>" GITHUB_CLIENT_SECRET="<from GH>" bundle exec rackup

data/config.ru

@@ -8,13 +8,13 @@ rescue LoadError
   Bundler.setup
 end
 
-Bundler.require(:runtime, :test)
-require "ruby-debug"
+begin
+  require 'debugger'
+rescue LoadError
+  require 'ruby-debug'
+end
 
-$LOAD_PATH << File.dirname(__FILE__) + '/lib'
-require File.expand_path(File.join(File.dirname(__FILE__), 'lib', 'warden-github'))
-require File.expand_path(File.join(File.dirname(__FILE__), 'spec', 'app'))
+require 'warden/github'
+require File.expand_path('../example/app', __FILE__)
 
 run Example.app
-
-# vim:ft=ruby

data/example/app.rb

@@ -0,0 +1,98 @@
+require 'sinatra'
+require 'yajl/json_gem'
+
+module Example
+  class App < Sinatra::Base
+    enable  :sessions
+    enable  :raise_errors
+    disable :show_exceptions
+
+    use Warden::Manager do |manager|
+      manager.default_strategies :github
+      manager.failure_app = BadAuthentication
+
+      manager[:github_client_id]    = ENV['GITHUB_CLIENT_ID']     || 'ee9aa24b64d82c21535a'
+      manager[:github_secret]       = ENV['GITHUB_CLIENT_SECRET'] || 'ed8ff0c54067aefb808dab1ca265865405d08d6f'
+
+      manager[:github_scopes]       = ''
+    end
+
+    helpers do
+      def ensure_authenticated
+        unless env['warden'].authenticate!
+          throw(:warden)
+        end
+      end
+
+      def user
+        env['warden'].user
+      end
+    end
+
+    get '/' do
+      if user
+        <<-EOS
+        <h2>Hello #{user.name}!</h2>
+        <ul>
+          <li><a href='/profile'>View profile</a></li>
+          <li><a href='/logout'>Sign out</a></li>
+        </ul>
+        EOS
+      else
+        <<-EOS
+        <h2>Hello stranger!</h2>
+        <ul>
+          <li><a href='/profile'>View profile</a> (implicit sign in)</li>
+          <li><a href='/login'>Sign in</a> (explicit sign in)</li>
+        </ul>
+        EOS
+      end
+    end
+
+    get '/profile' do
+      ensure_authenticated
+      <<-EOS
+      <h2>Hello #{user.name}!</h2>
+      <ul>
+        <li><a href='/'>Home</a></li>
+        <li><a href='/logout'>Sign out</a></li>
+      </ul>
+      <h3>Profile</h3>
+      <h4>Rails Org Member: #{user.organization_member?('rails')}.</h4>
+      <h4>Publicized Rails Org Member: #{user.organization_public_member?('rails')}.</h4>
+      <h4>Rails Committer Team Member: #{user.team_member?(632)}.</h4>
+      EOS
+    end
+
+    get '/login' do
+      ensure_authenticated
+      redirect '/'
+    end
+
+    get '/logout' do
+      env['warden'].logout
+      redirect '/'
+    end
+
+    get '/debug' do
+      content_type :text
+      env['rack.session'].to_yaml
+    end
+  end
+
+  class BadAuthentication < Sinatra::Base
+    get '/unauthenticated' do
+      status 403
+      <<-EOS
+      <h2>Unable to authenticate, sorry bud.</h2>
+      <p>#{env['warden'].message}</p>
+      EOS
+    end
+  end
+
+  def self.app
+    @app ||= Rack::Builder.new do
+      run App
+    end
+  end
+end

data/lib/warden/github.rb

@@ -0,0 +1,10 @@
+require 'warden'
+
+require 'warden/github/user'
+require 'warden/github/oauth'
+require 'warden/github/version'
+require 'warden/github/strategy'
+require 'warden/github/hook'
+
+require 'yajl'
+require 'securerandom'

data/lib/warden/github/hook.rb

@@ -0,0 +1,6 @@
+Warden::Manager.after_authentication do |user, auth, opts|
+  scope = opts.fetch(:scope)
+  strategy = auth.winning_strategies[scope]
+
+  strategy.finalize_flow!  if strategy.class == Warden::GitHub::Strategy
+end

data/lib/warden/github/oauth.rb

@@ -0,0 +1,97 @@
+require 'uri'
+require 'net/https'
+
+module Warden
+  module GitHub
+    class OAuth
+      BadVerificationCode = Class.new(StandardError)
+
+      attr_reader :code,
+                  :state,
+                  :scope,
+                  :client_secret,
+                  :client_id,
+                  :redirect_uri
+
+      def initialize(attrs={})
+        @code = attrs[:code]
+        @state = attrs[:state]
+        @scope = attrs[:scope]
+        @client_id = attrs.fetch(:client_id)
+        @client_secret = attrs.fetch(:client_secret)
+        @redirect_uri = attrs.fetch(:redirect_uri)
+      end
+
+      def authorize_uri
+        @authorize_uri ||= build_uri(
+          '/login/oauth/authorize',
+          :client_id => client_id,
+          :redirect_uri => redirect_uri,
+          :scope => scope,
+          :state => state)
+      end
+
+      def access_token
+        @access_token ||= load_access_token
+      end
+
+      private
+
+      def load_access_token
+        http = Net::HTTP.new(access_token_uri.host, access_token_uri.port)
+        http.use_ssl = access_token_uri.scheme == 'https'
+
+        request = Net::HTTP::Post.new(access_token_uri.path)
+        request.body = access_token_uri.query
+
+        response = http.request(request)
+        decode_params(response.body).fetch('access_token')
+      rescue IndexError
+        fail BadVerificationCode, 'Bad verification code'
+      end
+
+      def access_token_uri
+        @access_token_uri ||= build_uri(
+          '/login/oauth/access_token',
+          :client_id => client_id,
+          :client_secret => client_secret,
+          :code => code)
+      end
+
+      def build_uri(path, params)
+        URI(Octokit::Configuration::DEFAULT_WEB_ENDPOINT).tap do |uri|
+          uri.path = path
+          uri.query = encode_params(normalize_params(params))
+        end
+      end
+
+      def normalize_params(params)
+        params.reject { |_,v| v.nil? || v == '' }
+      end
+
+      def encode_params(params)
+        if URI.respond_to? :encode_www_form
+          return URI.encode_www_form(params)
+        end
+
+        params.map { |*kv|
+          kv.flatten.map { |i|
+            URI.encode(i.to_s, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))
+          }.join('=')
+        }.join('&')
+      end
+
+      def decode_params(params)
+        if URI.respond_to? :decode_www_form
+          return Hash[URI.decode_www_form(params)]
+        end
+
+        Hash[
+          params.split('&').map { |i|
+            i.split('=').map { |i| URI.decode(i) }
+          }
+        ]
+      end
+    end
+  end
+end

data/lib/warden/github/strategy.rb

@@ -0,0 +1,122 @@
+module Warden
+  module GitHub
+    class Strategy < ::Warden::Strategies::Base
+      SESSION_KEY = 'warden.github.oauth'
+
+      # The first time this is called, the flow gets set up, stored in the
+      # session and the user gets redirected to GitHub to perform the login.
+      #
+      # When this is called a second time, the flow gets evaluated, the code
+      # gets exchanged for a token, and the user gets loaded and passed to
+      # warden.
+      #
+      # If anything goes wrong, the flow is aborted and reset, and warden gets
+      # notified about the failure.
+      #
+      # Once the user gets set, warden invokes the after_authentication callback
+      # that handles the redirect to the originally requested url and cleans up
+      # the flow. Note that this is done in a hook because setting a user
+      # (through #success!) and redirecting (through #redirect!) inside the
+      # #authenticate! method are mutual exclusive.
+      def authenticate!
+        if in_flow?
+          continue_flow!
+        else
+          begin_flow!
+        end
+      end
+
+      def in_flow?
+        !custom_session.empty? &&
+          params['state'] &&
+          (params['code'] || params['error'])
+      end
+
+      # This is called by the after_authentication hook which is invoked after
+      # invoking #success!.
+      def finalize_flow!
+        redirect!(custom_session['return_to'])
+        teardown_flow
+        throw(:warden)
+      end
+
+      private
+
+      def begin_flow!
+        custom_session['state'] = state
+        custom_session['return_to'] = request.url
+        redirect!(oauth.authorize_uri.to_s)
+        throw(:warden)
+      end
+
+      def continue_flow!
+        validate_flow!
+        success!(load_user)
+      end
+
+      def abort_flow!(message)
+        teardown_flow
+        fail!(message)
+        throw(:warden)
+      end
+
+      def teardown_flow
+        session.delete(SESSION_KEY)
+      end
+
+      def validate_flow!
+        if params['state'] != state
+          abort_flow!('State mismatch')
+        elsif (error = params['error']) && !error.blank?
+          abort_flow!(error.gsub(/_/, ' '))
+        end
+      end
+
+      def custom_session
+        session[SESSION_KEY] ||= {}
+      end
+
+      def load_user
+        User.load(oauth.access_token)
+      rescue OAuth::BadVerificationCode => e
+        abort_flow!(e.message)
+      end
+
+      def state
+        @state ||= custom_session['state'] || SecureRandom.hex(20)
+      end
+
+      def oauth
+        @oauth ||= OAuth.new(
+          :code          => params['code'],
+          :state         => state,
+          :scope         => env['warden'].config[:github_scopes],
+          :client_id     => env['warden'].config[:github_client_id],
+          :client_secret => env['warden'].config[:github_secret],
+          :redirect_uri  => redirect_uri)
+      end
+
+      def redirect_uri
+        absolute_uri(request, callback_path, env['HTTP_X_FORWARDED_PROTO'])
+      end
+
+      def callback_path
+        env['warden'].config[:github_callback_url] || request.path
+      end
+
+      def absolute_uri(request, suffix = nil, proto = "http")
+        port_part = case request.scheme
+                    when "http"
+                      request.port == 80 ? "" : ":#{request.port}"
+                    when "https"
+                      request.port == 443 ? "" : ":#{request.port}"
+                    end
+
+        proto = "http" if proto.nil?
+        "#{proto}://#{request.host}#{port_part}#{suffix}"
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:github, Warden::GitHub::Strategy)

data/lib/warden/github/user.rb

@@ -0,0 +1,81 @@
+require 'octokit'
+
+module Warden
+  module GitHub
+    class User < Struct.new(:attribs, :token)
+      ATTRIBUTES = %w[id login name gravatar_id email company].freeze
+
+      def self.load(access_token)
+        api = Octokit::Client.new(:oauth_token => access_token)
+        data = Hash[api.user.to_hash.select { |k,_| ATTRIBUTES.include?(k) }]
+
+        new(data, access_token)
+      end
+
+      def marshal_dump
+        Hash[members.zip(values)]
+      end
+
+      def marshal_load(hash)
+        hash.each { |k,v| send("#{k}=", v) }
+      end
+
+      ATTRIBUTES.each do |name|
+        define_method(name) { attribs[name] }
+      end
+
+      # See if the user is a public member of the named organization
+      #
+      # name - the organization name
+      #
+      # Returns: true if the user is publicized as an org member
+      def organization_public_member?(org_name)
+        api.organization_public_member?(org_name, login)
+      end
+
+      # Backwards compatibility:
+      alias_method :publicized_organization_member?, :organization_public_member?
+
+      # See if the user is a member of the named organization
+      #
+      # name - the organization name
+      #
+      # Returns: true if the user has access, false otherwise
+      def organization_member?(org_name)
+        api.organization_member?(org_name, login)
+      end
+
+      # See if the user is a member of the team id
+      #
+      # team_id - the team's id
+      #
+      # Returns: true if the user has access, false otherwise
+      def team_member?(team_id)
+        # TODO: Use next line as method body once pengwynn/octokit#206 is public.
+        # api.team_member?(team_id, login)
+
+        # If the user is able to query the team member
+        # A user is only able to query for team members if they're a member.
+        # Thus, if querying does succeed, they will be in the list and checking
+        # the list won't be necessary.
+        api.team_members(team_id)
+        true
+      rescue Octokit::NotFound
+        false
+      end
+
+      # Access the GitHub API from Octokit
+      #
+      # Octokit is a robust client library for the GitHub API
+      # https://github.com/pengwynn/octokit
+      #
+      # Returns a cached client object for easy use
+      def api
+        # Don't cache instance for now because of a ruby marshaling bug present
+        # in MRI 1.9.3 (Bug #7627) that causes instance variables to be
+        # marshaled even when explicitly specifying #marshal_dump.
+        Octokit::Client.new(:login => login, :oauth_token => token)
+      end
+    end
+  end
+end