warden-oauth2-strategies 0.0.2

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 9e885487f2c3e237d8a7cffa9020ea86671d015e
+  data.tar.gz: 9b6d3b51466a0861cf876fa606d407fd9fd2da18
+SHA512:
+  metadata.gz: f3fd02b16da09b9454a707f3d8843e969d907239f824caa136892c80734e63ac37b20befd927c4b5b6985fa87ca0dfcaca25228bd5c8672c8d57c3bbe743b69d
+  data.tar.gz: 4a1ddb4c062dec57fbb06ea3e3a7d8da582baba7063d267bef97d2e404f0fa35b07d1ff07955d73a612bc21065e9fb55d46503c0c95d92ee8a5a8475eaa538f5

data/.gitignore

@@ -0,0 +1,18 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp
+.idea/

data/.rspec

@@ -0,0 +1 @@
+--colour

data/.travis.yml

@@ -0,0 +1,7 @@
+rvm:
+  - 1.9.3
+  - 1.9.2
+  - 1.8.7
+  - jruby
+  - rbx
+script: "bundle exec rake"

data/Gemfile

@@ -0,0 +1,13 @@
+source 'http://rubygems.org'
+
+# Specify your gem's dependencies in warden-oauth2.gemspec
+gemspec
+
+group :development, :test do
+  gem 'guard'
+  gem 'guard-rspec'
+  gem 'guard-bundler'
+  gem 'rb-fsevent'
+  gem 'growl'
+  gem 'pry'
+end

data/Guardfile

@@ -0,0 +1,11 @@
+guard 'rspec', :version => 2 do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
+end
+
+
+guard 'bundler' do
+  watch('Gemfile')
+  watch(/^.+\.gemspec/)
+end

data/README.md

@@ -0,0 +1,196 @@
+# Warden::OAuth2 [![CI Status](https://secure.travis-ci.org/opperator/warden-oauth2.png)](http://travis-ci.org/opperator/warden-oauth2)
+
+This is a fork of [original project](https://github.com/opperator/warden-oauth2) which is actually maintained.
+This library provides a robust set of authorization strategies for
+Warden meant to be used to implement an OAuth 2.0 (targeting RFC6749)
+provider.
+
+## Usage
+
+### Grape API Example
+
+```ruby
+require 'grape'
+require 'warden-oauth2'
+
+class MyAPI < Grape::API
+  use Warden::Manager do |config|
+    strategies.add :bearer, Warden::OAuth2::Strategies::Bearer
+    strategies.add :client_credentials, Warden::OAuth2::Strategies::ClientCredentials
+    strategies.add :resource_owner_password_credentials, Warden::OAuth2::Strategies::ResourceOwnerPasswordCredentials
+    strategies.add :public, Warden::OAuth2::Strategies::Public
+
+    config.default_strategies :bearer, :client_credentials, :resource_owner_password_credentials, :public
+    config.failure_app Warden::OAuth2::FailureApp
+  end
+
+  helpers do
+    def warden; env['warden'] end
+  end
+
+  resources :hamburgers do
+    before do
+      warden.authenticate! scope: :hamburgers
+    end
+  end
+end
+```
+
+## Configuration
+
+You can configure Warden::OAuth2 like so:
+
+```ruby
+Warden::OAuth2.configure do |config|
+  config.some_option = some_value
+end
+```
+
+### Configurable Options
+
+* **client_credentials_model:** A client application class used for client credentials authentication. See **Models** below.
+  Defaults to `ClientCredentialsApplication`.
+* **resource_owner_password_credentials_model:** A client application class used for resource owner password authentication. See **Models** below.
+  Defaults to `ResourceOwnerPasswordCredentialsApplication`.
+* **token_model:** An access token class. See **Models** below. Defaults
+  to `AccessToken`.
+
+## Models
+
+You will need to supply data models to back up the persistent facets of
+your OAuth 2.0 implementation. Below are examples of the interfaces that
+each require.
+
+### Client Credentials Application
+
+```ruby
+class ClientCredentialsApplication
+  # REQUIRED
+  def self.locate(client_id, client_secret = nil)
+    # Should return a client application matching the client_id
+    # provided, but should ONLY match client_secret if it is
+    # provided.
+  end
+
+  # OPTIONAL
+  def scope?(scope)
+    # True if the client should be able to access the scope passed
+    # (usually a symbol) without having an access token.
+  end
+end
+```
+
+### Resource Owner Password Credentials Application
+
+```ruby
+class ResourceOwnerPasswordCredentialsApplication
+  # REQUIRED
+  def self.locate(client_id, client_secret = nil)
+    # Should return a client application matching the client_id
+    # provided, but should ONLY match client_secret if it is
+    # provided.
+  end
+  #REQUIRED
+  def valid?(options={})
+    # Use options[:username] and options[:password] to check
+    # that specified credentials are valid
+  end
+
+  # OPTIONAL
+  def scope?(scope)
+    # True if the client should be able to access the scope passed
+    # (usually a symbol) without having an access token.
+  end
+end
+```
+
+### Access Token
+
+```ruby
+class AccessToken
+  # REQUIRED
+  def self.locate(token_string)
+    # Should return an access token matching the string provided.
+    # Note that you MAY include expired access tokens in the result
+    # of this method so long as you implement an instance #expired?
+    # method.
+  end
+
+  # OPTIONAL
+  def expired?
+    # True if the access token has reached its expiration.
+  end
+
+  # OPTIONAL
+  def scope?(scope)
+    # True if the scope passed in (usually a symbol) has been authorized
+    # for this access token.
+  end
+end
+```
+
+## Strategies
+
+### Bearer
+
+This strategy authenticates by trying to find an access token that is
+supplied according to the OAuth 2.0 Bearer Token specification
+([draft 8][oauth2-bearer]). It does this by first extracting the access
+token in string form and then calling the `.locate` method on your
+access token model (see **Configuration** above).
+
+Token-based strategies will also fail if they are expired or lack
+sufficient scope. See **Models** above.
+
+**User:** The Warden user is set to the client application returned by
+`.locate`.
+
+### Client credentials
+
+This strategy authenticates an OAuth 2.0 client application directly for
+endpoints that don't require a specific user. You might use this
+strategy when you want to create an API for client statistics or if you
+wish to rate limit based on a client application even for publicly
+accessible endpoints.
+
+**User:** The Warden user is set to the access token returned by `.locate`.
+
+### Resource Owner Password Credential
+
+This strategy creates an access token for a user with matching credentials.
+Use `.valid?` on the client application to determine if user credentials are correct.
+
+**User:** The Warden user is set to the access token returned by `.locate`.
+
+### Public
+
+This strategy succeeds by default and only fails if the authentication
+scope is set and is something other than `:public`.
+
+**User:** The Warden user is set to `nil`.
+
+[oauth2]: http://tools.ietf.org/html/draft-ietf-oauth-v2-22
+[oauth2-bearer]: http://tools.ietf.org/html/draft-ietf-oauth-v2-bearer-08
+
+## License
+The MIT License
+
+Copyright (c) 2014 AirService Pty Ltd. http://www.airservice.com
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,8 @@
+#!/usr/bin/env rake
+require "bundler/gem_tasks"
+
+require 'rspec/core/rake_task'
+desc "Run specs."
+RSpec::Core::RakeTask.new
+
+task :default => :spec

data/lib/warden/oauth2/error_app.rb

@@ -0,0 +1,23 @@
+require 'warden-oauth2'
+
+module Warden
+  module OAuth2
+    class ErrorApp
+      def self.call(env)
+        new.call(env)
+      end
+
+      def call(env)
+        warden = env['warden']
+        strategy = warden.winning_strategy
+        status = strategy.respond_to?(:error_status) ? strategy.error_status : 401
+        error_description = strategy.respond_to?(:error_description) ? strategy.error_description : ''
+        headers = {'Content-Type' => 'application/json'}
+        headers['X-Accepted-OAuth-Scopes'] = (strategy.scope || :public).to_s
+        body = %Q{"error":"#{strategy.message}", "error_description":"#{error_description}"}
+
+        Rack::Response.new(body, status, headers).finish
+      end
+    end
+  end
+end

data/lib/warden/oauth2/failure_app.rb

@@ -0,0 +1,22 @@
+module Warden
+  module OAuth2
+    class FailureApp
+      def self.call(env)
+        new.call(env)
+      end
+
+      def call(env)
+        warden = env['warden']
+        strategy = warden.winning_strategy
+
+        body = '{"error":"' + strategy.message.to_s + '"}'
+        status = strategy.error_status rescue 401
+        headers = {'Content-Type' => 'application/json'}
+
+        headers['X-Accepted-OAuth-Scopes'] = (strategy.scope || :public).to_s
+
+        [status, headers, [body]]
+      end
+    end
+  end
+end

data/lib/warden/oauth2/strategies/base.rb

@@ -0,0 +1,17 @@
+require 'warden-oauth2'
+
+module Warden
+  module OAuth2
+    module Strategies
+      class Base < Warden::Strategies::Base
+        def store?
+          false
+        end
+
+        def error_status
+          400
+        end
+      end
+    end
+  end
+end

data/lib/warden/oauth2/strategies/bearer.rb

@@ -0,0 +1,30 @@
+require 'warden-oauth2'
+
+module Warden
+  module OAuth2
+    module Strategies
+      class Bearer < Token
+        def valid?
+          !!token_string
+        end
+
+        def token_string
+          token_string_from_header || token_string_from_request_params
+        end
+
+        def token_string_from_header
+          Rack::Auth::AbstractRequest::AUTHORIZATION_KEYS.each do |key|
+            if env.key?(key) && token_string = env[key][/^Bearer (.*)/, 1]
+              return token_string
+            end
+          end
+          nil
+        end
+
+        def token_string_from_request_params
+          params[:access_token]
+        end
+      end
+    end
+  end
+end

data/lib/warden/oauth2/strategies/client.rb

@@ -0,0 +1,57 @@
+require 'warden-oauth2'
+require 'base64'
+
+module Warden
+  module OAuth2
+    module Strategies
+      class Client < Base
+        attr_reader :client, :client_id, :client_secret, :error_description
+
+        def authenticate!
+          @client = client_from_http_basic || client_from_request_params
+
+          if self.client
+            fail "invalid_scope" and return if scope && client.respond_to?(:scope) && !client.scope?(scope)
+            client_authenticated
+          else
+            fail "invalid_client"
+          end
+        end
+
+        def client_from_http_basic
+          return nil unless (env.keys & Rack::Auth::AbstractRequest::AUTHORIZATION_KEYS).any?
+          @client_id, @client_secret = *Rack::Auth::Basic::Request.new(env).credentials
+          model.locate(self.client_id, self.client_secret)
+        end
+
+        def client_from_request_params
+          @client_id, @client_secret = params['client_id'], params['client_secret']
+          return nil unless self.client_id
+          model.locate(@client_id, @client_secret)
+        end
+
+        def public_client?
+          client && !client_secret
+        end
+
+        def error_status
+          case message
+            when "invalid_client" then 401
+            when "invalid_scope" then 403
+            else 400
+          end
+        end
+
+        protected
+        attr_writer :error_description
+        def model
+          raise 'Model should be defined in a child strategy'
+        end
+
+        def client_authenticated
+          success! self.client
+        end
+      end
+    end
+  end
+end

data/lib/warden/oauth2/strategies/client_credentials.rb

@@ -0,0 +1,16 @@
+require 'warden-oauth2'
+
+module Warden
+  module OAuth2
+    module Strategies
+      class ClientCredentials < Client
+        def model
+          Warden::OAuth2.config.client_credentials_model
+        end
+        def valid?
+          params['grant_type'] == 'client_credentials'
+        end
+      end
+    end
+  end
+end

data/lib/warden/oauth2/strategies/public.rb

@@ -0,0 +1,21 @@
+require 'warden-oauth2'
+
+module Warden
+  module OAuth2
+    module Strategies
+      class Public < Base
+        def authenticate!
+          if scope && scope.to_sym != :public
+            fail! "invalid_scope" and return
+          end
+
+          success! nil
+        end
+
+        def error_status
+          401
+        end
+      end
+    end
+  end
+end

data/lib/warden/oauth2/strategies/resource_owner_password_credentials.rb

@@ -0,0 +1,28 @@
+require 'warden-oauth2'
+
+module Warden
+  module OAuth2
+    module Strategies
+      class ResourceOwnerPasswordCredentials< Client
+        def valid?
+          params['grant_type'] == 'password'
+        end
+
+        protected
+        def model
+          Warden::OAuth2.config.resource_owner_password_credentials_model
+        end
+
+        def client_authenticated
+          if params['username'] && params['password']
+            valid_client = client.valid?(username: params['username'], password: params['password'])
+            valid_client ? super : fail("invalid_client")
+          else
+            fail "invalid_request"
+            self.error_description = "username or password are not provided"
+          end
+        end
+      end
+    end
+  end
+end

data/lib/warden/oauth2/strategies/token.rb

@@ -0,0 +1,40 @@
+require 'warden-oauth2'
+
+module Warden
+  module OAuth2
+    module Strategies
+      class Token < Base
+        def valid?
+          !!token_string
+        end
+
+        def authenticate!
+          if token
+            fail! "invalid_token" and return if token.respond_to?(:expired?) && token.expired?
+            fail! "invalid_scope" and return if scope && token.respond_to?(:scope?) && !token.scope?(scope)
+            success! token
+          else
+            fail! "invalid_request" and return unless token
+          end
+        end
+
+        def token
+          Warden::OAuth2.config.token_model.locate(token_string)
+        end
+
+        def token_string
+          raise NotImplementedError
+        end
+
+        def error_status
+          case message
+            when "invalid_token" then 401
+            when "invalid_scope" then 403
+            when "invalid_request" then 400
+            else 400
+          end
+        end
+      end
+    end
+  end
+end

data/lib/warden/oauth2/version.rb

@@ -0,0 +1,5 @@
+module Warden
+  module OAuth2
+    VERSION = "0.0.2"
+  end
+end

data/lib/warden/oauth2.rb

@@ -0,0 +1,35 @@
+require 'warden'
+require 'warden/oauth2/version'
+
+module Warden
+  module OAuth2
+    class Configuration
+      attr_accessor :client_credentials_model, :resource_owner_password_credentials_model, :token_model
+
+      def initialize
+        self.client_credentials_model = ClientCredentialsApplication if defined?(ClientCredentialsApplication)
+        self.resource_owner_password_credentials_model = ResourceOwnerPasswordCredentialsApplication if defined?(ResourceOwnerPasswordCredentialsApplication)
+        self.token_model = AccessToken if defined?(AccessToken)
+      end
+    end
+
+    def self.config
+      @@config ||= Configuration.new
+    end
+
+    def self.configure
+      yield config
+    end
+
+    autoload :FailureApp, 'warden/oauth2/failure_app'
+    module Strategies
+      autoload :Base,   'warden/oauth2/strategies/base'
+      autoload :Public, 'warden/oauth2/strategies/public'
+      autoload :Token,  'warden/oauth2/strategies/token'
+      autoload :Client, 'warden/oauth2/strategies/client'
+      autoload :ClientCredentials, 'warden/oauth2/strategies/client_credentials'
+      autoload :ResourceOwnerPasswordCredentials, 'warden/oauth2/strategies/resource_owner_password_credentials'
+      autoload :Bearer, 'warden/oauth2/strategies/bearer'
+    end
+  end
+end

data/lib/warden-oauth2.rb

@@ -0,0 +1 @@
+require 'warden/oauth2'

data/spec/spec_helper.rb

@@ -0,0 +1,12 @@
+require 'rubygems'
+require 'bundler'
+Bundler.setup :default, :test
+
+require 'rspec'
+require 'rack/test'
+
+require 'warden-oauth2'
+
+RSpec.configure do |config|
+  config.include Rack::Test::Methods
+end

data/spec/warden/oauth2/failure_app_spec.rb

@@ -0,0 +1,30 @@
+require 'spec_helper'
+
+describe Warden::OAuth2::FailureApp do
+  let(:app){ subject }
+  let(:warden){ double(:winning_strategy => @strategy || strategy) }
+  let(:strategy){ double(:message => 'invalid_request') }
+
+  context 'with all info' do
+    before do
+      @strategy = double(:error_status => 502, :message => 'custom', :scope => 'random')
+      get '/unauthenticated', {}, 'warden' => warden
+    end
+
+    it 'should set the status from error_status if there is one' do
+      last_response.status.should == 502
+    end
+
+    it 'should set the message from the message' do
+      last_response.body.should == '{"error":"custom"}'
+    end
+
+    it 'should set the content type' do
+      last_response.headers['Content-Type'].should == 'application/json'
+    end
+
+    it 'should set the X-OAuth-Accepted-Scopes header' do
+      last_response.headers['X-Accepted-OAuth-Scopes'].should == 'random'
+    end
+  end
+end

data/spec/warden/oauth2/strategies/bearer_spec.rb

@@ -0,0 +1,32 @@
+require 'spec_helper'
+
+describe Warden::OAuth2::Strategies::Bearer do
+  let(:strategy){ Warden::OAuth2::Strategies::Bearer }
+  let(:token_model){ double(:AccessToken) }
+  subject{ strategy.new({'rack.input' => {}}) }
+
+  before do
+    Warden::OAuth2.config.token_model = token_model
+  end
+
+  describe '#token_string_from_header' do
+    Rack::Auth::AbstractRequest::AUTHORIZATION_KEYS.each do |key|
+      it "should recognize a bearer token in the #{key} environment key" do
+        subject.stub(:env).and_return({key => "Bearer abc"})
+        subject.token_string_from_header.should == 'abc'
+      end
+    end
+
+    it 'should ignore a non-bearer authorization header' do
+      subject.stub(:env).and_return('HTTP_AUTHORIZATION' => 'Other do do do')
+      subject.token_string_from_header.should be_nil
+    end
+  end
+
+  describe '#token_string_from_request_params' do
+    it 'should pull the :access_token param' do
+      subject.stub(:params).and_return(:access_token => 'abc')
+      subject.token_string_from_request_params.should == 'abc'
+    end
+  end
+end

data/spec/warden/oauth2/strategies/client_credentials_spec.rb

@@ -0,0 +1,28 @@
+require 'spec_helper'
+
+describe Warden::OAuth2::Strategies::ClientCredentials do
+  let(:strategy){ described_class }
+  let(:client_credentials_model){ double(:ClientApplication) }
+  subject{ strategy.new({'rack.input' => {}}) }
+
+  before do
+    Warden::OAuth2.config.client_credentials_model = client_credentials_model
+  end
+
+  describe '#valid?' do
+    it 'returns false if the grant type is not specified' do
+      subject.stub(:params).and_return({})
+      subject.should_not be_valid
+    end
+
+    it 'returns true if the grant type is client_credentials' do
+      subject.stub(:params).and_return({'grant_type' => 'client_credentials'})
+      subject.should be_valid
+    end
+
+    it 'returns false if the grant type is not client_credentials' do
+      subject.stub(:params).and_return({'grant_type' => 'whatever'})
+      subject.should_not be_valid
+    end
+  end
+end

data/spec/warden/oauth2/strategies/client_spec.rb

@@ -0,0 +1,73 @@
+require 'spec_helper'
+
+describe Warden::OAuth2::Strategies::Client do
+  let(:strategy){ Warden::OAuth2::Strategies::Client }
+  let(:client_model){ double(:ClientApplication) }
+  subject{ strategy.new({'rack.input' => {}}) }
+
+  before do
+    subject.stub(:model).and_return(client_model)
+  end
+
+  describe '#client_from_http_basic' do
+    it 'should call through to the client application class locate method' do
+      subject.stub(:env).and_return({
+        'HTTP_AUTHORIZATION' => "Basic #{Base64.encode64('id:secret')}"
+      })
+
+      client_model.should_receive(:locate).with('id','secret').and_return("booya")
+      subject.client_from_http_basic.should == "booya"
+    end
+
+    it 'should return nil if no HTTP Basic credentials are provided' do
+      subject.client_from_http_basic.should be_nil
+    end
+  end
+
+  describe '#client_from_request_params' do
+    it 'should be nil if no client_id is provided' do
+      subject.stub(:params).and_return({'client_secret' => 'abc'})
+      subject.client_from_request_params.should be_nil
+    end
+
+    it 'should call through to locate if a client_id is present' do
+      subject.stub(:params).and_return({'client_id' => 'abc'})
+      client_model.should_receive(:locate).with('abc',nil)
+      subject.client_from_request_params
+    end
+
+    it 'should call through to locate if a client_id and secret are present' do
+      subject.stub(:params).and_return({'client_id' => 'abc', 'client_secret' => 'def'})
+      client_model.should_receive(:locate).with('abc','def')
+      subject.client_from_request_params
+    end
+  end
+
+  describe '#authorize!' do
+    it 'should succeed if a client is around' do
+      client_instance = double
+      client_model.stub(:locate).and_return(client_instance)
+      subject.stub(:params).and_return('client_id' => 'awesome')
+      subject._run!
+      subject.user.should == client_instance
+      subject.result.should == :success
+    end
+
+    it 'should fail if no credentials are passed' do
+      subject._run!
+      subject.result.should == :failure
+      subject.message.should == "invalid_client"
+      subject.error_status.should == 401
+    end
+
+    it 'should fail if insufficient scope is provided' do
+      client_model.stub(:locate).and_return(double(:respond_to? => true, :scope? => false))
+      subject.stub(:params).and_return('client_id' => 'abc')
+      subject.stub(:scope).and_return(:confidential_client)
+      subject._run!
+      subject.result.should == :failure
+      subject.message.should == "invalid_scope"
+      subject.error_status.should == 403
+    end
+  end
+end

data/spec/warden/oauth2/strategies/public_spec.rb

@@ -0,0 +1,26 @@
+require 'spec_helper'
+
+describe Warden::OAuth2::Strategies::Public do
+  let(:env){ {'PATH_INFO' => '/resource'} }
+  let(:strategy){ Warden::OAuth2::Strategies::Public }
+  subject{ strategy.new(env) }
+
+  it 'should succeed with no scope' do
+    subject._run!
+    subject.result.should == :success
+  end
+
+  it 'should succeed with a :public scope' do
+    subject.stub(:scope).and_return(:public)
+    subject._run!
+    subject.result.should == :success
+  end
+
+  it 'should fail and halt with another scope' do
+    subject.stub(:scope).and_return(:user)
+    subject._run!
+    subject.should be_halted
+    subject.message.should == "invalid_scope"
+    subject.result.should == :failure
+  end
+end

data/spec/warden/oauth2/strategies/resource_owner_password_credentials_spec.rb

@@ -0,0 +1,64 @@
+require 'spec_helper'
+
+describe Warden::OAuth2::Strategies::ResourceOwnerPasswordCredentials do
+  let(:strategy){ described_class }
+  let(:client_model){ double(:ClientApplication) }
+  subject{ strategy.new({'rack.input' => {}}) }
+
+  before do
+    Warden::OAuth2.config.resource_owner_password_credentials_model = client_model
+  end
+
+  describe '#valid?' do
+    it 'returns false if the grant type is not specified' do
+      subject.stub(:params).and_return({})
+      subject.should_not be_valid
+    end
+
+    it 'returns true if the grant type is password' do
+      subject.stub(:params).and_return({'grant_type' => 'password'})
+      subject.should be_valid
+    end
+
+    it 'returns false if the grant type is not password' do
+      subject.stub(:params).and_return({'grant_type' => 'whatever'})
+      subject.should_not be_valid
+    end
+  end
+
+  describe '#authorize!' do
+    it 'should fail if a client is around but not valid' do
+      client_instance = double(:client_instance, valid?: false)
+      client_model.stub(locate: client_instance)
+      subject.stub(:params).and_return('client_id' => 'awesome', 'username' => 'someuser', 'password' => 'incorrect')
+      subject._run!
+      subject.message.should == "invalid_client"
+      subject.error_status.should == 401
+    end
+    it 'should fail if username and password are not provided' do
+      client_model.stub(locate: double)
+      subject.stub(:params).and_return('client_id' => 'awesome')
+      subject._run!
+      subject.message.should == "invalid_request"
+      subject.error_status.should == 400
+      subject.error_description.should_not be_empty
+    end
+    it 'should pass username and password to validation check' do
+      client_instance = double(:client_instance)
+      client_model.stub(locate: client_instance)
+      subject.stub(:params).and_return('client_id' => 'awesome', 'username' => 'username', 'password' => 'password')
+
+      client_instance.should_receive(:valid?).with(username: 'username', password: 'password').and_return(false)
+
+      subject._run!
+    end
+    it 'should succeed if a client is around and valid' do
+      client_instance = double(:client_instance, valid?: true)
+      client_model.stub(locate: client_instance)
+      subject.stub(:params).and_return('client_id' => 'awesome', 'username' => 'username', 'password' => 'correct')
+      subject._run!
+      subject.user.should == client_instance
+      subject.result.should == :success
+    end
+  end
+end

data/spec/warden/oauth2/strategies/token_spec.rb

@@ -0,0 +1,56 @@
+require 'spec_helper'
+
+describe Warden::OAuth2::Strategies::Token do
+  let(:token_model){ double }
+  let(:strategy){ Warden::OAuth2::Strategies::Token }
+  subject{ strategy.new({'rack.input' => {}}) }
+
+  before do
+    Warden::OAuth2.config.token_model = token_model
+  end
+
+  describe '#token' do
+    it 'should call through to .locate on the token_class with the token string' do
+      token_model.should_receive(:locate).with('abc')
+      subject.stub(:token_string).and_return('abc')
+      subject.token
+    end
+  end
+
+  describe '#authenticate!' do
+    it 'should be successful if there is a token' do
+      token_instance = double
+      subject.stub(:token).and_return(token_instance)
+      subject._run!
+      subject.result.should == :success
+      subject.user.should == token_instance
+    end
+
+    it 'should fail if there is not a token' do
+      subject.stub(token: nil)
+      subject._run!
+      subject.result.should == :failure
+      subject.message.should == "invalid_request"
+      subject.error_status.should == 400
+    end
+
+    it 'should fail if the access token is expired' do
+      token_instance = double(:respond_to? => true, :expired? => true, :scope? => true)
+      subject.stub(:token).and_return(token_instance)
+      subject._run!
+      subject.result.should == :failure
+      subject.message.should == "invalid_token"
+      subject.error_status.should == 401
+    end
+
+    it 'should fail if there is insufficient scope' do
+      token_instance = double(:respond_to? => true, :expired? => false, :scope? => false)
+      subject.stub(:token).and_return(token_instance)
+      subject.stub(:scope).and_return(:secret)
+      subject._run!
+      subject.result.should == :failure
+      subject.message.should == "invalid_scope"
+      subject.error_status.should == 403
+    end
+  end
+end

data/warden-oauth2.gemspec

@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+require File.expand_path('../lib/warden/oauth2/version', __FILE__)
+
+Gem::Specification.new do |gem|
+  gem.authors       = ["AirService"]
+  gem.email         = ["devs@airservice.co"]
+  gem.description   = %q{OAuth 2.0 strategies for Warden}
+  gem.summary       = %q{OAuth 2.0 strategies for Warden}
+  gem.homepage      = "https://github.com/airservice/warden-oauth2"
+
+  gem.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  gem.files         = `git ls-files`.split("\n")
+  gem.test_files    = `git ls-files -- {test,spec,features}/*`.split("\n")
+  gem.name          = "warden-oauth2-strategies"
+  gem.require_paths = ["lib"]
+  gem.version       = Warden::OAuth2::VERSION
+
+  gem.add_dependency 'warden'
+  gem.add_development_dependency 'rake'
+  gem.add_development_dependency 'rspec'
+  gem.add_development_dependency 'rack-test'
+end

metadata

@@ -0,0 +1,135 @@
+--- !ruby/object:Gem::Specification
+name: warden-oauth2-strategies
+version: !ruby/object:Gem::Version
+  version: 0.0.2
+platform: ruby
+authors:
+- AirService
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-03-18 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: warden
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rack-test
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: OAuth 2.0 strategies for Warden
+email:
+- devs@airservice.co
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- .gitignore
+- .rspec
+- .travis.yml
+- Gemfile
+- Guardfile
+- README.md
+- Rakefile
+- lib/warden-oauth2.rb
+- lib/warden/oauth2.rb
+- lib/warden/oauth2/error_app.rb
+- lib/warden/oauth2/failure_app.rb
+- lib/warden/oauth2/strategies/base.rb
+- lib/warden/oauth2/strategies/bearer.rb
+- lib/warden/oauth2/strategies/client.rb
+- lib/warden/oauth2/strategies/client_credentials.rb
+- lib/warden/oauth2/strategies/public.rb
+- lib/warden/oauth2/strategies/resource_owner_password_credentials.rb
+- lib/warden/oauth2/strategies/token.rb
+- lib/warden/oauth2/version.rb
+- spec/spec_helper.rb
+- spec/warden/oauth2/failure_app_spec.rb
+- spec/warden/oauth2/strategies/bearer_spec.rb
+- spec/warden/oauth2/strategies/client_credentials_spec.rb
+- spec/warden/oauth2/strategies/client_spec.rb
+- spec/warden/oauth2/strategies/public_spec.rb
+- spec/warden/oauth2/strategies/resource_owner_password_credentials_spec.rb
+- spec/warden/oauth2/strategies/token_spec.rb
+- warden-oauth2.gemspec
+homepage: https://github.com/airservice/warden-oauth2
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.1
+signing_key: 
+specification_version: 4
+summary: OAuth 2.0 strategies for Warden
+test_files:
+- spec/spec_helper.rb
+- spec/warden/oauth2/failure_app_spec.rb
+- spec/warden/oauth2/strategies/bearer_spec.rb
+- spec/warden/oauth2/strategies/client_credentials_spec.rb
+- spec/warden/oauth2/strategies/client_spec.rb
+- spec/warden/oauth2/strategies/public_spec.rb
+- spec/warden/oauth2/strategies/resource_owner_password_credentials_spec.rb
+- spec/warden/oauth2/strategies/token_spec.rb