warden_oauth_provider 1.0.0

data/.gitignore

@@ -0,0 +1,4 @@
+*.gem
+.bundle
+Gemfile.lock
+pkg/*

data/Gemfile

@@ -0,0 +1,4 @@
+source "http://rubygems.org"
+
+# Specify your gem's dependencies in warden_oauth_provider.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (C) 2011 by Edwin Vlieg, Berend van Bruijnsvoort and BlueTools B.V.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.textile

@@ -0,0 +1,58 @@
+h1. WardenOauthProvider
+
+This gem allows you to start an oauth server and allow your customers to consume your application through oauth. It is based on Warden and can easily be added to the Warden authentication stack. It uses the "oauth gem":http://rubygems.org/gems/oauth to implement the oauth protocol for Warden.
+
+h2. Installation
+
+# Add this gem to your Gemfile
+  <pre>gem 'warden_oauth_provider'</pre>
+# Run the generator to create a migration for the required database tables
+  <pre>$ rails generate warden_oauth_provider
+$ rake db:migrate</pre>
+# Make sure you have installed the Warden gem for your authentication
+# Add the @:oauth_provider@ strategy to your Warden middleware and define the oauth paths
+  <pre>YourApp::Application.config.middleware.use Warden::Manager do |manager|
+    manager.default_strategies :oauth_provider, :http_basic, :password
+    manager.failure_app              = SessionsController
+    manager.oauth_request_token_path = "/oauth/request_token"
+    manager.oauth_access_token_path  = "/oauth/access_token"
+  end</pre>
+
+At this point your application responds on the @/oauth/request_token@ and @/oauth/access_token@ paths and provides request and access tokens based on the request. Before you can make any requests, you should create a client application.
+
+h3. Creating client applications
+
+Before a client can connect to the oauth provider, it should be registered as a client application in the database. This can be done through a Rails console or you can create a dedicated controller for this purpose:
+
+<pre>WardenOauthProvider::ClientApplication.create!(:name => "My client application", :url => "http://myapplication.com", :callback_url => "http://myapplication.com/callback")</pre>
+
+The @:callback_url@ is an optional argument, because the callback url can also be provided when requesting a request token. The @key@ and @secret@ attributes are automatically filled and are the consumer key and consumer secret that should be used to connect to the oauth server.
+
+h3. Creating the authorize interface
+
+During the oauth process, the end-user is redirected to your application to authorize the oauth request. You should write create controller, views and routes for this. You use the @WardenOauthProvider::TokenStrategy@ to verify and authorize the token:
+
+<pre>def authorize
+  @token = WardenOauthProvider::Token::Request.find_by_token(params[:oauth_token])
+  if request.post? 
+    if params[:authorize] == "1"  # Something based on your user interface
+      if warden.authenticate?(:oauth_token, :scope => :oauth_token)
+        redirect_to env['oauth.redirect_url']
+      else
+        # Render a template to display failure
+        render :authorize_failure 
+      end
+    else
+      # Render a template to display failure
+      render :authorize_failure
+    end
+  end
+end</pre>
+
+h2. Reporting bugs
+
+Please report bugs in this gem via Github Issues: https://github.com/bluetools/warden_oauth_provider/issues
+
+h2. License
+
+This code is free to use under the terms of the MIT license and stated in the LICENSE file.

data/Rakefile

@@ -0,0 +1,2 @@
+require 'bundler'
+Bundler::GemHelper.install_tasks

data/lib/generators/warden_oauth_provider/install/install_generator.rb

@@ -0,0 +1,27 @@
+require 'rails/generators'
+require 'rails/generators/migration'
+
+class WardenOauthProvider::InstallGenerator < Rails::Generators::Base
+  
+  include Rails::Generators::Migration
+  
+  def self.source_root
+     @source_root ||= File.join(File.dirname(__FILE__), 'templates')
+  end
+  
+  def self.next_migration_number(dirname) #:nodoc:
+    next_migration_number = current_migration_number(dirname) + 1
+    if ActiveRecord::Base.timestamped_migrations
+      [Time.now.utc.strftime("%Y%m%d%H%M%S"), "%.14d" % next_migration_number].max
+    else
+      "%.3d" % next_migration_number
+    end
+  end
+  
+  def create_migration_file
+    if defined?(ActiveRecord)
+      migration_template 'migration.rb', 'db/migrate/create_oauth_tables.rb'
+    end
+  end
+  
+end

data/lib/generators/warden_oauth_provider/install/templates/migration.rb

@@ -0,0 +1,45 @@
+class CreateOauthTables < ActiveRecord::Migration
+  def self.up
+    create_table :client_applications do |t|
+      t.string :name
+      t.string :url
+      t.string :support_url
+      t.string :callback_url
+      t.string :key, :limit => 20
+      t.string :secret, :limit => 40
+      t.integer :user_id
+
+      t.timestamps
+    end
+    add_index :client_applications, :key, :unique => true
+    
+    create_table :oauth_tokens do |t|
+      t.integer :user_id
+      t.string :type, :limit => 20
+      t.integer :client_application_id
+      t.string :token, :limit => 20
+      t.string :secret, :limit => 40
+      t.string :callback_url
+      t.string :verifier, :limit => 20
+      t.timestamp :authorized_at, :invalidated_at
+      t.timestamps
+    end
+    add_index :oauth_tokens, :token, :unique => true
+    
+    create_table :oauth_nonces do |t|
+      t.string :nonce
+      t.integer :timestamp
+
+      t.timestamps
+    end
+    add_index :oauth_nonces,[:nonce, :timestamp], :unique => true
+    
+  end
+
+  def self.down
+    drop_table :client_applications
+    drop_table :oauth_tokens
+    drop_table :oauth_nonces
+  end
+
+end

data/lib/warden_oauth_provider.rb

@@ -0,0 +1,19 @@
+require 'warden'
+require 'oauth'
+require 'active_record'
+
+require 'warden_oauth_provider/provider_strategy'
+require 'warden_oauth_provider/token_strategy'
+
+require 'warden_oauth_provider/token/base'
+require 'warden_oauth_provider/token/request'
+require 'warden_oauth_provider/token/access'
+
+Warden::Strategies.add(:oauth_provider, WardenOauthProvider::ProviderStrategy)
+Warden::Strategies.add(:oauth_token, WardenOauthProvider::TokenStrategy)
+
+module Warden
+  class Config
+    hash_accessor :oauth_request_token_path, :oauth_access_token_path
+  end
+end

data/lib/warden_oauth_provider/client_application.rb

@@ -0,0 +1,21 @@
+module WardenOauthProvider
+  class ClientApplication < ActiveRecord::Base
+
+    has_many :tokens, :class_name => "WardenOauthProvider::Token::Base", :dependent => :destroy
+    has_many :access_tokens
+    has_many :oauth_tokens
+    
+    validates_presence_of :name, :url, :key, :secret
+    validates_uniqueness_of :key
+
+    before_validation(:on => :create) do
+      self.key    = OAuth::Helper.generate_key(40)[0,40]
+      self.secret = OAuth::Helper.generate_key(40)[0,40]
+    end
+
+    validates_format_of :url, :with => /\Ahttp(s?):\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i
+    validates_format_of :support_url, :with => /\Ahttp(s?):\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i, :allow_blank=>true
+    validates_format_of :callback_url, :with => /\Ahttp(s?):\/\/(\w+:{0,1}\w*@)?(\S+)(:[0-9]+)?(\/|\/([\w#!:.?+=&%@!\-\/]))?/i, :allow_blank=>true
+    
+  end
+end

data/lib/warden_oauth_provider/nonce.rb

@@ -0,0 +1,15 @@
+module WardenOauthProvider
+  class Nonce < ActiveRecord::Base
+    set_table_name "oauth_nonces"
+    
+    validates_presence_of :nonce, :timestamp
+    validates_uniqueness_of :nonce, :scope => :timestamp
+  
+    # Remembers a nonce and it's associated timestamp. It returns false if it has already been used
+    def self.remember(nonce, timestamp)
+      Nonce.create!(:nonce => nonce, :timestamp => timestamp)
+    rescue ActiveRecord::RecordInvalid
+      false
+    end
+  end
+end

data/lib/warden_oauth_provider/provider_strategy.rb

@@ -0,0 +1,82 @@
+require 'oauth/request_proxy/rack_request'
+require 'oauth/signature/plaintext'
+
+require 'warden_oauth_provider/client_application'
+require 'warden_oauth_provider/nonce'
+
+module WardenOauthProvider
+  
+  class ProviderStrategy < Warden::Strategies::Base
+    include OAuth::Helper
+    
+    def valid?
+      oauth_request.oauth_parameters.length > 1
+    end
+    
+    def authenticate!
+      fail!("Invalid signature or nonce") and return if !verify_request
+
+      case request.path
+      when warden.config.oauth_request_token_path
+        
+        # Return a request token for the client application
+        request_token = WardenOauthProvider::Token::Request.create!(:client_application => client_application, :callback_url => oauth_request.oauth_callback)
+        custom! [200, {}, ["oauth_token=#{escape(request_token.token)}&oauth_token_secret=#{escape(request_token.secret)}&oauth_callback_confirmed=true"]]
+      when warden.config.oauth_access_token_path
+
+        # Exchange the access token and return it
+        if access_token = (current_token && current_token.exchange!(oauth_request.oauth_verifier))
+          custom! [200, {}, ["oauth_token=#{escape(access_token.token)}&oauth_token_secret=#{escape(access_token.secret)}"]]
+        else
+          fail!("Request token exchange failed")
+        end
+      else
+        
+        # Validate the current token as an access token and allow access to the resources
+        if current_token and current_token.is_a?(WardenOauthProvider::Token::Access)
+          success!(current_token.user)
+        else
+          fail!("Invalid access token")
+        end          
+      end
+    end
+    
+  private
+  
+    def request
+      @request ||= Rack::Request.new(env)
+    end
+    
+    def oauth_request
+      @oauth_request ||= OAuth::RequestProxy.proxy(request)
+    end
+    
+    # Find the signature for the current request and match it with the information in the database.
+    # Also adds the current client application and token to the environment
+    def signature
+      @signature ||= OAuth::Signature.build(oauth_request, :consumer => client_application, :token => current_token)
+    end
+    
+    # Verify the request by checking the nonce and the signature
+    def verify_request
+      WardenOauthProvider::Nonce.remember(oauth_request.nonce, oauth_request.timestamp) && signature && signature.verify
+    end
+    
+    # Returns the current token in the database, based on the token provided in the request
+    def current_token
+      return nil if oauth_request.token.nil? or client_application.nil?
+      env['oauth.token'] ||= client_application.tokens.validated.find_by_token(oauth_request.token)
+    end
+    
+    # Returns the current client application, based on the consumer key in the request
+    def client_application
+      env['oauth.client_application'] ||= WardenOauthProvider::ClientApplication.find_by_key(oauth_request.consumer_key)
+    end
+    
+    def warden
+      env['warden']
+    end
+    
+  end
+  
+end

data/lib/warden_oauth_provider/token/access.rb

@@ -0,0 +1,11 @@
+module WardenOauthProvider
+  module Token
+    class Access < Base
+      validates_presence_of :user, :secret
+    
+      before_create do
+        self.authorized_at = Time.now
+      end
+    end
+  end
+end

data/lib/warden_oauth_provider/token/base.rb

@@ -0,0 +1,32 @@
+module WardenOauthProvider
+  module Token
+    class Base < ActiveRecord::Base
+      set_table_name "oauth_tokens"
+      
+      belongs_to :client_application
+      belongs_to :user
+      
+      validates_uniqueness_of :token
+      validates_presence_of :client_application, :token
+
+      scope :validated, where("authorized_at IS NOT NULL and invalidated_at IS NULL")
+
+      before_validation(:on => :create) do
+        self.token = OAuth::Helper.generate_key(40)[0,40]
+        self.secret = OAuth::Helper.generate_key(40)[0,40]
+      end
+
+      def invalidated?
+        invalidated_at != nil
+      end
+
+      def invalidate!
+        update_attribute(:invalidated_at, Time.now)
+      end
+
+      def authorized?
+        authorized_at != nil && !invalidated?
+      end
+    end
+  end
+end

data/lib/warden_oauth_provider/token/request.rb

@@ -0,0 +1,29 @@
+module WardenOauthProvider
+  module Token
+    class Request < Base
+
+      def authorize!(user)
+        return false if authorized? or user.nil?
+        self.user          = user
+        self.authorized_at = Time.now
+        self.verifier      = OAuth::Helper.generate_key(20)[0,20]
+        self.save
+      end
+
+      def exchange!(verifier)
+        return false unless authorized?
+        return false if self.verifier != verifier
+        self::class.transaction do
+          access_token = WardenOauthProvider::Token::Access.create!(:user => user, :client_application => client_application)
+          invalidate!
+          access_token
+        end
+      end
+
+      # TODO: check what the requirements for OOB are
+      def oob?
+        self.callback_url.blank? || self.callback_url == 'oob'
+      end
+    end
+  end
+end

data/lib/warden_oauth_provider/token_strategy.rb

@@ -0,0 +1,40 @@
+module WardenOauthProvider
+  class TokenStrategy < Warden::Strategies::Base
+    
+    def valid?
+      true
+    end
+    
+    def authenticate!
+      request_token = WardenOauthProvider::Token::Request.find_by_token(request.params["oauth_token"])
+      
+      if !request_token or request_token.invalidated?
+        fail!
+      else
+        if request_token.authorize!(env['warden'].user)
+          redirect_url = URI.parse(request_token.oob? ? request_token.client_application.callback_url : request_token.callback_url)
+          redirect_url.query ||= ""
+          redirect_url.query += "&" unless redirect_url.query.blank?
+          redirect_url.query += "oauth_token=#{request_token.token}&oauth_verifier=#{request_token.verifier}"
+          env['oauth.redirect_url'] = redirect_url.to_s
+        
+          success!(env['warden'].user)
+        else
+          fail!("Token authorization failed!")
+        end
+      end
+    end
+
+    # This is just a single check for the token, don't store any result in the session
+    def store?
+      false
+    end
+    
+  private
+
+    def request
+      @request ||= Rack::Request.new(env)
+    end  
+    
+  end
+end

data/lib/warden_oauth_provider/version.rb

@@ -0,0 +1,3 @@
+module WardenOauthProvider
+  VERSION = "1.0.0"
+end

data/spec/access_token_spec.rb

@@ -0,0 +1,214 @@
+require 'spec_helper'
+
+describe "Access token" do
+
+  context "Success" do
+
+    before(:all) do
+      @user = Factory(:user)
+      @client_application = Factory.create(:client_application)
+      @request_token = Factory.create(:request_token, :client_application => @client_application)
+      @request_token.authorize!(@user)
+      
+      auth_str = oauth_header({
+        :realm => "MoneyBird",
+        :oauth_consumer_key => @client_application.key,
+        :oauth_token => @request_token.token,
+        :oauth_signature_method => "PLAINTEXT",
+        :oauth_timestamp => Time.now.to_i,
+        :oauth_nonce => Time.now.to_f,
+        :oauth_verifier => @request_token.verifier,
+        :oauth_signature => @client_application.secret + "%26" + @request_token.secret
+      })
+      
+      env = env_with_params("/oauth/access_token", {}, {
+        "HTTP_AUTHORIZATION" => auth_str
+      })
+      @response = setup_rack.call(env)
+      @oauth_response = Hash[*@response.last.first.split("&").collect { |v| v.split("=") }.flatten]
+    end
+    
+    it "should have an oauth access token" do
+      @oauth_response.keys.should include("oauth_token")
+      @oauth_response["oauth_token"].should_not be_nil
+    end
+    
+    it "should have an oauth access token secret" do
+      @oauth_response.keys.should include("oauth_token_secret")
+      @oauth_response["oauth_token_secret"].should_not be_nil
+    end
+    
+    it "should have stored an access token with the token and secret" do
+      WardenOauthProvider::Token::Access.where(:token => @oauth_response["oauth_token"], :secret => @oauth_response["oauth_token_secret"]).count.should == 1
+    end
+
+  end
+  
+  context "Success GET" do
+
+    before(:all) do
+      @user = Factory(:user)
+      @client_application = Factory.create(:client_application)
+      @request_token = Factory.create(:request_token, :client_application => @client_application)
+      @request_token.authorize!(@user)
+      
+      auth_params = {
+        :realm => "MoneyBird",
+        :oauth_consumer_key => @client_application.key,
+        :oauth_token => @request_token.token,
+        :oauth_signature_method => "PLAINTEXT",
+        :oauth_timestamp => Time.now.to_i,
+        :oauth_nonce => Time.now.to_f,
+        :oauth_verifier => @request_token.verifier,
+        :oauth_signature => @client_application.secret + "&" + @request_token.secret
+      }
+      
+      env = env_with_params("/oauth/access_token", auth_params, {})
+      @response = setup_rack.call(env)
+      @oauth_response = Hash[*@response.last.first.split("&").collect { |v| v.split("=") }.flatten]
+    end
+    
+    it "should have an oauth access token" do
+      @oauth_response.keys.should include("oauth_token")
+      @oauth_response["oauth_token"].should_not be_nil
+    end
+    
+    it "should have an oauth access token secret" do
+      @oauth_response.keys.should include("oauth_token_secret")
+      @oauth_response["oauth_token_secret"].should_not be_nil
+    end
+    
+    it "should have stored an access token with the token and secret" do
+      WardenOauthProvider::Token::Access.where(:token => @oauth_response["oauth_token"], :secret => @oauth_response["oauth_token_secret"]).count.should == 1
+    end
+
+  end
+  
+  context "Failure" do
+    
+    before(:all) do
+      @user = Factory(:user)
+      @client_application = Factory.create(:client_application)
+      @request_token = Factory.create(:request_token, :client_application => @client_application)
+      @request_token.authorize!(@user)
+    end
+    
+    it "should response with a 401 if the second request contains the same nonce" do    
+      auth_str = oauth_header({
+        :realm => "MoneyBird",
+        :oauth_consumer_key => @client_application.key,
+        :oauth_token => @request_token.token,
+        :oauth_signature_method => "PLAINTEXT",
+        :oauth_timestamp => Time.now.to_i,
+        :oauth_nonce => Time.now.to_f,
+        :oauth_verifier => @request_token.verifier,
+        :oauth_signature => @client_application.secret + "%26" + @request_token.secret
+      })
+      env1 = env_with_params("/oauth/access_token", {}, {
+        "HTTP_AUTHORIZATION" => auth_str
+      })
+      env2 = env_with_params("/oauth/access_token", {}, {
+        "HTTP_AUTHORIZATION" => auth_str
+      })
+      
+      @response1 = setup_rack.call(env1)
+      @response2 = setup_rack.call(env2)
+      @response2.first.should == 401
+    end
+    
+    it "should response with a 401 if the consumer key is invalid" do    
+      auth_str = oauth_header({
+        :realm => "MoneyBird",
+        :oauth_consumer_key => @client_application.key + "invalid",
+        :oauth_token => @request_token.token,
+        :oauth_signature_method => "PLAINTEXT",
+        :oauth_timestamp => Time.now.to_i,
+        :oauth_nonce => Time.now.to_f,
+        :oauth_verifier => @request_token.verifier,
+        :oauth_signature => @client_application.secret + "%26" + @request_token.secret
+      })
+      env = env_with_params("/oauth/access_token", {}, {
+        "HTTP_AUTHORIZATION" => auth_str
+      })
+      
+      @response = setup_rack.call(env)
+      @response.first.should == 401
+    end
+
+    it "should response with a 401 if the token is invalid" do    
+      auth_str = oauth_header({
+        :realm => "MoneyBird",
+        :oauth_consumer_key => @client_application.key,
+        :oauth_token => @request_token.token + "invalid",
+        :oauth_signature_method => "PLAINTEXT",
+        :oauth_timestamp => Time.now.to_i,
+        :oauth_nonce => Time.now.to_f,
+        :oauth_verifier => @request_token.verifier,
+        :oauth_signature => @client_application.secret + "%26" + @request_token.secret
+      })
+      env = env_with_params("/oauth/access_token", {}, {
+        "HTTP_AUTHORIZATION" => auth_str
+      })
+      
+      @response = setup_rack.call(env)
+      @response.first.should == 401
+    end
+
+    it "should response with a 401 if the verifier is invalid" do    
+      auth_str = oauth_header({
+        :realm => "MoneyBird",
+        :oauth_consumer_key => @client_application.key,
+        :oauth_token => @request_token.token,
+        :oauth_signature_method => "PLAINTEXT",
+        :oauth_timestamp => Time.now.to_i,
+        :oauth_nonce => Time.now.to_f,
+        :oauth_verifier => @request_token.verifier + "invalid",
+        :oauth_signature => @client_application.secret + "%26" + @request_token.secret
+      })
+      env = env_with_params("/oauth/access_token", {}, {
+        "HTTP_AUTHORIZATION" => auth_str
+      })
+      
+      @response = setup_rack.call(env)
+      @response.first.should == 401
+    end
+
+    it "should response with a 401 if the signature is invalid" do    
+      auth_str = oauth_header({
+        :realm => "MoneyBird",
+        :oauth_consumer_key => @client_application.key,
+        :oauth_token => @request_token.token,
+        :oauth_signature_method => "PLAINTEXT",
+        :oauth_timestamp => Time.now.to_i,
+        :oauth_nonce => Time.now.to_f,
+        :oauth_verifier => @request_token.verifier,
+        :oauth_signature => @client_application.secret + "%26" + @request_token.secret + "invalid"
+      })
+      env = env_with_params("/oauth/access_token", {}, {
+        "HTTP_AUTHORIZATION" => auth_str
+      })
+      
+      @response = setup_rack.call(env)
+      @response.first.should == 401
+    end
+
+    it "should response with a 401 if consumer key or signature are invalid" do    
+      auth_str = oauth_header({
+        :realm => "MoneyBird",
+        :oauth_consumer_key => @client_application.key + "invalid",
+        :oauth_token => @request_token.token + "invalid",
+        :oauth_signature_method => "PLAINTEXT",
+        :oauth_timestamp => Time.now.to_i,
+        :oauth_nonce => Time.now.to_f,
+        :oauth_verifier => @request_token.verifier + "invalid",
+        :oauth_signature => @client_application.secret + "%26" + @request_token.secret + "invalid"
+      })
+      
+      env = env_with_params("/oauth/access_token", {}, {
+        "HTTP_AUTHORIZATION" => auth_str
+      })
+      @response = setup_rack.call(env)
+      @response.first.should == 401
+    end
+  end  
+end