# This module covers Brightbox's partial implementation of OAuth 2.0 # and enables fog clients to implement several authentictication strategies # # @see http://tools.ietf.org/html/draft-ietf-oauth-v2-10 # module Fog::Brightbox::OAuth2 # This builds the simplest form of requesting an access token # based on the arguments passed in # # @param [Fog::Connection] connection # @param [CredentialSet] credentials # # @return [Excon::Response] def request_access_token(connection, credentials) token_strategy = credentials.best_grant_strategy header_content = "#{credentials.client_id}:#{credentials.client_secret}" encoded_credentials = Base64.encode64(header_content).chomp connection.request({ :path => "/token", :expects => 200, :headers => { 'Authorization' => "Basic #{encoded_credentials}", 'Content-Type' => 'application/json' }, :method => 'POST', :body => Fog::JSON.encode(token_strategy.authorization_body_data) }) end # Encapsulates credentials required to request access tokens from the # Brightbox authorisation servers # # @todo Interface to update certain credentials (after password change) # class CredentialSet attr_reader :client_id, :client_secret, :username, :password attr_reader :access_token, :refresh_token # # @param [String] client_id # @param [String] client_secret # @param [Hash] options # @option options [String] :username # @option options [String] :password # def initialize(client_id, client_secret, options = {}) @client_id = client_id @client_secret = client_secret @username = options[:username] @password = options[:password] @access_token = options[:access_token] @refresh_token = options[:refresh_token] end # Returns true if user details are available # @return [Boolean] def user_details? !!(@username && @password) end # Is an access token available for these credentials? def access_token? !!@access_token end # Is a refresh token available for these credentials? def refresh_token? !!@refresh_token end # Updates the credentials with newer tokens def update_tokens(access_token, refresh_token = nil) @access_token = access_token @refresh_token = refresh_token end # Based on available credentials returns the best strategy # # @todo Add a means to dictate which should or shouldn't be used # def best_grant_strategy if refresh_token? RefreshTokenStrategy.new(self) elsif user_details? UserCredentialsStrategy.new(self) else ClientCredentialsStrategy.new(self) end end end # This strategy class is the basis for OAuth2 grant types # # @abstract Need to implement {#authorization_body_data} to return a # Hash matching the expected parameter form for the OAuth request # # @todo Strategies should be able to validate if credentials are suitable # so just client credentials cannot be used with user strategies # class GrantTypeStrategy def initialize(credentials) @credentials = credentials end def authorization_body_data raise "Not implemented" end end # This implements client based authentication/authorization # based on the existing trust relationship using the `none` # grant type. # class ClientCredentialsStrategy < GrantTypeStrategy def authorization_body_data { "grant_type" => "none", "client_id" => @credentials.client_id } end end # This passes user details through so the returned token # carries the privileges of the user not account limited # by the client # class UserCredentialsStrategy < GrantTypeStrategy def authorization_body_data { "grant_type" => "password", "client_id" => @credentials.client_id, "username" => @credentials.username, "password" => @credentials.password } end end # This strategy attempts to use a refresh_token gained during an earlier # request to reuse the credentials given originally # class RefreshTokenStrategy < GrantTypeStrategy def authorization_body_data { "grant_type" => "refresh_token", "client_id" => @credentials.client_id, "refresh_token" => @credentials.refresh_token } end end private # This updates the current credentials if passed a valid response # # @param [CredentialSet] credentials Credentials to update # @param [Excon::Response] response Response object to parse value from # def update_credentials_from_response(credentials, response) response_data = Fog::JSON.decode(response.body) credentials.update_tokens(response_data["access_token"], response_data["refresh_token"]) end end