File Coverage

blib/lib/Net/OAuth2/Scheme/Mixin/Bearer.pm

Criterion	Covered	Total	%
statement	16	109	14.6
branch	0	48	0.0
condition	0	3	0.0
subroutine	6	19	31.5
pod	0	4	0.0
total	22	183	12.0

line	stmt	bran	cond	sub	pod	time	code
1	2			2		745	use warnings;
	2					2
	2					48
2	2			2		6	use strict;
	2					3
	2					55
3
4							package Net::OAuth2::Scheme::Mixin::Bearer;
5							BEGIN {
6	2			2		23	$Net::OAuth2::Scheme::Mixin::Bearer::VERSION = '0.020002_099';
7							}
8							# ABSTRACT: implement bearer token schemes
9
10	2			2		6	use Net::OAuth2::Scheme::Option::Defines;
	2					1
	2					76
11	2			2		6	use parent 'Net::OAuth2::Scheme::Mixin::Current_Secret';
	2					2
	2					10
12
13							use Net::OAuth2::Scheme::HmacUtil
14	2					1947	qw(encode_base64url decode_base64url
15							sign_binary unsign_binary
16	2			2		985	hmac_name_to_len_fn);
	2					4
17
18
19							# Bearer tokens
20							#
21
22							# IMPLEMENTATION (transport_)bearer
23							# (bearer_)header = 'Authorization';
24							# (bearer_)header_re = '^Authorization$';
25							# (bearer_)scheme = 'Bearer';
26							# (bearer_)scheme_re = '^Bearer$';
27							# (bearer_)allow_body = 1;
28							# (bearer_)allow_uri = 0;
29							# (bearer_)param = 'access_token';
30							# (bearer_)param_re = '^access_token$';
31							# (bearer_)client_uses_param = 0;
32							# SUMMARY
33							# Bearer token, handle-style
34
35
36							Default_Value bearer_token_type => 'Bearer';
37							Default_Value bearer_scheme => 'Bearer';
38							Default_Value bearer_allow_body => 1;
39							Default_Value bearer_allow_uri => 0;
40							Default_Value bearer_param => 'access_token'; #as per draft 15 of the bearer spec
41							Default_Value bearer_client_uses_param => 0;
42
43							Define_Group bearer_param_re_set => 'default',
44							qw(bearer_param_re);
45
46							sub pkg_bearer_param_re_set_default {
47	0			0	0		my __PACKAGE__ $self = shift;
48	0						my $param = $self->uses('bearer_param');
49	0						$self->install(bearer_param_re => qr(\A\Q$param\E\z));
50	0						return $self;
51							}
52
53							sub pkg_transport_bearer {
54	0			0	0		my __PACKAGE__ $self = shift;
55	0						$self->parameter_prefix(bearer_ => @_);
56	0						$self->make_alias(bearer_header => 'transport_header');
57	0						$self->make_alias(bearer_header_re => 'transport_header_re');
58	0						$self->make_alias(bearer_scheme => 'transport_auth_scheme');
59	0						$self->make_alias(bearer_scheme_re => 'transport_auth_scheme_re');
60
61	0						$self->install(token_type => $self->uses('bearer_token_type'));
62
63	0						my $allow_body = $self->uses('bearer_allow_body');
64	0						my $allow_uri = $self->uses('bearer_allow_uri');
65	0	0					my $body_or_uri =
		0
		0
66							($allow_body ? ($allow_uri ? 'dontcare' : 'body') : ($allow_uri ? 'query' : ''));
67
68	0	0					if ($self->is_client) {
69	0						$self->install( accept_needs => [] );
70	0			0			$self->install( accept_hook => sub {return ()} );
	0
71	0	0					if ($self->uses('bearer_client_uses_param')) {
72	0	0					$self->croak("bearer_client_uses_param requires bearer_allow_(body\|uri)")
73							unless $body_or_uri;
74	0						my $param_name = $self->uses('bearer_param');
75	0			0			$self->http_parameter_inserter($body_or_uri, $param_name, sub { $_[0] });
	0
76							}
77							else {
78	0						$self->http_header_inserter();
79							}
80							}
81
82	0	0					if ($self->is_resource_server) {
83	0						my $header_extractor = $self->http_header_extractor();
84
85	0	0					if ($body_or_uri) {
86
87	0						my $param_re = $self->uses('bearer_param_re');
88	0	0					$param_re = qr{$param_re}is unless ref($param_re);
89
90	0						my $param_name = $self->installed('bearer_param');
91	0	0	0				$self->croak("bearer_param_re does not match bearer_param")
92							if (defined($param_name) && $param_name !~ $param_re);
93
94	0						my $param_extractor = $self->http_parameter_extractor($body_or_uri, $param_re);
95							$self->install( psgi_extract => sub {
96	0			0			my $env = shift;
97	0						return ($header_extractor->($env), $param_extractor->($env));
98	0						});
99							}
100							else {
101	0						$self->install( psgi_extract => $header_extractor );
102							}
103							}
104							}
105
106							# IMPLEMENTATION (format_)bearer_handle
107							# SUMMARY
108							# Bearer token, handle-style
109							# REQUIRES
110							# v_id_next (v_id_is_random)
111							# v_table_insert
112
113							sub pkg_format_bearer_handle {
114	0			0	0		my __PACKAGE__ $self = shift;
115
116							# yes, we can use this for authcodes and refresh tokens
117	0						$self->install(format_no_params => 1);
118
119	0	0					if ($self->is_auth_server) {
120	0						$self->uses(v_id_suggest => 'random');
121	0						my ( $v_id_next, $vtable_insert) = $self->uses_all
122							(qw(v_id_next vtable_insert));
123
124							# Enforce requirements on v_id_next.
125							# Since, for this token format, v_ids are used directly,
126							# they MUST NOT be predictable.
127	0						$self->ensure(v_id_is_random => 1,
128							'bearer_handle tokens must use random identifiers');
129
130	0	0					my $token_type = ($self->is_access ? $self->uses('token_type') : ());
131							$self->install( token_create => sub {
132	0			0			my ($now, $expires_in, @bindings) = @_;
133	0						my $v_id = $v_id_next->();
134	0						my $error = $vtable_insert->($v_id, $expires_in + $now, $now, @bindings);
135	0	0					return ($error,
		0
136							($error ? () :
137							(encode_base64url($v_id),
138							($token_type ? (token_type => $token_type) : ()),
139							)));
140	0						});
141							}
142
143	0	0					if ($self->is_resource_server) {
144							# handle token has no @payload
145							$self->install( token_parse => sub {
146	0			0			return (decode_base64url($_[0]));
147	0						});
148							$self->install( token_finish => sub {
149	0			0			my ($v) = @_; # ($validator, @payload)
150	0	0					return ('unrecognized')
151							unless my ($expiration, $issuance, @bindings) = @$v;
152	0						return (undef, $issuance, $expiration - $issuance, @bindings);
153	0						});
154							}
155	0						return $self;
156							}
157
158
159							# IMPLEMENTATION format_bearer_signed FOR format
160							# (bearer_signed_)hmac
161							# (bearer_signed_)nonce_length [=hmac length/2]
162							# (bearer_signed_)fixed
163							# SUMMARY
164							# Bearer token, signed-assertion-style
165							# REQUIRES
166							# current_secret
167							# random
168							#
169							# Access_token value contains a key identifying a shared secret
170							# (and possibly also the authserver and the resource), a set
171							# of values specifying expiration and scope, and a HMAC value to sign
172							# everything. Only the shared secret needs to be separately
173							# communicated.
174
175							Default_Value bearer_signed_hmac => 'hmac_sha224';
176							Default_Value bearer_signed_fixed => [];
177
178							sub pkg_format_bearer_signed {
179	0			0	0		my __PACKAGE__ $self = shift;
180	0						$self->parameter_prefix(bearer_signed_ => @_);
181
182							# yes, we can use this for authcodes and refresh tokens
183	0						$self->install(format_no_params => 1);
184
185	0	0					if ($self->is_auth_server) {
186	0						my $hmac = $self->uses('bearer_signed_hmac');
187	0	0					my ($hlen,undef) = hmac_name_to_len_fn($hmac)
188							or $self->croak("unknown/unavailable hmac function: $hmac");
189	0						my $nonce_len = $self->uses(bearer_signed_nonce_length => $hlen/2);
190
191	0						$self->uses(current_secret_length => $hlen);
192	0						$self->uses(current_secret_payload => $self->uses('bearer_signed_fixed'));
193
194	0						my $secret = $self->uses('current_secret');
195	0						my $auto_rekey_check = $self->uses('current_secret_rekey_check');
196	0						my $random = $self->uses('random');
197
198	0	0					my $token_type = ($self->is_access ? $self->uses('token_type') : ());
199
200							$self->install( token_create => sub {
201	0			0			my ($now, $expires_in, @bindings) = @_;
202	0						my ($error) = $auto_rekey_check->($now);
203	0	0					return (rekey_failed => $error)
204							if $error;
205
206	0						my ($v_id, $v_secret, undef, @fixed) = @{$secret};
	0
207	0						for my $f (@fixed) {
208	0						my $given = shift @bindings;
209	0	0					return (fixed_parameter_mismatch => $f,$given)
210							if $f ne $given;
211							}
212	0						my $nonce = $random->($nonce_len);
213							return (undef,
214	0	0					encode_base64url(pack 'w/aa', $v_id,
215							sign_binary($v_secret,
216							pack('w/aww(w/a)*', $nonce,
217							$now, $expires_in,
218							@bindings),
219							hmac => $hmac,
220							extra => $v_id)),
221							($token_type ? (token_type => $token_type) : ()),
222							);
223	0						});
224							}
225	0	0					if ($self->is_resource_server) {
226							# On the resource side we cannot use 'current_secret'
227							# since token may have been created with a previous secret,
228							# so we just have to take whatever we get from the vtable
229							$self->install( token_parse => sub {
230	0			0			my ($token) = @_; # bearer token, no additional attributes
231	0						my ($v_id, $bin) = unpack 'w/aa', decode_base64url($token);
232	0						return ($v_id, $v_id, $bin)
233	0						});
234							$self->install( token_finish => sub {
235	0			0			my ($validator, $v_id, $bin) = @_;
236	0						my (undef, undef, $v_secret, @fixed) = @$validator;
237	0						my ($payload, $error) = unsign_binary($v_secret, $bin, $v_id);
238	0	0					return ($error) if $error;
239	0						my ($now, $expires_in, @bindings) = unpack 'w/xww(w/a)', $payload;
240	0						return (undef, $now, $expires_in, @fixed, @bindings);
241	0						});
242							}
243	0						return $self;
244							}
245
246
247							1;
248
249
250							__END__