♻️ SASL XOAUTH2: inherit, move, test, document

* ♻️  Inherit from Authenticator base class
* 🚚 Move to SASL module and rename file
* ✅ Add new tests
* 📖 Add many many docs
* ✨ Add `initial_response? => true`

Author: nevans

lib/net/imap/authenticators/xoauth2.rb

@@ -33,7 +33,7 @@ class IMAP
     # +PLAIN+::       See PlainAuthenticator.
     #                 Login using clear-text username and password.
     #
-    # +XOAUTH2+::     See XOauth2Authenticator.
+    # +XOAUTH2+::     See XOAuth2Authenticator.
     #                 Login using a username and OAuth2 access token.
     #                 Non-standard and obsoleted by +OAUTHBEARER+, but widely
     #                 supported.
@@ -63,12 +63,13 @@ module SASL
       autoload :Authenticator,            "#{sasl_dir}/authenticator"
       autoload :Authenticators,           "#{sasl_dir}/authenticators"
       autoload :PlainAuthenticator,       "#{sasl_dir}/plain_authenticator"
+      autoload :XOAuth2Authenticator,     "#{sasl_dir}/xoauth2_authenticator"
 
       # Authenticators are all lazy loaded
       def self.authenticators
         @authenticators ||= SASL::Authenticators.new.tap do |registry|
           registry.add_authenticator "Plain"
-          registry.add_authenticator "XOauth2",    XOauth2Authenticator
+          registry.add_authenticator "XOAuth2"
           registry.add_authenticator "Login",      LoginAuthenticator     # deprecated
           registry.add_authenticator "Cram-MD5",   CramMD5Authenticator   # deprecated
           registry.add_authenticator "Digest-MD5", DigestMD5Authenticator # deprecated
@@ -109,4 +110,3 @@ def initial_response?(mechanism)
 require_relative "authenticators/login"
 require_relative "authenticators/cram_md5"
 require_relative "authenticators/digest_md5"
-require_relative "authenticators/xoauth2"

lib/net/imap/sasl.rb

@@ -28,7 +28,7 @@ def authenticators; @authenticators.dup end
     # The authenticator session must respond to +#process+, receiving the server's
     # challenge and returning the client's response.
     #
-    # See PlainAuthenticator, XOauth2Authenticator, and DigestMD5Authenticator for
+    # See PlainAuthenticator, XOAuth2Authenticator, and DigestMD5Authenticator for
     # examples.
     def add_authenticator(mechanism, authenticator = nil, warn_overwrite: true)
       mechanism = mechanism.to_str

lib/net/imap/sasl/authenticators.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+require_relative "authenticator"
+
+module Net
+  class IMAP < Protocol
+    module SASL
+
+      # Authenticator for the "+XOAUTH2+" SASL mechanism.  This mechanism was
+      # originally created for GMail and widely adopted by hosted email providers.
+      # +XOAUTH2+ has been documented by
+      # Google[https://developers.google.com/gmail/imap/xoauth2-protocol],
+      # Microsoft[https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth],
+      # and Yahoo[https://senders.yahooinc.com/developer/documentation].
+      #
+      # This mechanism requires an OAuth2 +access_token+ which has been authorized
+      # with the appropriate OAuth2 scopes to access IMAP.  These scopes are not
+      # standardized---consult each email service provider's documentation.
+      #
+      # Although this mechanism was never standardized and has been obsoleted by
+      # "+OAUTHBEARER+", it is still very widely supported.
+      class XOAuth2Authenticator < Authenticator
+
+        ##
+        # :call-seq:
+        #   new(username,  oauth2_token,  **)       -> auth_ctx
+        #   new(authcid:,  oauth2_token:, **)       -> auth_ctx
+        #   new(**) {|propname, auth_ctx| propval } -> auth_ctx
+        #
+        # Creates an Authenticator for the "+XOAUTH2+" SASL mechanism, as
+        # specified by
+        # Google[https://developers.google.com/gmail/imap/xoauth2-protocol], and
+        # also documented by
+        # Microsoft[https://learn.microsoft.com/en-us/exchange/client-developer/legacy-protocols/how-to-authenticate-an-imap-pop-smtp-application-by-using-oauth],
+        # and Yahoo[https://senders.yahooinc.com/developer/documentation].  To use
+        # this, see Net::IMAP#authenticate or your client's authentication
+        # method.
+        #
+        # === Properties
+        #
+        # Both properties may be sent either as positional arguments or as
+        # keyword arguments.  If the same property is sent as both a positional
+        # arg and a keyword arg, an ArgumentError is raised.
+        #
+        # * #authcid, #username --- the identity whose #password is used.
+        #   Only <tt>:authcid</tt> will be sent to callbacks.
+        # * #oauth2_token --- An OAuth2.0 access token assigned to #username,
+        #   authorized to access IMAP.
+        #
+        # See the documentation for each property method for more details.
+        #
+        # See Net::IMAP::SASL::Authenticator@Properties for a detailed description
+        # of property assignment, lazy loading, and callbacks.
+        #
+        def initialize(username_arg = nil, oauth2_token_arg = nil,
+                       username: nil, authcid: nil, oauth2_token: nil,
+                       **, &callback)
+          super
+          propinit :authcid, authcid, username, username_arg,     required: true
+          propinit :oauth2_token, oauth2_token, oauth2_token_arg, required: true
+        end
+
+        # :call-seq:
+        #   initial_response? -> true
+        #
+        # +PLAIN+ can send an initial client response.
+        def initial_response?; true end
+
+        ##
+        # method: authcid
+        # :call-seq: authcid -> string
+        #
+        # Authentication identity: the identity that matches the #oauth2_token.
+        #
+        # RFC-2831[https://tools.ietf.org/html/rfc2831] uses the term +username+.
+        # "Authentication identity" is the generic term used by
+        # RFC-4422[https://tools.ietf.org/html/rfc4422].
+        # RFC-4616[https://tools.ietf.org/html/rfc4616] and many later RFCs
+        # abbreviate to +authcid+.  #username is available as an alias for
+        # #authcid, but only <tt>:authcid</tt> will be sent to callbacks.
+        property :authcid
+        alias username authcid
+
+        ##
+        # method: oauth2_token
+        # :call-seq: oauth2_token -> string
+        #
+        # An OAuth2 access token for #authcid, which has been authorized with
+        # appropriate OAuth2 scopes to access IMAP.
+        property :oauth2_token
+
+        # Returns the XOAUTH2 formatted response, which combines the +authcid+
+        # with the +oauth2_token+.
+        #
+        # [Note]
+        #   For simplicity, the same response is always generated, even when the
+        #   server sends error data in its challenge.  However, the \SASL
+        #   specification requires an empty response to acknowledge the error.
+        #   This has little effect in practice, any response to the error results
+        #   in an tagged error response: generally +NO+, but potentially +BAD+.
+        def process(data)
+          @last_server_response = data
+          "user=%s\1auth=Bearer %s\1\1" % [username, oauth2_token]
+        end
+
+        # Stores the most recent server "challenge".  When authentication fails,
+        # this may hold information about the failure reason, as JSON.
+        attr_reader :last_server_response
+
+      end
+    end
+
+    XOauth2Authenticator = SASL::XOAuth2Authenticator # :nodoc:
+    deprecate_constant :XOauth2Authenticator
+
+  end
+end

lib/net/imap/sasl/xoauth2_authenticator.rb

@@ -47,16 +47,45 @@ def test_plain_no_null_chars
   def xoauth2(...) Net::IMAP::SASL.authenticator("XOAUTH2", ...) end
 
   def test_xoauth2_authenticator_matches_mechanism
-    assert_kind_of(Net::IMAP::XOauth2Authenticator, xoauth2("user", "pass"))
+    assert_kind_of(Net::IMAP::SASL::XOAuth2Authenticator, xoauth2("user", "tok"))
   end
 
-  def test_xoauth2
+  def test_xoauth2_response
     assert_equal(
       "user=username\1auth=Bearer token\1\1",
       xoauth2("username", "token").process(nil)
     )
   end
 
+  def test_xoauth2_kwargs
+    assert_equal(
+      "user=arg\1auth=Bearer kwarg\1\1",
+      xoauth2("arg", oauth2_token: "kwarg").process(nil)
+    )
+    assert_equal(
+      "user=authc\1auth=Bearer kwarg\1\1",
+      xoauth2(authcid: "authc", oauth2_token: "kwarg").process(nil)
+    )
+    assert_equal(
+      "user=user\1auth=Bearer kwarg\1\1",
+      xoauth2(username: "user", oauth2_token: "kwarg").process(nil)
+    )
+  end
+
+  def test_xoauth2_callbacks
+    assert_equal(
+      "user=authc ID\1auth=Bearer lazy\1\1",
+      xoauth2(authcid: "authc ID", oauth2_token: proc{ "lazy" }).process(nil)
+    )
+    assert_equal(
+      "user=u\1auth=Bearer t\1\1",
+      xoauth2 {|prop, authctx|
+        assert_kind_of(Net::IMAP::SASL::XOAuth2Authenticator, authctx)
+        case prop when :authcid then "u" when :oauth2_token then "t" end
+      }.process(nil)
+    )
+  end
+
   def test_xoauth2_supports_initial_response
     assert xoauth2("foo", "bar").initial_response?
     assert Net::IMAP::SASL.initial_response?(xoauth2("foo", "bar"))