actionpack 3.0.0.beta3 → 3.0.0.beta4

data/lib/action_controller/metal/http_authentication.rb

@@ -300,5 +300,163 @@ module ActionController
       end
 
     end
+
+    # Makes it dead easy to do HTTP Token authentication.
+    #
+    # Simple Token example:
+    #
+    #   class PostsController < ApplicationController
+    #     TOKEN = "secret"
+    #
+    #     before_filter :authenticate, :except => [ :index ]
+    #
+    #     def index
+    #       render :text => "Everyone can see me!"
+    #     end
+    #
+    #     def edit
+    #       render :text => "I'm only accessible if you know the password"
+    #     end
+    #
+    #     private
+    #       def authenticate
+    #         authenticate_or_request_with_http_token do |token, options|
+    #           token == TOKEN
+    #         end
+    #       end
+    #   end
+    #
+    #
+    # Here is a more advanced Token example where only Atom feeds and the XML API is protected by HTTP token authentication,
+    # the regular HTML interface is protected by a session approach:
+    #
+    #   class ApplicationController < ActionController::Base
+    #     before_filter :set_account, :authenticate
+    #
+    #     protected
+    #       def set_account
+    #         @account = Account.find_by_url_name(request.subdomains.first)
+    #       end
+    #
+    #       def authenticate
+    #         case request.format
+    #         when Mime::XML, Mime::ATOM
+    #           if user = authenticate_with_http_token { |t, o| @account.users.authenticate(t, o) }
+    #             @current_user = user
+    #           else
+    #             request_http_token_authentication
+    #           end
+    #         else
+    #           if session_authenticated?
+    #             @current_user = @account.users.find(session[:authenticated][:user_id])
+    #           else
+    #             redirect_to(login_url) and return false
+    #           end
+    #         end
+    #       end
+    #   end
+    #
+    #
+    # In your integration tests, you can do something like this:
+    #
+    #   def test_access_granted_from_xml
+    #     get(
+    #       "/notes/1.xml", nil,
+    #       :authorization => ActionController::HttpAuthentication::Token.encode_credentials(users(:dhh).token)
+    #     )
+    #
+    #     assert_equal 200, status
+    #   end
+    #
+    #
+    # On shared hosts, Apache sometimes doesn't pass authentication headers to
+    # FCGI instances. If your environment matches this description and you cannot
+    # authenticate, try this rule in your Apache setup:
+    #
+    #   RewriteRule ^(.*)$ dispatch.fcgi [E=X-HTTP_AUTHORIZATION:%{HTTP:Authorization},QSA,L]
+    module Token
+
+      extend self
+
+      module ControllerMethods
+        def authenticate_or_request_with_http_token(realm = "Application", &login_procedure)
+          authenticate_with_http_token(&login_procedure) || request_http_token_authentication(realm)
+        end
+
+        def authenticate_with_http_token(&login_procedure)
+          Token.authenticate(self, &login_procedure)
+        end
+
+        def request_http_token_authentication(realm = "Application")
+          Token.authentication_request(self, realm)
+        end
+      end
+
+      # If token Authorization header is present, call the login procedure with 
+      # the present token and options.
+      #
+      # controller      - ActionController::Base instance for the current request.
+      # login_procedure - Proc to call if a token is present.  The Proc should 
+      #                   take 2 arguments:
+      #                     authenticate(controller) { |token, options| ... }
+      #
+      # Returns the return value of `&login_procedure` if a token is found.
+      # Returns nil if no token is found.
+      def authenticate(controller, &login_procedure)
+        token, options = token_and_options(controller.request)
+        if !token.blank?
+          login_procedure.call(token, options)
+        end
+      end
+
+      # Parses the token and options out of the token authorization header.  If
+      # the header looks like this:
+      #   Authorization: Token token="abc", nonce="def"
+      # Then the returned token is "abc", and the options is {:nonce => "def"}
+      #
+      # request - ActionController::Request instance with the current headers.
+      #
+      # Returns an Array of [String, Hash] if a token is present.
+      # Returns nil if no token is found.
+      def token_and_options(request)
+        if header = request.authorization.to_s[/^Token (.*)/]
+          values = $1.split(',').
+            inject({}) do |memo, value|
+              value.strip!                      # remove any spaces between commas and values
+              key, value = value.split(/\=\"?/) # split key=value pairs
+              value.chomp!('"')                 # chomp trailing " in value
+              value.gsub!(/\\\"/, '"')          # unescape remaining quotes
+              memo.update(key => value)
+            end
+          [values.delete("token"), values.with_indifferent_access]
+        end
+      end
+
+      # Encodes the given token and options into an Authorization header value.
+      #
+      # token   - String token.
+      # options - optional Hash of the options.
+      #
+      # Returns String.
+      def encode_credentials(token, options = {})
+        values = ["token=#{token.to_s.inspect}"]
+        options.each do |key, value|
+          values << "#{key}=#{value.to_s.inspect}"
+        end
+        "Token #{values * ", "}"
+      end
+
+      # Sets a WWW-Authenticate to let the client know a token is desired.
+      #
+      # controller - ActionController::Base instance for the outgoing response.
+      # realm      - String realm to use in the header.
+      #
+      # Returns nothing.
+      def authentication_request(controller, realm)
+        controller.headers["WWW-Authenticate"] = %(Token realm="#{realm.gsub(/"/, "")}")
+        controller.__send__ :render, :text => "HTTP Token: Access denied.\n", :status => :unauthorized
+      end
+    end
+
   end
 end

data/lib/action_controller/metal/instrumentation.rb

@@ -23,9 +23,9 @@ module ActionController
         :path       => (request.fullpath rescue "unknown")
       }
 
-      ActiveSupport::Notifications.instrument("action_controller.start_processing", raw_payload.dup)
+      ActiveSupport::Notifications.instrument("start_processing.action_controller", raw_payload.dup)
 
-      ActiveSupport::Notifications.instrument("action_controller.process_action", raw_payload) do |payload|
+      ActiveSupport::Notifications.instrument("process_action.action_controller", raw_payload) do |payload|
         result = super
         payload[:status] = response.status
         append_info_to_payload(payload)
@@ -42,20 +42,20 @@ module ActionController
     end
 
     def send_file(path, options={})
-      ActiveSupport::Notifications.instrument("action_controller.send_file",
+      ActiveSupport::Notifications.instrument("send_file.action_controller",
         options.merge(:path => path)) do
         super
       end
     end
 
     def send_data(data, options = {})
-      ActiveSupport::Notifications.instrument("action_controller.send_data", options) do
+      ActiveSupport::Notifications.instrument("send_data.action_controller", options) do
         super
       end
     end
 
     def redirect_to(*args)
-      ActiveSupport::Notifications.instrument("action_controller.redirect_to") do |payload|
+      ActiveSupport::Notifications.instrument("redirect_to.action_controller") do |payload|
         result = super
         payload[:status]   = self.status
         payload[:location] = self.location

data/lib/action_controller/metal/rack_delegation.rb

@@ -8,10 +8,10 @@ module ActionController
     delegate :headers, :status=, :location=, :content_type=,
              :status, :location, :content_type, :to => "@_response"
 
-    def dispatch(action, request)
-      @_response = ActionDispatch::Response.new
-      @_response.request = request
-      super
+    def dispatch(action, request, response = ActionDispatch::Response.new)
+      @_response ||= response
+      @_response.request ||= request
+      super(action, request)
     end
 
     def params

data/lib/action_controller/metal/renderers.rb

@@ -71,7 +71,7 @@ module ActionController
     end
 
     add :json do |json, options|
-      json = ActiveSupport::JSON.encode(json) unless json.respond_to?(:to_str)
+      json = ActiveSupport::JSON.encode(json, options) unless json.respond_to?(:to_str)
       json = "#{options[:callback]}(#{json})" unless options[:callback].blank?
       self.content_type ||= Mime::JSON
       self.response_body  = json
@@ -79,12 +79,12 @@ module ActionController
 
     add :js do |js, options|
       self.content_type ||= Mime::JS
-      self.response_body  = js.respond_to?(:to_js) ? js.to_js : js
+      self.response_body  = js.respond_to?(:to_js) ? js.to_js(options) : js
     end
 
     add :xml do |xml, options|
       self.content_type ||= Mime::XML
-      self.response_body  = xml.respond_to?(:to_xml) ? xml.to_xml : xml
+      self.response_body  = xml.respond_to?(:to_xml) ? xml.to_xml(options) : xml
     end
 
     add :update do |proc, options|

data/lib/action_controller/metal/request_forgery_protection.rb

@@ -4,62 +4,65 @@ module ActionController #:nodoc:
   class InvalidAuthenticityToken < ActionControllerError #:nodoc:
   end
 
+  # Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current
+  # web application, not a forged link from another site, is done by embedding a token based on a random
+  # string stored in the session (which an attacker wouldn't know) in all forms and Ajax requests generated
+  # by Rails and then verifying the authenticity of that token in the controller.  Only HTML/JavaScript
+  # requests are checked, so this will not protect your XML API (presumably you'll have a different
+  # authentication scheme there anyway).  Also, GET requests are not protected as these should be
+  # idempotent anyway.
+  #
+  # This is turned on with the <tt>protect_from_forgery</tt> method, which will check the token and raise an
+  # ActionController::InvalidAuthenticityToken if it doesn't match what was expected. You can customize the
+  # error message in production by editing public/422.html.  A call to this method in ApplicationController is
+  # generated by default in post-Rails 2.0 applications.
+  #
+  # The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form
+  # manually (without the use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to
+  # include a hidden field named like that and set its value to what is returned by
+  # <tt>form_authenticity_token</tt>.
+  #
+  # Request forgery protection is disabled by default in test environment. If you are upgrading from Rails
+  # 1.x, add this to config/environments/test.rb:
+  #
+  #   # Disable request forgery protection in test environment
+  #   config.action_controller.allow_forgery_protection = false
+  #
+  # == Learn more about CSRF (Cross-Site Request Forgery) attacks
+  #
+  # Here are some resources:
+  # * http://isc.sans.org/diary.html?storyid=1750
+  # * http://en.wikipedia.org/wiki/Cross-site_request_forgery
+  #
+  # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application.
+  # There are a few guidelines you should follow:
+  #
+  # * Keep your GET requests safe and idempotent.  More reading material:
+  #   * http://www.xml.com/pub/a/2002/04/24/deviant.html
+  #   * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
+  #   * Make sure the session cookies that Rails creates are non-persistent.  Check in Firefox and look
+  #     for "Expires: at end of session"
+  #
   module RequestForgeryProtection
     extend ActiveSupport::Concern
 
     include AbstractController::Helpers
+    include AbstractController::Callbacks
 
     included do
       # Sets the token parameter name for RequestForgery. Calling +protect_from_forgery+
       # sets it to <tt>:authenticity_token</tt> by default.
-      config.request_forgery_protection_token ||= :authenticity_token
+      config_accessor :request_forgery_protection_token
+      self.request_forgery_protection_token ||= :authenticity_token
 
       # Controls whether request forgergy protection is turned on or not. Turned off by default only in test mode.
-      config.allow_forgery_protection ||= true
+      config_accessor :allow_forgery_protection
+      self.allow_forgery_protection = true if allow_forgery_protection.nil?
 
       helper_method :form_authenticity_token
       helper_method :protect_against_forgery?
     end
 
-    # Protecting controller actions from CSRF attacks by ensuring that all forms are coming from the current
-    # web application, not a forged link from another site, is done by embedding a token based on a random
-    # string stored in the session (which an attacker wouldn't know) in all forms and Ajax requests generated
-    # by Rails and then verifying the authenticity of that token in the controller.  Only HTML/JavaScript
-    # requests are checked, so this will not protect your XML API (presumably you'll have a different
-    # authentication scheme there anyway).  Also, GET requests are not protected as these should be
-    # idempotent anyway.
-    #
-    # This is turned on with the <tt>protect_from_forgery</tt> method, which will check the token and raise an
-    # ActionController::InvalidAuthenticityToken if it doesn't match what was expected. You can customize the
-    # error message in production by editing public/422.html.  A call to this method in ApplicationController is
-    # generated by default in post-Rails 2.0 applications.
-    #
-    # The token parameter is named <tt>authenticity_token</tt> by default. If you are generating an HTML form
-    # manually (without the use of Rails' <tt>form_for</tt>, <tt>form_tag</tt> or other helpers), you have to
-    # include a hidden field named like that and set its value to what is returned by
-    # <tt>form_authenticity_token</tt>.
-    #
-    # Request forgery protection is disabled by default in test environment. If you are upgrading from Rails
-    # 1.x, add this to config/environments/test.rb:
-    #
-    #   # Disable request forgery protection in test environment
-    #   config.action_controller.allow_forgery_protection = false
-    #
-    # == Learn more about CSRF (Cross-Site Request Forgery) attacks
-    #
-    # Here are some resources:
-    # * http://isc.sans.org/diary.html?storyid=1750
-    # * http://en.wikipedia.org/wiki/Cross-site_request_forgery
-    #
-    # Keep in mind, this is NOT a silver-bullet, plug 'n' play, warm security blanket for your rails application.
-    # There are a few guidelines you should follow:
-    #
-    # * Keep your GET requests safe and idempotent.  More reading material:
-    #   * http://www.xml.com/pub/a/2002/04/24/deviant.html
-    #   * http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.1.1
-    #   * Make sure the session cookies that Rails creates are non-persistent.  Check in Firefox and look
-    #     for "Expires: at end of session"
-    #
     module ClassMethods
       # Turn on request forgery protection. Bear in mind that only non-GET, HTML/JavaScript requests are checked.
       #
@@ -79,22 +82,6 @@ module ActionController #:nodoc:
         self.request_forgery_protection_token ||= :authenticity_token
         before_filter :verify_authenticity_token, options
       end
-
-      def request_forgery_protection_token
-        config.request_forgery_protection_token
-      end
-
-      def request_forgery_protection_token=(val)
-        config.request_forgery_protection_token = val
-      end
-
-      def allow_forgery_protection
-        config.allow_forgery_protection
-      end
-
-      def allow_forgery_protection=(val)
-        config.allow_forgery_protection = val
-      end
     end
 
     protected
@@ -104,22 +91,6 @@ module ActionController #:nodoc:
         before_filter :verify_authenticity_token, options
       end
 
-      def request_forgery_protection_token
-        config.request_forgery_protection_token
-      end
-
-      def request_forgery_protection_token=(val)
-        config.request_forgery_protection_token = val
-      end
-
-      def allow_forgery_protection
-        config.allow_forgery_protection
-      end
-
-      def allow_forgery_protection=(val)
-        config.allow_forgery_protection = val
-      end
-
       # The actual before_filter that is used.  Modify this to change how you handle unverified requests.
       def verify_authenticity_token
         verified_request? || raise(ActionController::InvalidAuthenticityToken)
@@ -146,7 +117,7 @@ module ActionController #:nodoc:
       end
 
       def protect_against_forgery?
-        config.allow_forgery_protection
+        allow_forgery_protection
       end
   end
 end

data/lib/action_controller/metal/responder.rb

@@ -217,7 +217,7 @@ module ActionController #:nodoc:
     # the verb is POST.
     #
     def default_action
-      @action ||= ACTIONS_FOR_VERBS[request.method_symbol]
+      @action ||= ACTIONS_FOR_VERBS[request.request_method_symbol]
     end
   end
 end

data/lib/action_controller/metal/url_for.rb

@@ -16,5 +16,13 @@ module ActionController
       raise "In order to use #url_for, you must include the helpers of a particular " \
             "router. For instance, `include Rails.application.routes.url_helpers"
     end
+
+    module ClassMethods
+      def action_methods
+        @action_methods ||= begin
+          super - _router.named_routes.helper_names
+        end
+      end
+    end
   end
 end

data/lib/action_controller/railtie.rb

@@ -13,64 +13,51 @@ module ActionController
   class Railtie < Rails::Railtie
     config.action_controller = ActiveSupport::OrderedOptions.new
 
-    ad = config.action_dispatch
-    config.action_controller.singleton_class.send(:define_method, :session) do
-      ActiveSupport::Deprecation.warn "config.action_controller.session has been " \
-        "renamed to config.action_dispatch.session.", caller
-      ad.session
-    end
+    config.action_controller.singleton_class.tap do |d|
+      d.send(:define_method, :session) do
+        ActiveSupport::Deprecation.warn "config.action_controller.session has been deprecated. " <<
+          "Please use Rails.application.config.session_store instead.", caller
+      end
 
-    config.action_controller.singleton_class.send(:define_method, :session=) do |val|
-      ActiveSupport::Deprecation.warn "config.action_controller.session has been " \
-        "renamed to config.action_dispatch.session.", caller
-      ad.session = val
-    end
+      d.send(:define_method, :session=) do |val|
+        ActiveSupport::Deprecation.warn "config.action_controller.session= has been deprecated. " <<
+          "Please use config.session_store(name, options) instead.", caller
+      end
 
-    config.action_controller.singleton_class.send(:define_method, :session_store) do
-      ActiveSupport::Deprecation.warn "config.action_controller.session_store has been " \
-        "renamed to config.action_dispatch.session_store.", caller
-      ad.session_store
-    end
+      d.send(:define_method, :session_store) do
+        ActiveSupport::Deprecation.warn "config.action_controller.session_store has been deprecated. " <<
+          "Please use Rails.application.config.session_store instead.", caller
+      end
 
-    config.action_controller.singleton_class.send(:define_method, :session_store=) do |val|
-      ActiveSupport::Deprecation.warn "config.action_controller.session_store has been " \
-        "renamed to config.action_dispatch.session_store.", caller
-      ad.session_store = val
+      d.send(:define_method, :session_store=) do |val|
+        ActiveSupport::Deprecation.warn "config.action_controller.session_store= has been deprecated. " <<
+          "Please use config.session_store(name, options) instead.", caller
+      end
     end
 
     log_subscriber :action_controller, ActionController::Railties::LogSubscriber.new
 
-    initializer "action_controller.logger" do
-      ActiveSupport.on_load(:action_controller) { self.logger ||= Rails.logger }
-    end
-
-    initializer "action_controller.page_cache_directory" do
-      ActiveSupport.on_load(:action_controller) do
-        self.page_cache_directory = Rails.public_path
-      end
-    end
-
     initializer "action_controller.set_configs" do |app|
       paths = app.config.paths
       ac = app.config.action_controller
 
-      ac.assets_dir      = paths.public.to_a.first
-      ac.javascripts_dir = paths.public.javascripts.to_a.first
-      ac.stylesheets_dir = paths.public.stylesheets.to_a.first
+      ac.assets_dir           ||= paths.public.to_a.first
+      ac.javascripts_dir      ||= paths.public.javascripts.to_a.first
+      ac.stylesheets_dir      ||= paths.public.stylesheets.to_a.first
+      ac.page_cache_directory ||= paths.public.to_a.first
+      ac.helpers_path         ||= paths.app.helpers.to_a
 
       ActiveSupport.on_load(:action_controller) do
         self.config.merge!(ac)
       end
     end
 
-    initializer "action_controller.initialize_framework_caches" do
-      ActiveSupport.on_load(:action_controller) { self.cache_store ||= RAILS_CACHE }
+    initializer "action_controller.logger" do
+      ActiveSupport.on_load(:action_controller) { self.logger ||= Rails.logger }
     end
 
-    initializer "action_controller.set_helpers_path" do |app|
-      ActiveSupport.on_load(:action_controller) do
-        self.helpers_path = app.config.paths.app.helpers.to_a
-      end
+    initializer "action_controller.initialize_framework_caches" do
+      ActiveSupport.on_load(:action_controller) { self.cache_store ||= RAILS_CACHE }
     end
 
     initializer "action_controller.url_helpers" do |app|