aker 3.0.0.pre

Files changed (118) hide show
  1. data/CHANGELOG.md +210 -0
  2. data/README.md +282 -0
  3. data/assets/aker/form/login.css +73 -0
  4. data/assets/aker/form/login.html.erb +44 -0
  5. data/lib/aker/authorities/automatic_access.rb +36 -0
  6. data/lib/aker/authorities/composite.rb +301 -0
  7. data/lib/aker/authorities/static.rb +283 -0
  8. data/lib/aker/authorities/support/find_sole_user.rb +24 -0
  9. data/lib/aker/authorities/support.rb +9 -0
  10. data/lib/aker/authorities.rb +46 -0
  11. data/lib/aker/cas/authority.rb +79 -0
  12. data/lib/aker/cas/configuration_helper.rb +85 -0
  13. data/lib/aker/cas/middleware/logout_responder.rb +49 -0
  14. data/lib/aker/cas/middleware/ticket_remover.rb +35 -0
  15. data/lib/aker/cas/middleware.rb +6 -0
  16. data/lib/aker/cas/proxy_mode.rb +108 -0
  17. data/lib/aker/cas/rack_proxy_callback.rb +188 -0
  18. data/lib/aker/cas/service_mode.rb +88 -0
  19. data/lib/aker/cas/service_url.rb +62 -0
  20. data/lib/aker/cas/user_ext.rb +64 -0
  21. data/lib/aker/cas.rb +31 -0
  22. data/lib/aker/central_parameters.rb +101 -0
  23. data/lib/aker/configuration.rb +534 -0
  24. data/lib/aker/deprecation.rb +105 -0
  25. data/lib/aker/form/custom_views_mode.rb +80 -0
  26. data/lib/aker/form/login_form_asset_provider.rb +56 -0
  27. data/lib/aker/form/middleware/custom_view_login_responder.rb +19 -0
  28. data/lib/aker/form/middleware/login_renderer.rb +72 -0
  29. data/lib/aker/form/middleware/login_responder.rb +71 -0
  30. data/lib/aker/form/middleware/logout_responder.rb +26 -0
  31. data/lib/aker/form/middleware.rb +10 -0
  32. data/lib/aker/form/mode.rb +118 -0
  33. data/lib/aker/form.rb +26 -0
  34. data/lib/aker/group.rb +67 -0
  35. data/lib/aker/group_membership.rb +162 -0
  36. data/lib/aker/ldap/authority.rb +392 -0
  37. data/lib/aker/ldap/user_ext.rb +19 -0
  38. data/lib/aker/ldap.rb +22 -0
  39. data/lib/aker/modes/base.rb +85 -0
  40. data/lib/aker/modes/http_basic.rb +100 -0
  41. data/lib/aker/modes/support/attempted_path.rb +22 -0
  42. data/lib/aker/modes/support/rfc_2617.rb +32 -0
  43. data/lib/aker/modes/support.rb +12 -0
  44. data/lib/aker/modes.rb +48 -0
  45. data/lib/aker/rack/authenticate.rb +37 -0
  46. data/lib/aker/rack/configuration_helper.rb +18 -0
  47. data/lib/aker/rack/default_logout_responder.rb +36 -0
  48. data/lib/aker/rack/environment_helper.rb +34 -0
  49. data/lib/aker/rack/facade.rb +102 -0
  50. data/lib/aker/rack/failure.rb +69 -0
  51. data/lib/aker/rack/logout.rb +63 -0
  52. data/lib/aker/rack/request_ext.rb +19 -0
  53. data/lib/aker/rack/session_timer.rb +95 -0
  54. data/lib/aker/rack/setup.rb +77 -0
  55. data/lib/aker/rack.rb +107 -0
  56. data/lib/aker/test/helpers.rb +22 -0
  57. data/lib/aker/test.rb +8 -0
  58. data/lib/aker/user.rb +231 -0
  59. data/lib/aker/version.rb +3 -0
  60. data/lib/aker.rb +51 -0
  61. data/spec/aker/aker-sample.yml +11 -0
  62. data/spec/aker/authorities/automatic_access_spec.rb +52 -0
  63. data/spec/aker/authorities/composite_spec.rb +488 -0
  64. data/spec/aker/authorities/nu-schema.jar +0 -0
  65. data/spec/aker/authorities/static_spec.rb +455 -0
  66. data/spec/aker/authorities/support/find_sole_user_spec.rb +33 -0
  67. data/spec/aker/authorities_spec.rb +16 -0
  68. data/spec/aker/cas/authority_spec.rb +106 -0
  69. data/spec/aker/cas/configuration_helper_spec.rb +92 -0
  70. data/spec/aker/cas/middleware/logout_responder_spec.rb +47 -0
  71. data/spec/aker/cas/middleware/ticket_remover_spec.rb +49 -0
  72. data/spec/aker/cas/proxy_mode_spec.rb +185 -0
  73. data/spec/aker/cas/rack_proxy_callback_spec.rb +190 -0
  74. data/spec/aker/cas/service_mode_spec.rb +122 -0
  75. data/spec/aker/cas/service_url_spec.rb +114 -0
  76. data/spec/aker/cas/user_ext_spec.rb +27 -0
  77. data/spec/aker/cas_spec.rb +19 -0
  78. data/spec/aker/central_parameters_spec.rb +44 -0
  79. data/spec/aker/configuration_spec.rb +465 -0
  80. data/spec/aker/deprecation_spec.rb +115 -0
  81. data/spec/aker/form/a_form_mode.rb +129 -0
  82. data/spec/aker/form/custom_views_mode_spec.rb +34 -0
  83. data/spec/aker/form/login_form_asset_provider_spec.rb +80 -0
  84. data/spec/aker/form/middleware/a_form_login_responder.rb +89 -0
  85. data/spec/aker/form/middleware/custom_view_login_responder_spec.rb +47 -0
  86. data/spec/aker/form/middleware/login_renderer_spec.rb +56 -0
  87. data/spec/aker/form/middleware/login_responder_spec.rb +34 -0
  88. data/spec/aker/form/middleware/logout_responder_spec.rb +55 -0
  89. data/spec/aker/form/mode_spec.rb +15 -0
  90. data/spec/aker/form_spec.rb +11 -0
  91. data/spec/aker/group_membership_spec.rb +208 -0
  92. data/spec/aker/group_spec.rb +66 -0
  93. data/spec/aker/ldap/authority_spec.rb +414 -0
  94. data/spec/aker/ldap/ldap-users.ldif +197 -0
  95. data/spec/aker/ldap_spec.rb +11 -0
  96. data/spec/aker/modes/a_aker_mode.rb +41 -0
  97. data/spec/aker/modes/http_basic_spec.rb +127 -0
  98. data/spec/aker/modes/support/attempted_path_spec.rb +32 -0
  99. data/spec/aker/modes_spec.rb +11 -0
  100. data/spec/aker/rack/authenticate_spec.rb +78 -0
  101. data/spec/aker/rack/default_logout_responder_spec.rb +67 -0
  102. data/spec/aker/rack/facade_spec.rb +154 -0
  103. data/spec/aker/rack/failure_spec.rb +151 -0
  104. data/spec/aker/rack/logout_spec.rb +63 -0
  105. data/spec/aker/rack/request_ext_spec.rb +29 -0
  106. data/spec/aker/rack/session_timer_spec.rb +134 -0
  107. data/spec/aker/rack/setup_spec.rb +87 -0
  108. data/spec/aker/rack_spec.rb +216 -0
  109. data/spec/aker/test/helpers_spec.rb +44 -0
  110. data/spec/aker/user_spec.rb +362 -0
  111. data/spec/aker_spec.rb +80 -0
  112. data/spec/deprecation_helper.rb +58 -0
  113. data/spec/java_helper.rb +5 -0
  114. data/spec/logger_helper.rb +17 -0
  115. data/spec/matchers.rb +31 -0
  116. data/spec/mock_builder.rb +25 -0
  117. data/spec/spec_helper.rb +52 -0
  118. metadata +265 -0
data/CHANGELOG.md ADDED
@@ -0,0 +1,210 @@
1
+ Aker History
2
+ ============
3
+
4
+ 3.0.0
5
+ -----
6
+ - First open-source version.
7
+ - Project renamed from "Bcsec" (short for Bioinformatics Core
8
+ security) to "Aker" (ancient Egyptian god of the horizon).
9
+ - Bcsec contained several authorities which were specific to NUBIC;
10
+ those have been removed and purged from the git history for the
11
+ project.
12
+ - Added :custom_form mode (#1).
13
+
14
+ Bcsec History
15
+ =============
16
+
17
+ This is the history for the parts of Bcsec which remain in
18
+ Aker. Versions that only included changes to code which has been
19
+ removed from the open source version have been removed.
20
+
21
+ 2.2.0
22
+ -----
23
+ - Introduced the concept of "configuration slices" so that extensions
24
+ may add default configuration values. (#5875)
25
+ - Introduced mode registration and authority aliases so that named
26
+ modes and authorities can have arbitrary class names. (#5875)
27
+ - Introduced the ability to configure rack middleware to be installed
28
+ relative to bcsec (outside of modes). (#5875)
29
+ - Bcsec now has a 30 minute session timeout. (#5156)
30
+ - It is now possible to customize the login and logout pages when using the
31
+ `form` mode. (#5469)
32
+ - Added a generic LDAP authority. (#5876)
33
+ - Send a permanent redirect after a successful CAS authentication in
34
+ order to prevent the service ticket from showing up in the user's
35
+ browsing history. (#2725)
36
+ - Extract and expose the method for determining the CAS service URL
37
+ for a particular request. (See `Bcsec::Cas::ServiceUrl`.)
38
+ - Updated JRuby tested version to 1.6.2.
39
+
40
+ 2.1.0
41
+ -----
42
+
43
+ - ActiveRecord / ActiveSupport 3 compatibility. (#2804)
44
+ - Fixed: user information is no longer saved in the session in
45
+ non-interactive modes. (#2757)
46
+
47
+ 2.0.5
48
+ -----
49
+
50
+ - Updated tested platforms to JRuby 1.5.3 and Ruby 1.9.2. (MRI 1.8.7
51
+ in the specific form of REE 2010.02 remains the same.)
52
+
53
+ 2.0.4
54
+ -----
55
+
56
+ - Changed: the #find_users method on the authorities interface now
57
+ accepts one or more separate criteria. The separate criteria are
58
+ joined using a logical OR. All the built-in authorities have been
59
+ updated to support this; custom authorities may need to be updated
60
+ as well. (#4027)
61
+ - Added: `Bcsec::Authorities::Static#load!` will now load arbitrary
62
+ `Bcsec::User` attributes from the YAML file, not just the username,
63
+ password, and authorization information. (#4297)
64
+ - Changed: Depend on net-ldap 0.1.1 instead of ruby-net-ldap 0.0.4.
65
+ This new version of the net/ldap library is backwards compatible,
66
+ interface-wise, but it trades 1.8.6- support for 1.9+ support.
67
+
68
+ 2.0.3
69
+ -----
70
+
71
+ - Fixed: static authority now allows different users to have the same
72
+ password. (#4068)
73
+
74
+ 2.0.1
75
+ -----
76
+
77
+ - Added `Bcsec::Authorities::AutomaticAccess`.
78
+
79
+ 2.0.0
80
+ -----
81
+
82
+ - Complete rewrite: better architecture (no sole singletons); rack
83
+ support; better RESTful API authentication support; support for MRI
84
+ 1.8.7, JRuby, and YARV 1.9.1; and much more.
85
+
86
+ 1.6.1
87
+ -----
88
+
89
+ - Correct MockAuthenticator-authorized users so that they reflect the
90
+ appropriate group memberships when logging in with CAS (bug #2221)
91
+ - Prevent nil dereference in User#in_group? when the user has no groups at all
92
+
93
+ 1.6.0
94
+ -----
95
+
96
+ - Fix nil-sensitivity bug in Bcsec.use_cas (#1994)
97
+ - Remove explicit `gem` invocations from library code
98
+ - Make minor changes to allow bcsec to run under jruby 1.4.0
99
+
100
+ 1.5.2
101
+ -----
102
+
103
+ - Modify build layout a bit so that the source directory can be used with
104
+ bundler's :path option in sowsear
105
+
106
+ 1.5.0
107
+ -----
108
+
109
+ - Update to use open source versions of bcdatabase and
110
+ schema_qualified_tables.
111
+
112
+ 1.4.8
113
+ -----
114
+
115
+ - Configuration from use_cas now propagates to RailsCasFilter.
116
+
117
+ 1.4.0
118
+ -----
119
+
120
+ - Allow CAS configuration parameters to be passed to use_cas.
121
+ These parameters are passed directly to CASClient::Client; see
122
+ http://rubycas-client.rubyforge.org/ for configuration details.
123
+ These parameters override central configuration.
124
+
125
+ 1.3.0
126
+ -----
127
+
128
+ - Dev: support deploy:tag from git-svn clones
129
+
130
+ 1.2.6
131
+ -----
132
+
133
+ - Added Bcsec::AuthenticateOnlyAuthenticator for when you only need to
134
+ authenticate. It responds to allow_access? and always returns true.
135
+ - Added ability to add authenticators with may_access? method only.
136
+ - Added rspec-rails version to use when running specs.
137
+
138
+ 1.2.2
139
+ -----
140
+
141
+ - Correct _dependency_ definitions in gemspec. (Was using _requirements_,
142
+ which are informational only.) `gem install bcsec` will now install all
143
+ dependent gems.
144
+
145
+ 1.2.1
146
+ -----
147
+
148
+ - Clear the effects of use_cas in Bcsec::Configurator#clear
149
+
150
+ 1.2.0
151
+ -----
152
+
153
+ - Add Bcsec::portal_set? and similar to allow querying whether certain
154
+ config attributes are set without throwing an exception when they aren't.
155
+ - Add adapter code in rspec_helper.rb so that rspec-rails can be used as a gem.
156
+
157
+ 1.1.0
158
+ -----
159
+
160
+ - Added publicly-accessible method Bcsec#amplify! to provide bcsec consumers
161
+ with the ability to manually invoke group data retrieval.
162
+
163
+ 1.0.1
164
+ -----
165
+
166
+ - Fix issue when having multiple authenticors and the first one returns no groups
167
+
168
+ 1.0.0
169
+ -----
170
+
171
+ - A user's security groups are cached in the current user object in the
172
+ session.
173
+ - In group checks are handled in memory instead of hitting the database every
174
+ time.
175
+ - Added dependency on RubyTree gem
176
+
177
+ 0.1.1
178
+ -----
179
+
180
+ - Fix issue where Bcsec::CentralAuthenticationParameters would sometimes not be
181
+ automatically resolved by applications using ActiveSupport's dependency
182
+ loader.
183
+
184
+ 0.1.0
185
+ -----
186
+
187
+ - Add CAS support
188
+ - Add MockAuthenticator#load_credentials! to support loading test credentials
189
+ from a file.
190
+
191
+ 0.0.2
192
+ -----
193
+
194
+ - Adapt deploy task to be multi-developer friendly
195
+ - Add separate uninstall task to return to published version
196
+
197
+ 0.0.1
198
+ -----
199
+
200
+ - Fix rake tasks for deploy, local install
201
+ - Integrate ci_reporter
202
+ - Add rudimentary environment support in order to build in hudson
203
+ - Made site affiliate portal foreign key explicit
204
+
205
+ 0.0.0
206
+ -----
207
+
208
+ - Extract non-rails-specific bcsec elements from bcsec engine.
209
+ - Convert test/unit tests moved from bcsec plugin into rspec specs. (Shallow
210
+ conversion only so far.)
data/README.md ADDED
@@ -0,0 +1,282 @@
1
+ Aker
2
+ ====
3
+
4
+ Aker is a library for managing authentication and authorization in
5
+ ruby applications (particularly Rack applications). It is designed to
6
+ extensibly work with your existing (possibly legacy) authentication
7
+ infrastructure.
8
+
9
+ Aker is made up of **authorities** which provide user security
10
+ information, **modes** which integrate authentication with HTTP (via
11
+ Rack), and a **configuration** which specifies which of these to use
12
+ and how to set them up.
13
+
14
+ Reader's note: this README uses [YARD][] markup to provide links to
15
+ Aker's API documentation. If you aren't already, consider reading it
16
+ on [rubydoc.info][] so that the links will be followable.
17
+
18
+ [YARD]: http://yardoc.org/
19
+ [rubydoc.info]: http://rubydoc.info/github/NUBIC/aker/master/file/README.md
20
+
21
+ Aker concepts
22
+ -------------
23
+
24
+ ### Authorities
25
+
26
+ An **authority** in Aker is the encapsulation of a mechanism for
27
+ providing authentication and/or authorization. The methods which an
28
+ authority may implement (all are optional) are described in detail in
29
+ the documentation for the {Aker::Authorities::Composite composite
30
+ authority}. All the included authorities are described in the
31
+ documentation for the {Aker::Authorities} module. See their
32
+ documentation for more information.
33
+
34
+ More than one authority can be used in a particular configuration.
35
+ When validating credentials or performing any of the other actions
36
+ provided by the authority interface, all the authorities will be
37
+ consulted. The documentation for the composite authority describes
38
+ how the results are aggregated for each action.
39
+
40
+ ### Modes
41
+
42
+ An Aker **mode** is a mechanism for receiving credentials in the context
43
+ of a web application. Aker modes come in variants that are intended
44
+ for use in human-user-facing contexts (*UI* modes) and machine-facing
45
+ contexts (*API* modes). It is possible for the same mode to act in
46
+ both capacities.
47
+
48
+ An application may have zero-to-many API modes, but only one UI mode.
49
+ API modes work within a standard [RFC2617][] HTTP Authorization
50
+ interface, while UI modes have broad access to the Rack environment to
51
+ prompt the user as necessary.
52
+
53
+ All the included modes are described in the documentation of the
54
+ {Aker::Modes} module. See their documentation for more information.
55
+ If you would like to implement your own mode, see {Aker::Modes::Base}.
56
+
57
+ #### API vs. UI
58
+
59
+ Aker uses the following heuristic to determine whether to attempt to
60
+ authenticate a particular request using the configured UI mode or API
61
+ mode(s):
62
+
63
+ * If there are no API modes configured, requests are always handled by
64
+ the UI mode.
65
+ * If the HTTP Accept header includes `text/html` (literally includes
66
+ it, not matches it), the request is handled by the UI mode.
67
+ * If the HTTP User-Agent header includes `Mozilla`, the request is
68
+ handled by the UI mode.
69
+ * Otherwise, the request is handled by the API mode(s).
70
+
71
+ [RFC2617]: http://www.ietf.org/rfc/rfc2617.txt
72
+
73
+ ### Configuration
74
+
75
+ The aker **configuration** is where you define the authorities and
76
+ modes (and their parameters) for your application. It's a class whose
77
+ instances can be initialized both {Aker::Configuration traditionally}
78
+ and using a {Aker::ConfiguratorLanguage DSL}. There's a global
79
+ instance ({Aker.configuration}) which will be sufficient for most
80
+ uses and which can be updated using the DSL via {Aker.configure}.
81
+
82
+ Since {Aker.configure} updates the configuration (rather than
83
+ replacing it), it is worthwhile to consider splitting up your
84
+ configuration into environment-specific and common parts. For
85
+ instance, you might have the common configuration:
86
+
87
+ Aker.configure {
88
+ ui_mode :form
89
+ api_mode :http_basic
90
+ }
91
+
92
+ And then for your development environment use:
93
+
94
+ Aker.configure {
95
+ authority Aker::Authorities::Static.from_file("#{Rails.root}/environments/development-users.yml")
96
+ central "/etc/nubic/aker-local.yml"
97
+ }
98
+
99
+ And in your tests use:
100
+
101
+ Aker.configure {
102
+ authority Aker::Authorities::Static.from_file("#{Rails.root}/spec/test-users.yml")
103
+ }
104
+
105
+ But then in production use:
106
+
107
+ Aker.configure {
108
+ authorities :ldap
109
+ central "/etc/nubic/aker-prod.yml"
110
+ }
111
+
112
+ Using form authentication
113
+ -------------------------
114
+
115
+ Aker's {Aker::Form::Mode :form} mode provides a traditional HTML
116
+ form for user authentication. It works with one or more authorities
117
+ which handle the `:user` credential kind — compatible
118
+ authorities that ship with Aker are {Aker::Ldap::Authority
119
+ :ldap}, and {Aker::Authorities::Static :static}.
120
+
121
+ `:form` is the default UI mode. If you want to explicitly configure
122
+ it, do like so:
123
+
124
+ Aker.configure {
125
+ authorities :static # whatever is appropriate for your app
126
+ ui_mode :form
127
+ }
128
+
129
+ Using CAS
130
+ ---------
131
+
132
+ Aker's {Aker::Cas::ServiceMode :cas} mode provides interactive user
133
+ authentication via an external CAS 2 server. The
134
+ {Aker::Cas::ProxyMode :cas_proxy} mode complements `:cas` by providing
135
+ non-interactive authentication using CAS proxy tickets. Each of these
136
+ modes works with an authority which can handle the corresponding
137
+ credential kind (i.e., `:cas` needs a `:cas`-handling authority). The
138
+ {Aker::Cas::Authority :cas} authority handles both. Here's an
139
+ example configuration:
140
+
141
+ Aker.configure {
142
+ authority :cas
143
+ ui_mode :cas
144
+ api_mode :cas_proxy # don't include unless needed
145
+ }
146
+
147
+ (The `:static` authority can also verify `:cas` and `:cas_proxy`
148
+ credentials, but it is relatively awkward to set up and so is left as
149
+ an exercise for the adventurous integrated tester.)
150
+
151
+ Since the CAS server provides authentication only, you may also want
152
+ to configure an authority to provide authorization information.
153
+
154
+ Authenticating a RESTful API
155
+ ----------------------------
156
+
157
+ As noted above, Aker has specific support for [RFC2617][]-style
158
+ standard HTTP authentication. It supports multiple simultaneous API
159
+ authentication modes. The most common case for multiple API modes
160
+ will be CAS-protected APIs which also need to provide non-interactive
161
+ API access (e.g., for cron jobs, since they are not run in the context
162
+ of a user logged into any particular application). Here's a sample
163
+ configuration:
164
+
165
+ Aker.configure {
166
+ ui_mode :cas
167
+ api_mode :http_basic, :cas_proxy
168
+
169
+ authorities :cas, :ldap
170
+
171
+ central "/etc/nubic/aker-local.yml"
172
+ }
173
+
174
+ In this case, the CAS server will be used for interactive logins and
175
+ for CAS proxy ticket validation, while HTTP Basic-authenticated
176
+ requests will be validated using the `:ldap` authority.
177
+
178
+ Rack (and Rails) integration
179
+ ----------------------------
180
+
181
+ Aker's web application integration is based on [Rack][]. This means
182
+ it can be used with nearly any ruby web framework, including Sinatra,
183
+ Camping, etc., in addition to Rails.
184
+
185
+ In your Aker-protected Rack application, you have access to a
186
+ `"aker.check"` key in the Rack environment. This key will yield an
187
+ instance of {Aker::Rack::Facade} which provides methods for
188
+ determining who is logged in, checking permissions, requiring
189
+ authentication, etc. See its API documentation for more information.
190
+
191
+ To configure Aker into your Rack application, use
192
+ {Aker::Rack.use_in}. See that method's API documentation for more
193
+ information.
194
+
195
+ #### Rails
196
+
197
+ While Rack support is built into the main Aker gem, Rails support (for
198
+ both Rails 2.3 and 3.x) is in a separate gem plugin. See the README
199
+ in the [`aker-rails` gem][aker-rails] for more information about it.
200
+
201
+ [Rack]: http://rack.rubyforge.org/
202
+ [aker-rails]: https://github.com/NUBIC/aker-rails
203
+
204
+ Aker outside of a Rack app
205
+ --------------------------
206
+
207
+ Aker's authorities are independent of its HTTP integration, so they
208
+ may be used in any ruby script or application. Here's an example:
209
+
210
+ #!/usr/bin/env ruby
211
+
212
+ require 'rubygems'
213
+ require 'aker'
214
+
215
+ Aker.configure {
216
+ authorities :ldap, :static
217
+ central "/etc/nubic/aker-staging.yml"
218
+ }
219
+
220
+ u = Aker.authority.valid_credentials?(:user, 'wakibbe', 'ekibder')
221
+ # => valid_credentials? returns a Aker::User on success
222
+
223
+ if !u
224
+ $stderr.puts "Bad credentials"
225
+ exit(1)
226
+ elsif u.permit?('Admin')
227
+ lookedup = Aker.authority.find_user(ARGV[0])
228
+ if lookedup
229
+ puts "#{ARGV[0]} is the username of #{lookedup.full_name}"
230
+ else
231
+ puts "#{ARGV[0]} isn't a valid username"
232
+ end
233
+ else
234
+ $stderr.puts "Unauthorized"
235
+ exit(2)
236
+ end
237
+
238
+ See the rest of the API documentation for more information.
239
+
240
+ Extending Aker
241
+ --------------
242
+
243
+ Aker was built for extensibility. Here are the highlights; see the
244
+ relevant sections above for more.
245
+
246
+ * {Aker::Authorities::Composite#valid_credentials? Authentication} and
247
+ {Aker::Authorities::Composite#amplify! authorization} can be
248
+ provided by implementing an {Aker::Authorities authority}. An
249
+ application can configure in multiple authorities and their results
250
+ will be intelligently combined. Authorities can also implement
251
+ {Aker::Authorities::Composite#on_authentication_success success} and
252
+ {Aker::Authorities::Composite#on_authentication_failure failure}
253
+ callbacks to provide for auditing or
254
+ {Aker::Authorities::Composite#veto? lockout} features.
255
+ * An HTTP-based credential presentation mechanism can be implemented
256
+ as a {Aker::Modes mode}. E.g., you would write a mode to adapt to a
257
+ legacy single-sign-on system.
258
+ * Authorities and modes can be customized through
259
+ {Aker::Configuration#parameters_for parameters} included in the
260
+ {Aker::Configuration configuration}.
261
+ * Reusable extensions can be packaged as gems and registered alongside
262
+ Aker's built-in functionality. Extensions may use
263
+ {Aker::Configuration::Slice slices} to register themselves, set
264
+ defaults parameter values, and register middleware that will be
265
+ included relative to Aker's own middleware.
266
+
267
+ Limitations
268
+ -----------
269
+
270
+ Aker's original iteration was a rails plugin built to assist the
271
+ Northwestern University Biomedical Informatics Center in transitioning
272
+ legacy systems to Ruby on Rails. Since then it's been used in dozens
273
+ of applications, both ports of existing systems and ones newly
274
+ built.
275
+
276
+ While it can be adapted to many kinds of applications, it is probably
277
+ not a good choice if you are not integrating with an existing
278
+ authentication or authorization backend. It does not include any
279
+ mechanism for provisioning users or letting users sign up for accounts
280
+ on their own. Such things could be built for it, but if that's what
281
+ you need then one of the other existing ruby security frameworks might
282
+ get you up and running faster.
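--- a/data/assets/aker/form/login.css
+++ b/data/assets/aker/form/login.css
@@ -0,0 +1,73 @@
+html {
+background-color: #393939;
+font-size: 12px;
+font-family: Helvetica, Arial, sans-serif;
+margin: 0; padding: 0;
+}
+p.error {
+text-align: center;
+background-color: #c66;
+color: #333;
+margin: 1em 0;
+padding: 1em;
+font-size: 1.3em;
+}
+.access {
+display: block;
+margin: 2em 0;
+border: solid #000;
+border-width: 2px 0;
+background-color: #999;
+color: #fff;
+width: 100%
+}
+.access .contents {
+width: 24em;
+margin: 0 auto;
+}
+.access h1 {
+text-align: center;
+font-size: 1.5em;
+margin: 1em;
+padding: 0;
+}
+.access a {
+color: #fff;
+}
+.access a:visited {
+color: #eed;
+}
+.access a:hover {
+color: #fff;
+background-color: #aa9;
+}
+.access .row {
+margin: 0.5em;
+}
+.access .row:after {
+display: block;
+content: " ";
+clear: both;
+visibility: hidden;
+height: 0;
+}
+.access .label {
+text-align: right;
+height: 2em;
+font-weight: bold;
+float: left;
+width: 6em;
+padding-top: 6px;
+}
+.access .value {
+margin-left: 6.5em;
+}
+.access .text {
+border: 1px solid #393939;
+padding: 2px;
+}
+.access .button {
+border: 1px outset #393939;
+background-color: #393939;
+color: #ddd;
+}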
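--- a/data/assets/aker/form/login.html.erb
+++ b/data/assets/aker/form/login.html.erb
@@ -0,0 +1,44 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Please log in</title>
+<link rel="stylesheet" type="text/css" href="<%= login_base %>/login.css" />
+</head>
+<body class="access">
+<form method="POST" action="<%= login_base %>">
+<input type="hidden" name="url" value="<%= options[:url] %>" />
+<% if options[:logged_out] %>
+<h1>Logged out</h1>
+<% else %>
+<h1>Please log in</h1>
+<% end %>
+<% if options[:login_failed] %>
+<p class="error">Login failed</p>
+<% elsif options[:session_expired] %>
+<p class="error">Session expired</p>
+<% end %>
+<div class="contents">
+<div class="row">
+<div class="label">
+<label for="username">Username</label>
+</div>
+<div class="value">
+<input type="text" id="username" name="username" class="text" value="<%= escape_html(options[:username]) %>"/>
+</div>
+</div>
+<div class="row">
+<div class="label">
+<label for="password">Password</label>
+</div>
+<div class="value">
+<input type="password" id="password" name="password" class="text" />
+</div>
+</div>
+<div class="row">
+<div class="value">
+<input type="submit" value="Log in" class="button" />
+</div>
+</div>
+</div>
+</body>
+</html>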
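Review bot: The hidden `url` field on line 9 interpolates `options[:url]` into an attribute value without `escape_html`, while the username field on line 26 does escape its value; if the url option carries the originally requested path (which seems likely for a login form, though the responder that fills it is not in this section), a crafted request could break out of the attribute and inject markup. Use `<input type="hidden" name="url" value="<%= escape_html(options[:url]) %>" />` — the helper is already in scope for the username field, so no new dependency is needed. Escaping only fixes the markup side; wherever that value is later used as a redirect target it should also be checked server-side to be a local path. Separately, the `<form>` opened on line 8 is never closed before `</body>`; browsers tolerate this, but a `</form>` after the closing contents `</div>` on line 42 would be correct.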
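--- a/data/lib/aker/authorities/automatic_access.rb
+++ b/data/lib/aker/authorities/automatic_access.rb
@@ -0,0 +1,36 @@
+require 'aker'
+
+module Aker::Authorities
+##
+# An authority which grants all users access to the Aker
+# environment's configured portal. This allows you to mix
+# authentication-only access control and group-authorization access
+# control in the same application.
+#
+# This authority does not provide any credential validation, so it
+# can't be used on its own. Combine it with one of the
+# {Aker::Authorities others}.
+#
+# If you only need authentication-only access control, it will be
+# easier to just omit the {Aker::Configuration#portal portal} from
+# your aker configuration.
+class AutomaticAccess
+def initialize(configuration)
+unless configuration.portal?
+raise "#{self.class.to_s.split('::').last} is unnecessary " <<
+"if you don't have a portal configured."
+end
+@portal = configuration.portal
+end
+
+##
+# Adds the configured portal to the user if necessary.
+#
+# @return [Aker::User]
+def amplify!(user)
+user.portals << @portal unless user.portals.include?(@portal)
+user.default_portal = @portal unless user.default_portal
+user
+end
+end
+end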
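Review bot: `initialize` (line 18) has no YARD documentation and `amplify!` (line 30) documents only its return value, although the file otherwise uses YARD throughout. Add `# @param configuration [Aker::Configuration] must have a portal configured` and `# @raise [RuntimeError] if no portal is configured` above `initialize`, and `# @param user [Aker::User] the user to amplify` above `amplify!`. The bare `raise "..."` on line 20 yields a RuntimeError; since the failure is a misconfigured constructor argument, `raise ArgumentError, ...` would be the more specific class, but callers that rescue RuntimeError would need checking before changing it. Since `amplify!` grants the portal to every user it sees regardless of which authority authenticated them, a one-line note above the method stating that it intentionally bypasses per-user portal authorization would make the class's security intent explicit for the next reader.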