aker 3.0.0.pre

data/lib/aker/rack.rb

@@ -0,0 +1,107 @@
+require 'aker'
+require 'warden'
+
+##
+# Integration of Aker with {http://rack.rubyforge.org/ Rack}.
+module Aker::Rack
+  autoload :Authenticate,            'aker/rack/authenticate'
+  autoload :ConfigurationHelper,     'aker/rack/configuration_helper'
+  autoload :DefaultLogoutResponder,  'aker/rack/default_logout_responder'
+  autoload :EnvironmentHelper,       'aker/rack/environment_helper'
+  autoload :Facade,                  'aker/rack/facade'
+  autoload :Failure,                 'aker/rack/failure'
+  autoload :Logout,                  'aker/rack/logout'
+  autoload :RequestExt,              'aker/rack/request_ext'
+  autoload :SessionTimer,            'aker/rack/session_timer'
+  autoload :Setup,                   'aker/rack/setup'
+
+  class << self
+    ##
+    # Configures all the necessary middleware for Aker into the given
+    # rack application stack.  With `Rack::Builder`:
+    #
+    #      Rack::Builder.new do
+    #        Aker::Rack.use_in(self) # self is the builder instance
+    #      end
+    #
+    # Aker's middleware stack relies on the existence of a session,
+    # so the session-enabling middleware must be higher in the
+    # application stack than Aker.
+    #
+    # @param [#use] builder the target application builder.  This
+    #   could be a `Rack::Builder` object or something that acts like
+    #   one.
+    # @param [Aker::Configuration,nil] configuration the
+    #   configuration to apply to this use.  If nil, uses the global
+    #   configuration ({Aker.configuration}).
+    # @return [void]
+    def use_in(builder, configuration=nil)
+      effective_configuration = configuration || Aker.configuration
+      unless effective_configuration
+        fail "No configuration was provided and there's no global configuration.  " <<
+          "Please set one or the other before calling use_in."
+      end
+
+      install_modes(effective_configuration)
+
+      builder.use Setup, effective_configuration
+
+      with_mode_middlewares(builder, effective_configuration) do
+        effective_configuration.install_middleware(:before_authentication, builder)
+        builder.use Warden::Manager do |manager|
+          manager.failure_app = Aker::Rack::Failure.new
+        end
+        builder.use SessionTimer
+        builder.use Authenticate
+        effective_configuration.install_middleware(:after_authentication, builder)
+        builder.use Logout
+      end
+
+      builder.use DefaultLogoutResponder
+    end
+
+    private
+
+    ##
+    # @return [void]
+    def install_modes(configuration)
+      configuration.registered_modes.each do |mode|
+        Warden::Strategies.add(mode.key, mode)
+      end
+    end
+
+    ##
+    # @return [void]
+    def with_mode_middlewares(builder, conf)
+      mode_classes(conf).each { |m| m.prepend_middleware(builder) if m.respond_to?(:prepend_middleware) }
+      yield
+      mode_classes(conf).each { |m| m.append_middleware(builder) if m.respond_to?(:append_middleware) }
+    end
+
+    def mode_classes(configuration)
+      return [] unless configuration
+
+      [configuration.ui_mode, configuration.api_modes].flatten.map do |key|
+        Warden::Strategies[key]
+      end
+    end
+
+    def logout_path(configuration)
+      configuration.parameters_for(:rack)[:logout_path]
+    end
+  end
+
+  ##
+  # @private
+  class Slice < Aker::Configuration::Slice
+    def initialize
+      super do
+        rack_parameters :login_path => '/login', :logout_path => '/logout'
+
+        policy_parameters :'session-timeout-seconds' => 1800
+      end
+    end
+  end
+end
+
+Aker::Configuration.add_default_slice(Aker::Rack::Slice.new)

data/lib/aker/test/helpers.rb

@@ -0,0 +1,22 @@
+require File.join(File.dirname(__FILE__), %w(.. test))
+
+##
+# Contains helpers for writing tests on aker-protected code.
+module Aker::Test::Helpers
+  ##
+  # Generates an environment hash that marks `user` as logged in.  You can use
+  # the generated hash in pre-existing requests, merge the hash with the
+  # environment generated by `Rack::MockRequest.env_for`, etc.
+  #
+  # @param [String,Aker::User] user
+  #   a user's username or a {Aker::User} object.  Your Aker configuration
+  #   must use an authority that implements `find_user` for username lookup to
+  #   work.
+  # @return [Hash<String, Aker::Rack::Facade>] a Hash of the form
+  #   `{'aker' => (a Aker::Rack::Facade)}`
+  def login_env(user)
+    u = Aker::User === user ? user : Aker.authority.find_user(user)
+
+    { 'aker.check' => Aker::Rack::Facade.new(Aker.configuration, u) }
+  end
+end

data/lib/aker/test.rb

@@ -0,0 +1,8 @@
+require 'aker'
+
+##
+# Code useful for testing aker-protected applications can be found in this
+# namespace.
+module Aker::Test
+  autoload :Helpers, 'aker/test/helpers'
+end

data/lib/aker/user.rb

@@ -0,0 +1,231 @@
+require 'aker'
+
+module Aker
+  ##
+  # @private
+  module DeprecatedUser
+    [:nu_employee_id, :personnel_id].each do |deprec_id|
+      define_method deprec_id do
+        Deprecation.notify(
+          "#{deprec_id} is deprecated. Use identifiers[#{deprec_id.inspect}] instead.", "3.0")
+        identifiers[deprec_id]
+      end
+
+      define_method "#{deprec_id}=" do |value|
+        Deprecation.notify(
+          "#{deprec_id} is deprecated. Use identifiers[#{deprec_id.inspect}] instead.", "3.0")
+        identifiers[deprec_id] = value
+      end
+    end
+  end
+
+  class User
+    include DeprecatedUser
+
+    ATTRIBUTES = :username, :first_name, :middle_name, :last_name,
+      :title, :business_phone, :fax, :email, :address, :city, :state, :country
+
+    attr_accessor *ATTRIBUTES
+
+    ##
+    # Specifies a default portal to use for subsequent calls which
+    # take a portal as a parameter.
+    #
+    # @return [Symbol, nil]
+    attr_accessor :default_portal
+
+    ##
+    # The portals to which this user has access.
+    #
+    # @return [Array<Symbol>]
+    # @see #may_access?
+    attr_accessor :portals
+
+    ##
+    # Creates a new instance.
+    #
+    # @param [String] username the username for this new user
+    # @param [Array<Symbol>] portals the portals to which this user
+    #   has access.
+    def initialize(username, portals=[])
+      @username = username
+      @portals = [*portals]
+    end
+
+    ##
+    # @param [#to_sym,nil] portal the portal in question.  If nil,
+    #   uses {#default_portal}.
+    # @return [Boolean] true if the user has access, otherwise false.
+    def may_access?(portal=nil)
+      portals.include?((portal || required_default_portal).to_sym)
+    end
+
+    ##
+    # @overload permit?(*groups, options={})
+    #   Determines whether this user has access to any of the given
+    #   groups.
+    #   @param [Array<#to_sym>] groups the names of the groups to query
+    #   @param [Hash] options additional constraints on the query
+    #   @option options [#to_sym] :portal (#default_portal) the portal
+    #     within which to do the group check
+    #   @return [Boolean]
+    #
+    # @overload permit?(*groups, options={}, &block)
+    #   Evaluates the given block if the user is in any of the given
+    #   groups.
+    #   @param [Array<#to_sym>] groups the names of the groups to use
+    #     as the condition
+    #   @param [Hash] options additional constraints on the condition
+    #   @option options [#to_sym] :portal (#default_portal) the portal
+    #     within which to do the group check
+    #   @return [Object,nil] the value of the block if it is
+    #     executed; otherwise nil
+    def permit?(*args)
+      options = args.last.is_a?(Hash) ? args.pop : { }
+      portal = options[:portal] || default_portal
+
+      permitted =
+        if args.empty?
+          may_access?(portal)
+        else
+          args.detect { |group| group_memberships(portal).include?(group.to_sym) }
+        end
+
+      if block_given?
+        permitted ? yield : nil
+      else
+        permitted
+      end
+    end
+
+    ##
+    # A display-friendly name for this user.  Uses `first_name` and
+    # `last_name` if available, otherwise it just uses the username.
+    #
+    # @return [String]
+    def full_name
+      display_name_parts = [first_name, last_name].compact
+      if display_name_parts.empty?
+        username
+      else
+        display_name_parts.join(' ')
+      end
+    end
+
+    ##
+    # A mapping of identifers that apply to this user. The values that
+    # might be set in this hash are defined by authorities.
+    #
+    # @since 2.2.0
+    # @return [Hash<Symbol, Object>] the identifiers for this user.
+    def identifiers
+      @identifiers ||= {}
+    end
+
+    def portals
+      @portals ||= []
+    end
+
+    ##
+    # Exposes the {GroupMemberships group memberships} for a
+    # this user on a particular portal.
+    #
+    # This method never returns `nil`.  Therefore, its return value
+    # should not be used to determine if a user has access to a portal
+    # &mdash; only for groups.  Use {#may_access?} to determine portal
+    # access.
+    #
+    # @param [#to_sym,nil] portal the portal to get the memberships
+    #   for.  If nil, uses {#default_portal}.
+    #
+    # @return [GroupMemberships] for a particular portal
+    #
+    # @see GroupMemberships#include?
+    def group_memberships(portal=nil)
+      portal = (portal || required_default_portal).to_sym
+      all_group_memberships[portal] ||= GroupMemberships.new(portal)
+    end
+
+    ##
+    # Exposes all the group memberships that this instance knows
+    # about.  In general, {#group_memberships} is preferred unless you
+    # really need to iterate over everything.
+    #
+    # @return [Hash<Symbol, GroupMemberships>]
+    def all_group_memberships
+      @gms ||= {}
+    end
+
+    def default_portal=(val)
+      @default_portal = val.nil? ? nil : val.to_sym
+    end
+
+    ##
+    # Modifies this user record in place, adding attributes from the
+    # other user.  Merge rules:
+    #
+    # * For portals: the resulting portal list is a union of the
+    #   portal list for this and the _other_ user.
+    # * For group memberships: group memberships are added from
+    #   the _other_ user for all portals which this user doesn't
+    #   already have group memberships.  (That is, the group
+    #   membership lists for a particular portal are not merged.)
+    #   This rule is to prevent ambiguity if different
+    #   authorities have different group hierarchies.  In
+    #   practice only one authority is providing authorization
+    #   information for a portal, so this shouldn't matter.
+    # * For identifiers: any identifier in the _other_ user that is
+    #   not already set in this user is copied over.
+    # * For all other attributes: an attribute is copied from
+    #   _other_ if that attribute is not already set in this
+    #   user.
+    #
+    # Note that these semantics are different from the semantics of
+    # `Hash#merge!` in the ruby standard library.
+    #
+    # @param [Aker::User] other the user from which to take attribute
+    #   values
+    #
+    # @return [Aker::User] self
+    def merge!(other)
+      ATTRIBUTES.each do |getter|
+        already_set =
+          begin
+            self.send(getter)
+          rescue
+            false
+          end
+        unless already_set
+          setter = :"#{getter}="
+          value =
+            begin
+              other.send(getter)
+            rescue
+              nil # skip inaccessible attributes
+            end
+          self.send setter, value
+        end
+      end
+
+      self.default_portal ||= other.default_portal
+      self.portals |= other.portals
+      other.all_group_memberships.keys.each do |other_portal|
+        if self.group_memberships(other_portal).empty?
+          self.group_memberships(other_portal).concat(other.group_memberships(other_portal))
+        end
+      end
+      other.identifiers.each do |ident, value|
+        identifiers[ident] ||= value
+      end
+
+      self
+    end
+
+    protected
+
+    def required_default_portal
+      default_portal or raise "No default portal set.  Please specify one explicitly."
+    end
+  end
+end
+

data/lib/aker/version.rb

@@ -0,0 +1,3 @@
+module Aker
+  VERSION = "3.0.0.pre"
+end

data/lib/aker.rb

@@ -0,0 +1,51 @@
+module Aker
+  autoload :CentralParameters, 'aker/central_parameters'
+  autoload :Configuration,     'aker/configuration'
+  autoload :Deprecation,       'aker/deprecation'
+  autoload :Group,             'aker/group'
+  autoload :GroupMemberships,  'aker/group_membership'
+  autoload :GroupMembership,   'aker/group_membership'
+  autoload :User,              'aker/user'
+  autoload :Test,              'aker/test'
+  autoload :VERSION,           'aker/version'
+
+  class << self
+    ##
+    # @return [Configuration,nil] the single configuration for the
+    #   system using aker.  Created/updated using {.configure
+    #   configure}.
+    attr_accessor :configuration
+
+    ##
+    # @return [Object,nil] a single authentication/authorization entry
+    #   point conforming to the authority protocol as defined by
+    #   {Aker::Authorities::Composite}.  By default, it is
+    #   automatically derived from the {.configuration configuration}.
+    # @see Aker::Configuration#composite_authority
+    attr_accessor :authority
+
+    ##
+    # Create/update the global aker configuration.  Accepts a block
+    # containing expressions in the {Configuration} DSL.
+    #
+    # @see Aker.configuration
+    # @return [Configuration]
+    def configure(&block)
+      @configuration ||= Aker::Configuration.new
+      @configuration.enhance(&block)
+    end
+
+    def authority
+      @authority || (@configuration && @configuration.composite_authority)
+    end
+  end
+end
+
+# These files are required instead of autoloaded so that their
+# configuration slices are installed immediately.
+require 'aker/authorities'
+require 'aker/cas'
+require 'aker/form'
+require 'aker/ldap'
+require 'aker/modes'
+require 'aker/rack'

data/spec/aker/aker-sample.yml

@@ -0,0 +1,11 @@
+netid:
+  user: cn=foo
+cc_pers:
+  user: cc_pers_foo
+  password: secret
+cas:
+  base_url: https://cas.example.edu
+  proxy_retrieval_url: https://cas.example.edu/retrieve_pgt
+  proxy_callback_url: https://cas.example.edu/receive_pgt
+foo:
+  bar: baz

data/spec/aker/authorities/automatic_access_spec.rb

@@ -0,0 +1,52 @@
+require File.expand_path("../../../spec_helper", __FILE__)
+
+module Aker::Authorities
+  describe AutomaticAccess do
+    describe "initialization" do
+      it "fails if the configuration has no portal" do
+        lambda { AutomaticAccess.new(Aker::Configuration.new) }.should raise_error(
+          "AutomaticAccess is unnecessary if you don't have a portal configured.")
+      end
+    end
+
+    describe "#amplify!" do
+      before do
+        @authority = AutomaticAccess.new(Aker::Configuration.new { portal :ENU })
+        @user = Aker::User.new('jo')
+      end
+
+      it "adds the configured portal to the portal list" do
+        @authority.amplify!(@user)
+        @user.portals.should include(:ENU)
+      end
+
+      it "does not add the portal if it is already there" do
+        @user.portals << :ENU
+        @authority.amplify!(@user)
+        @user.portals.size.should == 1
+      end
+
+      it "sets the default portal if it isn't already set" do
+        @authority.amplify!(@user)
+        @user.default_portal.should == :ENU
+      end
+
+      it "leaves an existing default portal alone" do
+        @user.default_portal = :NOTIS
+        @authority.amplify!(@user)
+        @user.default_portal.should == :NOTIS
+      end
+
+      it "returns the user" do
+        @authority.amplify!(@user).should === @user
+      end
+
+      it "grants the user access" do
+        @user.may_access?(:ENU).should be_false
+        @authority.amplify!(@user)
+        @user.may_access?(:ENU).should be_true
+        @user.may_access?.should be_true
+      end
+    end
+  end
+end