api_guardian 0.1.0.pre

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: b3cb31c1deac4f774db0a75388fdc08c6b490f95
+  data.tar.gz: 44fc98728a248791eeee42aaeb18191db8652afb
+SHA512:
+  metadata.gz: d5a0bb945c2c13444138979d60703de6c47ef2239542a73cd3c607652faef4a8ba65613b5e0a4a79464dcb85b4bda6fe44b0a96e251bc9ce2c97175a5686426b
+  data.tar.gz: 510271fa761b9fc922fce424fe94da0c47e7594b8aa24aa8aec8bdf8b8375395aa6177a2130cbbc0bea3941844e6a71c1499a8ff05e5e719fb20d3268a0d3a47

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2015 Travis Vignon
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,125 @@
+# Api Guardian
+
+Drop in authorization and authentication suite for Rails APIs.
+
+## **\*\*This gem is in alpha stages and is not feature complete. It should not be used in production!\*\***
+
+## Overview
+
+ApiGuardian includes the following features out of the box:
+
+* User registration (email/pass)
+* Password reset workflow
+* Roles
+* Permissions
+* Stateless authentication using OAuth2 (via [Doorkeeper](https://github.com/doorkeeper-gem/doorkeeper) and [Doorkeeper::JWT](https://github.com/chriswarren/doorkeeper-jwt))
+* Policy enforcement (via [Pundit](https://github.com/elabs/pundit))
+* Serialization to [JSON API](http://jsonapi.org/) (via [AMS](https://github.com/rails-api/active_model_serializers))
+* Two-factor auth (TODO)
+* External Login (TODO)
+
+What doesn't it include?
+
+* Stateful session support (Cookies)
+* HTML/CSS/JS or views of any kind.
+
+## Requirements
+
+* PostgreSQL >= 9.1 (uuid-ossp support)
+
+**Note: For now, your app must use a PostgreSQL database.** This is because ApiGuardian is using UUID primary keys for all records.
+
+## Installation
+
+### First
+
+Put this in your Gemfile:
+
+```rb
+gem 'api_guardian'
+```
+
+### Second
+
+Run this command:
+
+```sh
+rake generate api_guardian:install
+```
+
+This will add an initializer, mount the routes, and, copy the migrations/seed files.
+You will need to follow this with:
+
+```sh
+rake db:migrate
+```
+
+### Third
+
+To Do
+
+### Finally
+
+To Do
+
+## Usage
+
+### Roles
+
+To Do
+
+### Permissions
+
+To Do
+
+### Users
+
+To Do
+
+## Roadmap
+
+* controller actions:
+  * Assign permissions to role by name
+  * validate user password
+* config
+  * password settings (44:1?)
+    * devise_zxcvbn
+  * user lockouts
+  * 2fa settings
+  * ???
+* Generators
+  * install (initializer, migrations, seed, routes)
+  * ???
+* omniauth
+* Request logging
+* Sessions/Devices (attach to tokens)
+* Activity/Events (User signed in, User authenticated at...)
+* Email Service/SMS Service
+* Account lockout
+* SSO
+* digits integration
+* Multi-tenancy
+* Account lockout (failed login attempts)
+* 2FA
+  * http://blog.meldium.com/home/2013/8/23/screw-up-two-factor-authentication
+  * https://www.authy.com/product/
+  * https://github.com/heapsource/active_model_otp + Twilio
+* Fix for JWT storage: https://github.com/doorkeeper-gem/doorkeeper/wiki/How-to-fix-PostgreSQL-error-on-index-row-size
+* Cache
+
+## Getting Help
+
+If you find a bug, please report an [Issue](https://github.com/lookitsatravis/api_guardian/issues).
+
+If you have a question, please post to [Stack Overflow](https://stackoverflow.com/questions/tagged/api_guardian).
+
+Thanks!
+
+## Contributing
+
+See [CONTRIBUTING.md](CONTRIBUTING.md)
+
+## License
+
+ApiGuardian is copyright © 2015 Travis Vignon. It is free software, and may be
+redistributed under the terms specified in the [`MIT-LICENSE`](MIT-LICENSE) file.

data/Rakefile

@@ -0,0 +1,30 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Guarantor'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+load 'rails/tasks/statistics.rake'
+
+Bundler::GemHelper.install_tasks
+
+require 'rspec/core'
+require 'rspec/core/rake_task'
+
+desc 'Run all specs in spec directory (excluding plugin specs)'
+RSpec::Core::RakeTask.new(spec: 'app:db:test:prepare')
+
+task default: :spec

data/app/controllers/api_guardian/api_controller.rb

@@ -0,0 +1,112 @@
+# TODO: User. should be moved to UserStore.
+module ApiGuardian
+  class ApiController < ActionController::API
+    include ::Pundit
+    include ApiGuardian::Concerns::ApiErrors::Handler
+    include ApiGuardian::Concerns::ApiRequest::Validator
+
+    before_action :doorkeeper_authorize!, except: [:not_found]
+    before_action :set_current_user
+    before_action :prep_response
+    before_action :validate_api_request, except: [:not_found]
+    before_action :find_and_authorize_resource, except: [:index, :new, :create, :not_found]
+    after_action :verify_policy_scoped, only: :index
+    after_action :verify_authorized, except: [:index, :not_found]
+
+    rescue_from Exception, with: :api_error_handler
+
+    attr_reader :current_user
+
+    def index
+      @resources = resource_store.paginate(page_params[:number], page_params[:size])
+      render json: @resources, include: includes
+    end
+
+    def show
+      render json: @resource, include: includes
+    end
+
+    def create
+      authorize resource_class
+      @resource = resource_store.create(create_resource_params)
+      render json: @resource, status: :created, include: includes
+    end
+
+    def update
+      @resource = resource_store.update(@resource, update_resource_params)
+      render json: @resource, include: includes
+    end
+
+    def destroy
+      @resource.destroy!
+      head :no_content
+    end
+
+    def not_found
+      render_not_found
+    end
+
+    protected
+
+    def find_and_authorize_resource
+      @resource = resource_store.find(params[:id])
+      authorize @resource
+    end
+
+    def resource_store
+      @resource_store ||= ('ApiGuardian::Stores::' + resource_name + 'Store').constantize.new(policy_scope(resource_class))
+    end
+
+    def resource_name
+      @resource_name ||= controller_name.classify
+    end
+
+    def resource_class
+      @resource_class ||= ApiGuardian.send("#{resource_name.downcase}_class")
+    end
+
+    # :nocov:
+    def includes
+      fail 'This needs to be overriden by a child of the API ApplicationController.'
+    end
+    # :nocov:
+
+    def create_resource_params
+      params.require(:data).require(:attributes).permit(create_params)
+    end
+
+    def update_resource_params
+      params.require(:data).require(:attributes).permit(update_params)
+    end
+
+    # :nocov:
+    def create_params
+      fail 'This needs to be overriden by a child of the API ApplicationController.'
+    end
+    # :nocov:
+
+    def page_params
+      params.fetch(:page, number: 1, size: 25)
+    end
+
+    # :nocov:
+    def update_params
+      fail 'This needs to be overriden by a child of the API ApplicationController.'
+    end
+    # :nocov:
+
+    private
+
+    def set_current_user
+      @current_user = ApiGuardian.user_class.find(doorkeeper_token.resource_owner_id) if doorkeeper_token
+    end
+
+    def current_resource_owner
+      ApiGuardian.user_class.find(doorkeeper_token.resource_owner_id) if doorkeeper_token
+    end
+
+    def prep_response
+      response.headers['Content-Type'] = 'application/vnd.api+json'
+    end
+  end
+end

data/app/controllers/api_guardian/application_controller.rb

@@ -0,0 +1,11 @@
+module ApiGuardian
+  class ApplicationController < ActionController::API
+    include ApiGuardian::Concerns::ApiErrors::Handler
+
+    rescue_from Exception, with: :api_error_handler
+
+    def not_found
+      render_not_found
+    end
+  end
+end

data/app/controllers/api_guardian/permissions_controller.rb

@@ -0,0 +1,7 @@
+module ApiGuardian
+  class PermissionsController < ApiController
+    def includes
+      []
+    end
+  end
+end

data/app/controllers/api_guardian/registration_controller.rb

@@ -0,0 +1,38 @@
+module ApiGuardian
+  class RegistrationController < ApiGuardian::ApplicationController
+    def create
+      @user = ApiGuardian::Stores::UserStore.register(register_params)
+      render json: @user, status: :created, include: ['role']
+    end
+
+    def reset_password
+      if ApiGuardian::Stores::UserStore.reset_password(reset_password_params)
+        head :no_content
+      else
+        render_not_found
+      end
+    end
+
+    def complete_reset_password
+      if ApiGuardian::Stores::UserStore.complete_reset_password(complete_reset_password_params)
+        head :no_content
+      else
+        render_not_found
+      end
+    end
+
+    protected
+
+    def register_params
+      params.permit(:email, :password, :password_confirmation)
+    end
+
+    def reset_password_params
+      params.fetch(:email)
+    end
+
+    def complete_reset_password_params
+      params.permit(:token, :email, :password, :password_confirmation)
+    end
+  end
+end

data/app/controllers/api_guardian/roles_controller.rb

@@ -0,0 +1,19 @@
+module ApiGuardian
+  class RolesController < ApiController
+    protected
+
+    def includes
+      []
+    end
+
+    def create_params
+      [
+        :name, :default
+      ]
+    end
+
+    def update_params
+      create_params
+    end
+  end
+end

data/app/controllers/api_guardian/users_controller.rb

@@ -0,0 +1,20 @@
+module ApiGuardian
+  class UsersController < ApiController
+    protected
+
+    def includes
+      ['role']
+    end
+
+    def create_params
+      [
+        :first_name, :last_name, :email, :phone_number, :role_id, :password,
+        :password_confirmation
+      ]
+    end
+
+    def update_params
+      create_params
+    end
+  end
+end

data/app/models/api_guardian/permission.rb

@@ -0,0 +1,14 @@
+module ApiGuardian
+  class Permission < ActiveRecord::Base
+    has_many :role_permissions, class_name: ApiGuardian.role_permission_class.to_s
+    has_many :roles, through: :role_permissions, class_name: ApiGuardian.role_class.to_s
+
+    validates :name, uniqueness: true
+    validates :name, :desc, presence: true
+
+    # Class Methods
+    def self.policy_class
+      ApiGuardian::Policies::PermissionPolicy
+    end
+  end
+end

data/app/models/api_guardian/role.rb

@@ -0,0 +1,97 @@
+# TODO: Permission. should be moved to PermissionStore.
+module ApiGuardian
+  class Role < ActiveRecord::Base
+    has_many :users, class_name: ApiGuardian.user_class.to_s
+    has_many :role_permissions, class_name: ApiGuardian.role_permission_class.to_s
+
+    validates :name, uniqueness: true, presence: true
+    validates :default, uniqueness: true, if: proc { |r| r.default? }
+
+    scope :default, -> { where(default: true) }
+
+    # Class Methods
+    def self.default_role
+      default.first
+    end
+
+    def self.policy_class
+      ApiGuardian::Policies::RolePolicy
+    end
+
+    # Instance Methods
+    def can?(action)
+      if action.is_a?(Array)
+        grants = []
+        action.each do |a|
+          perm = Permission.find_by_name(action)
+          fail ApiGuardian::Errors::InvalidPermissionNameError, "Permission '#{a}' is not valid." unless perm
+
+          role_permissions.includes(:permission).find_each do |rp|
+            grants.push rp.granted if rp.permission.name == a
+          end
+        end
+        return grants.include? true if grants.count > 0 # otherwise this permission wasn't found at all
+      else
+        perm = Permission.find_by_name(action)
+        fail ApiGuardian::Errors::InvalidPermissionNameError, "Permission '#{action}' is not valid." unless perm
+
+        role_permissions.includes(:permission).find_each do |rp|
+          return rp.granted if rp.permission.name == action
+        end
+      end
+
+      false
+    end
+
+    def cannot?(action)
+      !can? action
+    end
+
+    def permissions
+      arr = role_permissions.includes(:permission).map do |rp|
+        rp.permission.name if rp.granted
+      end.compact
+
+      # We want to simplify returned permissions when user has "manage" for a
+      # given resource by only returing that one instead of individual ones.
+      arr.map do |p|
+        val = nil
+        if p.include? ':manage'
+          val = p
+        else
+          resource = p.split(':')[0]
+          val = p unless arr.include? "#{resource}:manage"
+        end
+        val
+      end.compact
+    end
+
+    def create_default_permissions(granted)
+      Permission.find_each do |p|
+        role_permissions.create(permission: p, granted: granted) unless role_permissions.include? p
+      end
+    end
+
+    def add_permission(name)
+      perm = Permission.find_by_name(name)
+      fail ApiGuardian::Errors::InvalidPermissionNameError, "Permission '#{name}' is not valid." unless perm
+
+      role_permissions.each do |rp|
+        return rp.update_attribute(:granted, true) if rp.permission.name == name
+      end
+
+      role_permissions.create(permission: perm, granted: true)
+    end
+
+    def remove_permission(name, destroy = false)
+      role_permissions.each do |rp|
+        next unless rp.permission.name == name
+        if destroy
+          rp.destroy
+        else
+          rp.update_attribute(:granted, false)
+        end
+      end
+    end
+  end
+end