authenticates_rpi 0.0.0

data/.gitignore

@@ -0,0 +1 @@
+.*.swp

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 [name of plugin creator]
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README

@@ -0,0 +1,36 @@
+AuthenticatesRpi
+================
+
+Provides a consistent structure for web app authentication of RPI people.
+
+Authentication is accomplished through CAS using the rubyCAS-client, and model-level write authorization is provided by the authenticates_access plugin.
+
+Full installation procedure and usage documentation is available on this project's github wiki: http://wiki.github.com/mikldt/authenticates_rpi
+
+Example
+=======
+
+Configuration is done by one line in a controller (in most cases it makes
+sense to do this in the ApplicationController for your app):
+
+  authenticate_rpi Person, :username_field => 'username', :admin_field => 'is_admin' 
+
+Where the Person is the model representing the site's users, and the username returned by CAS matches :username_field for the user that is logging in. :admin_field is an optional argument, and if provided, it's value will determine the method or field on the user model that identifies site administrators. This is a convenience feature. 
+
+This makes the following methods available to controllers and views:
+* logged_in?
+* admin_logged_in?
+* current_user
+
+Login is available via the session controller provided by this plugin.
+
+Login link:
+link_to "login", new_session_path 
+
+Logout link:
+link_to 'logout', session_path, :method => :delete 
+
+
+See the wiki for details.
+
+Copyright (c) 2009 Michael DiTore, released under the MIT license

data/Rakefile

@@ -0,0 +1,39 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/rdoctask'
+
+desc 'Default: run unit tests.'
+task :default => :test
+
+desc 'Test the authenticates_rpi plugin.'
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = true
+end
+
+desc 'Generate documentation for the authenticates_rpi plugin.'
+Rake::RDocTask.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'AuthenticatesRpi'
+  rdoc.options << '--line-numbers' << '--inline-source'
+  rdoc.rdoc_files.include('README')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gemspec|
+    gemspec.name = "authenticates_rpi"
+    gemspec.summary = "CAS Authentication and Authorization on Rails!"
+    gemspec.description = "Rails plugin to manage CAS, Authentication, and LDAP name info"
+    gemspec.email = "mikldt@gmail.com"
+    gemspec.homepage = "http://github.com/mikldt/authenticates_rpi"
+    gemspec.authors = ["Michael DiTore"]
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler not available. Install it with: gem install jeweler"
+end
+

data/VERSION

@@ -0,0 +1 @@
+0.0.0

data/app/controllers/sessions_controller.rb

@@ -0,0 +1,121 @@
+class SessionsController < ApplicationController
+  before_filter CASClient::Frameworks::Rails::Filter, :only => :new
+#  before_filter :require_login, :only => [ :destroy ]
+#  before_filter :require_login_or_first_user, :except => [ :destroy, :new, :show ]
+  unloadable
+  #GET new_account_url
+  def new
+    # Will be forced to authenticate before getting here.
+
+    if logged_in?
+      # The user is already logged in, so let's not mess with the session.
+      flash[:notice] = "You are already logged in!"
+      redirect_to root_path
+    else
+      # The user needs to be logged in.
+      user = find_user_by_username(session[:cas_user])
+
+      # New user, the plugin knows what to do.
+      if user.nil?
+        # Delegate to authenticates_rpi.rb
+        new_user_action(session[:cas_user])
+        # See if they can log in now.
+        user = find_user_by_username(session[:cas_user])
+      end
+
+      if user.nil?
+        # We don't know this person.
+        # TODO: What to do in this case.
+        flash[:notice] = "Sorry, your login does not appear to be valid."
+        redirect_to root_path
+      else
+        # This person is in the db, let them in.
+        session[:username] = user.send(username_field)
+        flash[:notice] = "Logged in successfully - #{current_user_display_name}"
+
+        # This session variable may be set before redirecting to session/new
+        # in order to get the user back to the page they were trying to get at.
+        if session[:page_before_login]
+          redirect_to session[:page_before_login]
+          session[:page_before_login] = nil
+        else
+          redirect_to root_path
+        end
+      end
+    end
+#Tidbits of old code:
+
+#      #logger.info("Redirecting to prev uri: " + session[:prev_uri])
+#      if session[:prev_uri]
+#        redirect_to session[:prev_uri]
+#      else
+#        redirect_to root_url
+#      end
+
+#    elsif User.find(:first)
+#      flash[:notice] = ["Sorry, login is for admins only."]
+#      redirect_to root_path
+#    else
+#      flash[:notice] = ['Congratulations! Fill out this form to become the first user!']
+#      redirect_to new_user_path
+#    end
+  end
+
+
+ #  #GET edit_account_url
+   def edit
+     #TODO: secure and make proper, use update
+     if not params[:username].nil? and User.current=User.find_by_username(params[:username])
+       flash[:notice] = ["Welcome", User.current.first].join(', ')
+     elsif not params[:username].nil?
+       flash[:notice] = ["Sorry - login error! Please see the webmaster... TODO"]
+       redirect_to "/"
+     end
+   end
+
+  #DELETE account_url
+  def destroy
+    # clear out the session and log out of CAS
+    session[:username] = nil
+    CASClient::Frameworks::Rails::Filter.logout(self)
+  end
+
+  # These methods let you pretend to be someone else
+  # Security critical, so modify with caution!
+  def sudo
+    # Note: we add the session parameter admin_under_sudo. This should
+    # NEVER be accessed outside of this controller, as doing that or
+    # accessing the actuall session username variable directly would
+    # defeat the purpose of encapsulating the login as it really would be.
+    if !admin_logged_in? && !session[:admin_under_sudo] = 1
+      flash[:notice] = "Access denied!"
+      redirect_to root_url
+    elsif !sudo_enabled
+      flash[:notice] = "SUDO Feature disabled"
+      redirect_to root_url
+    else
+      @users = user_class.find(:all)
+      @username_field = username_field
+      @name_field = fullname_field || username_field
+    end
+  end
+
+  def change_user
+   if !admin_logged_in? && !session[:admin_under_sudo] = 1
+      flash[:notice] = "Access denied!"
+      redirect_to root_url
+    elsif !sudo_enabled
+      flash[:notice] = "SUDO Feature disabled"
+      redirect_to root_url
+    else
+      # Again, we have to be really careful with the next 2 lines!
+      session[:username] = params[:username]
+      session[:admin_under_sudo] = 1
+      redirect_to root_url
+    end
+  end
+
+  def show
+    @show_debug = params[:debug] && (admin_logged_in? || session[:admin_under_sudo])
+  end
+end

data/app/views/sessions/show.html.erb

@@ -0,0 +1,18 @@
+<% if logged_in? %>
+  <p>
+    You are currently logged in as <%= current_user_display_name %> 
+    (<%= link_to 'logout', session_path, :confirm => 'Are you sure?', :method => :delete %>).
+  </p>
+  <% if admin_logged_in? %>
+    <p>You are logged in with administrator privileges on this application.</p>
+  <% end %>
+
+  <% if @show_debug %>
+    <p>Session data:</p>
+    <pre>
+    <%= session.to_yaml %>
+    </pre>
+  <% end %>
+<% else %>
+    You are not logged in. <%= link_to 'Log In', new_session_path %>.
+<% end %>

data/app/views/sessions/sudo.html.erb

@@ -0,0 +1,5 @@
+Choose a user to pretend to be.
+<% form_tag :action => 'change_user', :method => :post do %>
+  <%= collection_select "username",nil, @users, @username_field, @name_field %>
+  <%= submit_tag "SU" %>
+<% end %>

data/authenticates_rpi.gemspec

@@ -0,0 +1,57 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{authenticates_rpi}
+  s.version = "0.0.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Michael DiTore"]
+  s.date = %q{2010-01-24}
+  s.description = %q{Rails plugin to manage CAS, Authentication, and LDAP name info}
+  s.email = %q{mikldt@gmail.com}
+  s.extra_rdoc_files = [
+    "README"
+  ]
+  s.files = [
+    ".gitignore",
+     "MIT-LICENSE",
+     "README",
+     "Rakefile",
+     "VERSION",
+     "app/controllers/sessions_controller.rb",
+     "app/views/sessions/show.html.erb",
+     "app/views/sessions/sudo.html.erb",
+     "authenticates_rpi.gemspec",
+     "config/routes.rb",
+     "init.rb",
+     "install.rb",
+     "lib/authenticates_rpi.rb",
+     "tasks/authenticates_rpi_tasks.rake",
+     "test/authenticates_rpi_test.rb",
+     "test/test_helper.rb",
+     "uninstall.rb"
+  ]
+  s.homepage = %q{http://github.com/mikldt/authenticates_rpi}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.5}
+  s.summary = %q{CAS Authentication and Authorization on Rails!}
+  s.test_files = [
+    "test/test_helper.rb",
+     "test/authenticates_rpi_test.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+    else
+    end
+  else
+  end
+end
+

data/config/routes.rb

@@ -0,0 +1,3 @@
+ActionController::Routing::Routes.draw do |map|
+  map.resource :session, :except => [ :create ], :member => {:sudo => :get, :change_user => :post }
+end

data/init.rb

@@ -0,0 +1,2 @@
+# Include hook code here
+ActionController::Base.send :extend, AuthenticatesRpi::ActMethods

data/install.rb

@@ -0,0 +1 @@
+# Install hook code here

data/lib/authenticates_rpi.rb

@@ -0,0 +1,252 @@
+# AuthenticatesRpi
+module AuthenticatesRpi
+  # This module gets mixed-in to ActionController::Base
+  module ActMethods
+    def authenticate_rpi ( user_class, opts={} )
+      include InstanceMethods
+      # logger.info "----------------------------------------------"
+      # logger.info "autheticates_rpi mixed in ( on Rails " + 
+      #   Rails::VERSION::STRING + " )"
+
+      #Username field is required; used to look up the value from CAS.
+      username_field = opts[:username_field] || "username"
+      
+      #Fields that we'll fill in from LDAP, in addition to username_field
+      fullname_field = opts[:fullname_field] || nil
+      firstname_field = opts[:firstname_field] || nil
+      lastname_field = opts[:lastname_field] || nil
+      email_field = opts[:email_field] || nil
+
+      #Admin field is optional if the site has admins. If none specified,
+      #all users recieve false for admin_logged_in.
+      admin_field = opts[:admin_field]
+
+      autoadd = opts[:autoadd_users] || false
+      sudo_enabled = opts[:sudo_enabled] || false
+
+      ldap_address = opts[:ldap_address] || nil
+      ldap_port = opts[:ldap_port] || 389
+      ldap_dn = opts[:ldap_dn] || nil
+      ldap_username_field = opts[:ldap_username_field] || 'uid'
+      ldap_email_field = opts[:ldap_email_field] || 'mailAlternateAddress'
+
+      #Argument Validation
+      #TODO: proper exceptions to raise, not just runtime junk
+      unless user_class.instance_of?(Class)
+        raise 'user_class must be a class'
+      end
+      unless user_class.new.respond_to?(username_field)
+        raise 'username_field: no such method "' + username_field +
+          '" on class ' + user_class.name
+      end
+      unless admin_field.nil? || user_class.new.respond_to?(admin_field)
+        raise 'admin_field: no such method "' + admin_field +
+          '" on class ' + user_class.name
+      end
+
+      #Argument Storage
+      write_inheritable_attribute :user_class, user_class
+      write_inheritable_attribute :username_field, username_field
+      write_inheritable_attribute :fullname_field, fullname_field
+      write_inheritable_attribute :firstname_field, firstname_field
+      write_inheritable_attribute :email_field, email_field
+      write_inheritable_attribute :lastname_field, lastname_field
+      write_inheritable_attribute :admin_field, admin_field
+      write_inheritable_attribute :autoadd_users, autoadd
+      write_inheritable_attribute :sudo_enabled, sudo_enabled
+      write_inheritable_attribute :ldap_address, ldap_address
+      write_inheritable_attribute :ldap_port, ldap_port
+      write_inheritable_attribute :ldap_dn, ldap_dn
+      write_inheritable_attribute :ldap_username_field, ldap_username_field
+      write_inheritable_attribute :ldap_email_field, ldap_email_field
+      class_inheritable_reader :user_class, :username_field, :fullname_field,
+        :firstname_field, :lastname_field, :admin_field, :autoadd_users,
+        :ldap_address, :ldap_port, :ldap_dn, :ldap_username_field, 
+        :sudo_enabled, :email_field, :ldap_email_field
+    end
+ end
+
+  # Instance methods that are included when we run authenticates_rpi
+  # in a controller (say, ApplicationController)
+  # We use instance methods because the access the session, which
+  # belongs to the ActionController instance.
+  module InstanceMethods
+    # Setup for when we get mixed into ActionController::Base
+    def self.included(base)
+      base.helper :all
+      base.before_filter "set_up_accessor"
+      base.helper_method :logged_in?, :admin_logged_in?, :go_to_login,
+                         :current_user, :current_user_display_name
+    end
+
+    # Methods for interacting with session data
+    def logged_in?
+      if session[:username].nil?
+        false
+      else
+        true
+      end
+    end
+
+    def admin_logged_in?
+      if session[:username].nil?
+        #No current user
+        false
+      elsif admin_field.nil?
+        #Site not configured for admin behavior
+        logger.warn "AuthenticatesRpi checking for admin, " +
+          "but no admin field is configured. "
+        false
+      else
+        #Check the app-configured admin field
+        if current_user.send admin_field
+          true
+        else
+          false
+        end
+      end
+    end
+
+    # Method to return the object representing the logged in user,
+    # or false if there's nobody logged in. For general use, and included
+    # as a helper. This should be the only method used for getting the
+    # current user.
+    def current_user
+      if session[:username].nil?
+        false
+      else
+        p = find_user_by_username(session[:username])
+        if p.nil?
+          raise "User "+session[:username]+" not found!"
+        else
+          p
+        end
+      end
+    end
+
+    # Figures out a 'display name' for the user, in the following priority
+    # 1. If there's a fullname field defined, use that
+    # 2. If there are first and last names, use them
+    # 3. Just use the username, because its unique.
+    def current_user_display_name
+      user = current_user
+      if fullname_field
+        n = user.send(fullname_field)
+        return n unless n.blank?
+      end
+
+      if firstname_field && lastname_field
+        f = user.send(firstname_field)
+        l = user.send(lastname_field)
+        return f + " " + l unless f.blank? || l.blank?
+      end
+
+      return user.send(username_field)
+    end
+
+    def go_to_login
+      redirect_to :controller => 'sessions', :action => 'new'
+
+      # Before we go, save the current (full) path.
+      # This will allow us to get back to the requested page
+      # once we've authenticated.
+      session[:page_before_login] = request.request_uri
+    end
+
+    protected
+
+    # Preparation for authenticates_access plugin
+    def set_up_accessor
+      if (Module.constants.include? 'AuthenticatesRpi' &&
+        ActiveRecord::Base.methods.include? ('accessor='))
+        ActiveRecord::Base.accessor = current_user
+      end
+    end
+
+    #Finds a person by username, using the configurable username field.
+    def find_user_by_username(username)
+      user_class.find(:first, :conditions => {username_field => username})
+    end
+
+    def logged_in_filter
+      unless logged_in?
+        go_to_login
+      end
+    end
+
+    def admin_filter
+      unless admin_logged_in?
+        unless logged_in?
+          go_to_login
+        else
+          forbidden
+        end
+      end
+    end
+
+    def new_user_action(username)
+      # If the plugin is configured to auto-add new users, do it.
+      if autoadd_users
+        u = user_class.new
+        # If we have authenticates_access, we need to bypass it in order
+        # to change the username.
+        # Use caution while auth is bypassed (the user can't just edit
+        # their own rcsid, so its important that username comes from a
+        # good source)
+        if u.methods.include? 'bypass_auth'
+          u.bypass_auth do
+            u.send(username_field+'=', username)
+          end
+        else
+          u.send(username_field+'=', username)
+        end
+
+        # Fetch additional data from LDAP if you like
+        logger.info "created the user"
+        unless(ldap_address.nil? || ldap_dn.nil?)
+          require 'ldap'
+          logger.info 'Making LDAP query for new user: '+username
+          ldap_conn = LDAP::Conn.new(ldap_address, ldap_port)
+          ldap_conn.set_option(LDAP::LDAP_OPT_PROTOCOL_VERSION, 3)
+          ldap_conn.bind
+          results = ldap_conn.search2(ldap_username_field+"="+username+","+
+                                      ldap_dn, LDAP::LDAP_SCOPE_SUBTREE, 
+                                      '(cn=*)')
+          # Add the data to the user if t
+          unless(results.first.nil?)
+            first = results.first['givenName'].first.split(' ').first
+            last = results.first['sn'].first
+            email = results.first[ldap_email_field]
+            # full = results.first['gecos'].first
+            if fullname_field
+              u.send('attribute=', fullname_field, first + ' ' + last)
+            end
+            if firstname_field
+              u.send('attribute=', firstname_field, first)
+            end
+            if lastname_field
+              u.send('attribute=', lastname_field, last)
+            end
+            if email_field and !email.nil?
+              u.send('attribute=', email_field, email)
+            end
+          end
+        end
+
+        u.save
+      end
+    end
+
+
+    # Error Handling
+
+    protected
+    #TODO: Real error handling
+    def forbidden
+      logger.warn "User forbidden."
+      flash[:notice] = "Sorry, you do not have permission to view that page."
+      redirect_to root_path
+    end
+  end
+end
+

data/tasks/authenticates_rpi_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :authenticates_rpi do
+#   # Task goes here
+# end

data/test/authenticates_rpi_test.rb

@@ -0,0 +1,8 @@
+require 'test_helper'
+
+class AuthenticatesRpiTest < ActiveSupport::TestCase
+  # Replace this with your real tests.
+  test "the truth" do
+    assert true
+  end
+end

data/test/test_helper.rb

@@ -0,0 +1,3 @@
+require 'rubygems'
+require 'active_support'
+require 'active_support/test_case'

data/uninstall.rb

@@ -0,0 +1 @@
+# Uninstall hook code here

metadata

@@ -0,0 +1,72 @@
+--- !ruby/object:Gem::Specification 
+name: authenticates_rpi
+version: !ruby/object:Gem::Version 
+  version: 0.0.0
+platform: ruby
+authors: 
+- Michael DiTore
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-01-24 00:00:00 -05:00
+default_executable: 
+dependencies: []
+
+description: Rails plugin to manage CAS, Authentication, and LDAP name info
+email: mikldt@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- README
+files: 
+- .gitignore
+- MIT-LICENSE
+- README
+- Rakefile
+- VERSION
+- app/controllers/sessions_controller.rb
+- app/views/sessions/show.html.erb
+- app/views/sessions/sudo.html.erb
+- authenticates_rpi.gemspec
+- config/routes.rb
+- init.rb
+- install.rb
+- lib/authenticates_rpi.rb
+- tasks/authenticates_rpi_tasks.rake
+- test/authenticates_rpi_test.rb
+- test/test_helper.rb
+- uninstall.rb
+has_rdoc: true
+homepage: http://github.com/mikldt/authenticates_rpi
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: CAS Authentication and Authorization on Rails!
+test_files: 
+- test/test_helper.rb
+- test/authenticates_rpi_test.rb