RubyGems - aws-auth - Versions diffs - 0.9.0 - Mend

aws-auth 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (15) hide show

data/README +1 -0
data/Rakefile +8 -0
data/aws-auth.yml +4 -0
data/db/aws-users.db +0 -0
data/db/migrate/002_create_users.rb +24 -0
data/db/test.db +0 -0
data/lib/aws-auth.rb +126 -0
data/lib/aws-auth/admin.rb +270 -0
data/lib/aws-auth/tasks.rb +28 -0
data/lib/aws-auth/user.rb +35 -0
data/public/css/control.css +232 -0
data/public/images/external-link.gif +0 -0
data/public/js/prototype.js +2539 -0
data/public/js/upload_status.js +117 -0
metadata +109 -0

data/README ADDED

	@@ -0,0 +1 @@
1	+ Rack middleware that provides AWS (Amazon Web Services) style authentication.

data/Rakefile ADDED

@@ -0,0 +1,8 @@
+$:.unshift "./lib"
+require 'rake'
+require 'rake/testtask'
+require 'rake/gempackagetask'
+require 'aws-auth'
+require 'aws-auth/tasks'
+require 'bundler'
+Bundler::GemHelper.install_tasks

data/aws-auth.yml ADDED

@@ -0,0 +1,4 @@
+---
+:auth:
+  :database: db/aws-users.db
+  :adapter: sqlite3

data/db/aws-users.db ADDED

Binary file

data/db/migrate/002_create_users.rb ADDED

@@ -0,0 +1,24 @@
+class CreateUsers < ActiveRecord::Migration
+  def self.up
+    create_table :users do |t|
+      t.column :id,             :integer,  :null => false
+      t.column :login,          :string,   :limit => 40
+      t.column :password,       :string,   :limit => 40
+      t.column :email,          :string,   :limit => 64
+      t.column :key,            :string,   :limit => 64
+      t.column :secret,         :string,   :limit => 64
+      t.column :created_at,     :datetime
+      t.column :updated_at,     :timestamp
+      t.column :activated_at,   :datetime
+      t.column :superuser,      :integer, :default => 0
+      t.column :deleted,        :integer, :default => 0
+    end
+  end
+  def self.down
+    drop_table :users
+  end
+end

data/db/test.db ADDED

Binary file

data/lib/aws-auth.rb ADDED

@@ -0,0 +1,126 @@
+require 'rubygems'
+require 'rack'
+require 'active_record'
+require 'base64'
+require 'digest/sha1'
+require 'openssl'
+require 'sinatra'
+module AWSAuth
+class Base
+  VERSION = "0.9.0"
+  ROOT_DIR = ENV['AWS_ROOT_DIR'] || File.join(File.dirname(__FILE__),'..')
+  DEFAULT_PASSWORD = "testp@ss"
+  def self.config
+    @@config ||= load_config()
+  end
+  def self.config_path=(val)
+    @@config_path = val
+  end
+  def initialize(app)
+    @app = app
+    AWSAuth::User.establish_connection(AWSAuth::Base.config[:auth])
+  end
+  def call(env)
+    date_s = env['HTTP_X_AMZ_DATE'] || env['HTTP_DATE']
+    request = Rack::Request.new(env)
+    auth = Rack::Auth::Basic::Request.new(env)
+    # Basic Auth
+    if auth.provided? && auth.basic?
+      user = AWSAuth::User.find_by_login(auth.credentials[0])
+      unless user.nil?
+        if user.password == AWSAuth::Base.hmac_sha1( auth.credentials[1], user.secret )
+          env['AWS_AUTH_USER'] = user
+        end
+      end
+    # Route 53
+    elsif env['HTTP_X_AMZN_AUTHORIZATION'] =~ /^AWS3-HTTPS AWSAccessKeyId=(.*),Algorithm=HmacSHA256,Signature=(.*)$/
+      access_key = $1
+      signature = $2
+      user = AWSAuth::User.find_by_key(access_key)
+      unless user.nil?
+        hmac = HMAC::SHA256.new(user.secret)
+        hmac.update(date_s)
+        if Base64.encode64(hmac.digest).chomp == signature
+          env['AWS_AUTH_USER'] = user
+        end
+      end
+    # S3
+    elsif env['HTTP_AUTHORIZATION'] =~ /^AWS (\w+):(.+)$/ || !request['Signature'].nil?
+      meta, amz = {}, {}
+      env.each do |k,v|
+        k = k.downcase.gsub('_', '-')
+        amz[$1] = v.strip if k =~ /^http-x-amz-([-\w]+)$/
+        meta[$1] = v if k =~ /^http-x-amz-meta-([-\w]+)$/
+      end
+      auth, key_s, secret_s = *env['HTTP_AUTHORIZATION'].to_s.match(/^AWS (\w+):(.+)$/)
+      if request.params.has_key?('Signature') and Time.at(request['Expires'].to_i) >= Time.now
+        key_s, secret_s, date_s = request['AWSAccessKeyId'], request['Signature'], request['Expires']
+      end
+      uri = env['PATH_INFO']
+      uri += "?" + env['QUERY_STRING'] if %w[acl versioning torrent].include?(env['QUERY_STRING'])
+      canonical = [env['REQUEST_METHOD'], env['HTTP_CONTENT_MD5'], env['CONTENT_TYPE'],
+	date_s, uri]
+      amz.sort.each do |k, v|
+        canonical[-1,0] = "x-amz-#{k}:#{v}"
+      end
+      user = AWSAuth::User.find_by_key key_s
+      unless (user and secret_s != AWSAuth::Base.hmac_sha1(user.secret, canonical.map{|v|v.to_s.strip} * "\n")) || (user and user.deleted == 1)
+        env['AWS_AUTH_USER'] = user
+      end
+    end
+    @app.call(env)
+  end
+  def self.generate_secret
+    abc = %{ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz}
+    (1..40).map { abc[rand(abc.size),1] }.join
+  end
+  def self.generate_key
+    abc = %{ABCDEF0123456789}
+    (1..20).map { abc[rand(abc.size),1] }.join
+  end
+  def self.hmac_sha1(key, s)
+    ipad = [].fill(0x36, 0, 64)
+    opad = [].fill(0x5C, 0, 64)
+    key = key.unpack("C*")
+    if key.length < 64 then
+      key += [].fill(0, 0, 64-key.length)
+    end
+    inner = []
+    64.times { |i| inner.push(key[i] ^ ipad[i]) }
+    inner += s.unpack("C*")
+    outer = []
+    64.times { |i| outer.push(key[i] ^ opad[i]) }
+    outer = outer.pack("c*")
+    outer += Digest::SHA1.digest(inner.pack("c*"))
+    return Base64::encode64(Digest::SHA1.digest(outer)).chomp
+  end
+  protected
+  def self.load_config()
+    @@config_path ||= File.join(File.dirname(__FILE__), '../aws-auth.yml')
+    return YAML::load(File.read(ENV['AWS_AUTH_PATH'])) if ENV['AWS_AUTH_PATH'] && File.exists?(ENV['AWS_AUTH_PATH'])
+    return YAML::load(File.read(File.expand_path("~/.aws-auth.yml"))) if File.exists?(File.expand_path("~/.aws-auth.yml"))
+    return YAML::load(File.read(@@config_path)) if @@config_path && File.exists?(@@config_path)
+  end
+end
+end
+require File.join(File.dirname(__FILE__),'aws-auth/user')
+require File.join(File.dirname(__FILE__),'aws-auth/admin')

data/lib/aws-auth/admin.rb ADDED

@@ -0,0 +1,270 @@
+module AWS
+  class Admin < Sinatra::Base
+    POST = %{if(!this.title||confirm(this.title+'?')){var f = document.createElement('form'); this.parentNode.appendChild(f); f.method = 'POST'; f.action = this.href; f.submit();}return false;}
+    set :sessions, :on
+    enable :inline_templates
+    @@navigation_tabs = [["users","/control/users",true],["profile","/control/profile"],["logout","/control/logout"]]
+    @@home_page = "/control/buckets"
+    def self.add_tab(name, path, admin_only=false)
+      t = [name,path]
+      t << admin_only unless admin_only == false
+      @@navigation_tabs = [t] + @@navigation_tabs
+    end
+    def self.tabs
+      @@navigation_tabs
+    end
+    def self.home_page
+      @@home_page
+    end
+    def self.home_page=(val)
+      @@home_page = val
+    end
+    before do
+      ActiveRecord::Base.verify_active_connections!
+    end
+    get '/?' do
+      login_required
+      redirect @@home_page
+    end
+    get %r{^/s/(.*)} do
+      expires 500, :public
+      open(File.join(AWSAuth::Base::ROOT_DIR,'public', params[:captures].first))
+    end
+    get '/login' do
+      r :login, "Login"
+    end
+    post '/login' do
+      @user = AWSAuth::User.find_by_login params[:login]
+      if @user
+	if @user.password == AWSAuth::Base.hmac_sha1( params[:password], @user.secret )
+	  session[:user_id] = @user.id
+	  redirect @@home_page
+	else
+	  @user.errors.add(:password, 'is incorrect')
+	end
+      else
+	@user = AWSAuth::User.new
+	@user.errors.add(:login, 'not found')
+      end
+      r :login, "Login"
+    end
+    get '/logout' do
+      session[:user_id] = nil
+      redirect '/control'
+    end
+    get "/profile/?" do
+      login_required
+      @usero = @user
+      r :profile, "Your Profile"
+    end
+    post "/profile/?" do
+      login_required
+      @user.update_attributes(params['user'])
+      @usero = @user
+      r :profile, "Your Profile"
+    end
+    get "/users/?" do
+      login_required
+      only_superusers
+      @usero = AWSAuth::User.new
+      @users = AWSAuth::User.find :all, :conditions => ['deleted != 1'], :order => 'login'
+      r :users, "User List"
+    end
+    post "/users/?" do
+      login_required
+      only_superusers
+      @usero = AWSAuth::User.new params['user'].merge(:activated_at => Time.now)
+      if @usero.valid?
+	@usero.save()
+	redirect "/control/users"
+      else
+	@users = AWSAuth::User.find :all, :conditions => ['deleted != 1'], :order => 'login'
+        r :users, "User List"
+      end
+    end
+    get "/users/:login/?" do
+      login_required
+      only_superusers
+      @usero = AWSAuth::User.find_by_login params[:login]
+      r :profile, @usero.login
+    end
+    post "/users/:login/?" do
+      login_required
+      only_superusers
+      @usero = AWSAuth::User.find_by_login params[:login]
+      # if were not changing passwords remove blank values
+      if params['user']['password'].blank? && params['user']['password_confirmation'].blank?
+	params['user'].delete('password')
+	params['user'].delete('password_confirmation')
+      end
+      if @usero.update_attributes(params['user'])
+        redirect "/control/users/#{@usero.login}"
+      else
+        r :profile, @usero.login
+      end
+    end
+    post "/users/delete/:login/?" do
+      login_required
+      only_superusers
+      @usero = AWSAuth::User.find_by_login params[:login]
+      if @usero.id == @user.id
+	# FIXME: notify user they cannot delete themselves
+      else
+	@usero.destroy
+      end
+      redirect "/control/users"
+    end
+    protected
+    def login_required
+      @user = AWSAuth::User.find(session[:user_id]) unless session[:user_id].nil?
+      redirect '/control/login' if @user.nil?
+    end
+    def r(name, title, layout = :layout)
+      @title = title
+      haml name, :layout => layout
+    end
+    def errors_for(model)
+      ret = ""
+      if model.errors.size > 0
+        ret += "<ul class=\"errors\">"
+        model.errors.each_full do |error|
+          ret += "<li>#{error}</li>"
+        end
+        ret += "</ul>"
+      end
+      ret
+    end
+    def only_superusers
+      redirect '/control/login' unless @user.superuser?
+    end
+  end
+end
+__END__
+@@ layout
+%html
+  %head
+    %title Control Center &raquo; #{@title}
+    %script{ :language => "JavaScript", :type => "text/javascript", :src => "/control/s/js/prototype.js" }
+    %style{ :type => "text/css" }
+      @import '/control/s/css/control.css';
+  %body
+    %div#page
+      - if @user and not @login
+        %div.menu
+          %ul
+            %li
+              - for tab in AWS::Admin.tabs
+                - if tab[2].nil? || (tab[2] && @user.superuser?)
+                  %a{ :href => tab[1] }= tab[0]
+      %div#header
+        %h1 Control Center
+        %h2 #{@title}
+      %div#content
+        = yield
+@@ login
+%form.create{ :method => "post" }
+  %div.required
+    %label{ :for => "login" } User
+    %input#login{ :type => "text", :name => "login" }
+  %div.required
+    %label{ :for => "password" } Password
+    %input#password{ :type => "password", :name => "password" }
+  %input#loggo{ :type => "submit", :value => "Login", :name => "loggo" }
+@@ users
+%table
+  %thead
+    %tr
+      %th Login
+      %th Activated On
+      %th Actions
+  %tbody
+    - @users.each do |user|
+      %tr
+        %th
+          %a{ :href => "/control/users/#{user.login}" } #{user.login}
+        %td #{user.activated_at}
+        %td
+          %a{ :href => "/control/users/delete/#{user.login}", :onclick => POST, :title => "Delete user #{user.login}" } Delete
+%h3 Create a User
+%form.create{ :action => "/control/users", :method => "post" }
+  = preserve errors_for(@usero)
+  %div.required
+    %label{ :for => "user[login]" } Login
+    %input.large{ :type => "text", :value => @usero.login, :name => "user[login]" }
+  %div.required.inline
+    %label{ :for => "user[superuser]" } Is a super-admin?
+    %input{ :type => "checkbox", :name => "user[superuser]", :value => @usero.superuser }
+  %div.required
+    %label{ :for => "user[password]" } Password
+    %input.fixed{ :type => "password", :name => "user[password]" }
+  %div.required
+    %label{ :for => "user[password_confirmation]" } Password again
+    %input.fixed{ :type => "password", :name => "user[password_confirmation]" }
+  %div.required
+    %label{ :for => "user[email]" } Email
+    %input{ :type => "text", :value => @usero.email, :name => "user[email]" }
+  %div.required
+    %label{ :for => "user[key]" } Key (must be unique)
+    %input.fixed.long{ :type => "text", :value => (@usero.key || AWSAuth::Base.generate_key), :name => "user[key]" }
+  %div.required
+    %label{ :for => "user[secret]" } Secret
+    %input.fixed.long{ :type => "text", :value => (@usero.secret || AWSAuth::Base.generate_secret), :name => "user[secret]" }
+  %input.newuser{ :type => "submit", :value => "Create", :name => "newuser" }
+@@ profile
+%form.create{ :method => "post" }
+  = preserve errors_for(@usero)
+  - if @user.superuser?
+    %div.required.inline
+      %label{ :for => "user[superuser]" } Is a super-admin?
+      %input{ :type => "hidden", :name => "user[superuser]", :value => 0 }
+      %input{ :type => "checkbox", :name => "user[superuser]", :value => 1, :checked => @usero.superuser? }
+  %div.required
+    %label{ :for => "user[password]" } Password
+    %input.fixed{ :type => "password", :name => "user[password]" }
+  %div.required
+    %label{ :for => "user[password_confirmation]" } Password again
+    %input.fixed{ :type => "password", :name => "user[password_confirmation]" }
+  %div.required
+    %label{ :for => "user[email]" } Email
+    %input{ :type => "text", :value => @usero.email, :name => "user[email]" }
+  %div.required
+    %label{ :for => "key" } Key
+    %h4 #{@usero.key}
+  %div.required
+    %label{ :for => "secret" } Secret
+    %h4 #{@usero.secret}
+  %input#saveuser{ :type => "submit", :value => "Save", :name => "saveuser" }

data/lib/aws-auth/tasks.rb ADDED

@@ -0,0 +1,28 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/gempackagetask'
+require File.join(File.dirname(__FILE__), '../aws-auth')
+namespace :auth do
+  task :environment do
+    ActiveRecord::Base.establish_connection(AWSAuth::Base.config[:auth])
+  end
+  desc "Migrate the database"
+  task(:migrate => :environment) do
+    ActiveRecord::Base.logger = Logger.new(STDOUT)
+    ActiveRecord::Migration.verbose = true
+    out_dir = File.dirname(AWSAuth::Base.config[:auth][:database])
+    FileUtils.mkdir_p(out_dir) unless File.exists?(out_dir)
+    ActiveRecord::Migrator.migrate(File.join(AWSAuth::Base::ROOT_DIR, 'db', 'migrate'), ENV["VERSION"] ? ENV["VERSION"].to_i : nil)
+    num_users = AWSAuth::User.count || 0
+    if num_users == 0
+      puts "** No users found, creating the `admin' user."
+      AWSAuth::User.create :login => "admin", :password => AWSAuth::Base::DEFAULT_PASSWORD,
+        :email => "admin@parkplace.net", :key => AWSAuth::Base.generate_key(), :secret => AWSAuth::Base.generate_secret(),
+        :activated_at => Time.now, :superuser => 1
+    end
+  end
+end