RubyGems - aws-auth - Versions diffs - 0.9.0 - Mend

aws-auth 0.9.0

Files changed (15) hide show

data/README +1 -0
data/Rakefile +8 -0
data/aws-auth.yml +4 -0
data/db/aws-users.db +0 -0
data/db/migrate/002_create_users.rb +24 -0
data/db/test.db +0 -0
data/lib/aws-auth.rb +126 -0
data/lib/aws-auth/admin.rb +270 -0
data/lib/aws-auth/tasks.rb +28 -0
data/lib/aws-auth/user.rb +35 -0
data/public/css/control.css +232 -0
data/public/images/external-link.gif +0 -0
data/public/js/prototype.js +2539 -0
data/public/js/upload_status.js +117 -0
metadata +109 -0

data/README ADDED

	@@ -0,0 +1 @@
1	+ Rack middleware that provides AWS (Amazon Web Services) style authentication.

data/Rakefile ADDED

@@ -0,0 +1,8 @@
+$:.unshift "./lib"
+require 'rake'
+require 'rake/testtask'
+require 'rake/gempackagetask'
+require 'aws-auth'
+require 'aws-auth/tasks'
+require 'bundler'
+Bundler::GemHelper.install_tasks

data/aws-auth.yml ADDED

@@ -0,0 +1,4 @@
+---
+:auth:
+  :database: db/aws-users.db
+  :adapter: sqlite3

data/db/aws-users.db ADDED

Binary file

data/db/migrate/002_create_users.rb ADDED

@@ -0,0 +1,24 @@
+class CreateUsers < ActiveRecord::Migration
+  def self.up
+    create_table :users do |t|
+      t.column :id,             :integer,  :null => false
+      t.column :login,          :string,   :limit => 40
+      t.column :password,       :string,   :limit => 40
+      t.column :email,          :string,   :limit => 64
+      t.column :key,            :string,   :limit => 64
+      t.column :secret,         :string,   :limit => 64
+      t.column :created_at,     :datetime
+      t.column :updated_at,     :timestamp
+      t.column :activated_at,   :datetime
+      t.column :superuser,      :integer, :default => 0
+      t.column :deleted,        :integer, :default => 0
+    end
+  end
+  def self.down
+    drop_table :users
+  end
+end

data/db/test.db ADDED

Binary file

data/lib/aws-auth.rb ADDED

@@ -0,0 +1,126 @@
+require 'rubygems'
+require 'rack'
+require 'active_record'
+require 'base64'
+require 'digest/sha1'
+require 'openssl'
+require 'sinatra'
+module AWSAuth
+class Base
+  VERSION = "0.9.0"
+  ROOT_DIR = ENV['AWS_ROOT_DIR'] || File.join(File.dirname(__FILE__),'..')
+  DEFAULT_PASSWORD = "testp@ss"
+  def self.config
+    @@config ||= load_config()
+  end
+  def self.config_path=(val)
+    @@config_path = val
+  end
+  def initialize(app)
+    @app = app
+    AWSAuth::User.establish_connection(AWSAuth::Base.config[:auth])
+  end
+  def call(env)
+    date_s = env['HTTP_X_AMZ_DATE'] || env['HTTP_DATE']
+    request = Rack::Request.new(env)
+    auth = Rack::Auth::Basic::Request.new(env)
+    # Basic Auth
+    if auth.provided? && auth.basic?
+      user = AWSAuth::User.find_by_login(auth.credentials[0])
+      unless user.nil?
+        if user.password == AWSAuth::Base.hmac_sha1( auth.credentials[1], user.secret )
+          env['AWS_AUTH_USER'] = user
+        end
+      end
+    # Route 53
+    elsif env['HTTP_X_AMZN_AUTHORIZATION'] =~ /^AWS3-HTTPS AWSAccessKeyId=(.*),Algorithm=HmacSHA256,Signature=(.*)$/
+      access_key = $1
+      signature = $2
+      user = AWSAuth::User.find_by_key(access_key)
+      unless user.nil?
+        hmac = HMAC::SHA256.new(user.secret)
+        hmac.update(date_s)
+        if Base64.encode64(hmac.digest).chomp == signature
+          env['AWS_AUTH_USER'] = user
+        end
+      end
+    # S3
+    elsif env['HTTP_AUTHORIZATION'] =~ /^AWS (\w+):(.+)$/ || !request['Signature'].nil?
+      meta, amz = {}, {}
+      env.each do |k,v|
+        k = k.downcase.gsub('_', '-')
+        amz[$1] = v.strip if k =~ /^http-x-amz-([-\w]+)$/
+        meta[$1] = v if k =~ /^http-x-amz-meta-([-\w]+)$/
+      end
+      auth, key_s, secret_s = *env['HTTP_AUTHORIZATION'].to_s.match(/^AWS (\w+):(.+)$/)
+      if request.params.has_key?('Signature') and Time.at(request['Expires'].to_i) >= Time.now
+        key_s, secret_s, date_s = request['AWSAccessKeyId'], request['Signature'], request['Expires']
+      end
+      uri = env['PATH_INFO']
+      uri += "?" + env['QUERY_STRING'] if %w[acl versioning torrent].include?(env['QUERY_STRING'])
+      canonical = [env['REQUEST_METHOD'], env['HTTP_CONTENT_MD5'], env['CONTENT_TYPE'],
+	date_s, uri]
+      amz.sort.each do |k, v|
+        canonical[-1,0] = "x-amz-#{k}:#{v}"
+      end
+      user = AWSAuth::User.find_by_key key_s
+      unless (user and secret_s != AWSAuth::Base.hmac_sha1(user.secret, canonical.map{|v|v.to_s.strip} * "\n")) || (user and user.deleted == 1)
+        env['AWS_AUTH_USER'] = user
+      end
+    end
+    @app.call(env)
+  end
+  def self.generate_secret
+    abc = %{ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyz}
+    (1..40).map { abc[rand(abc.size),1] }.join
+  end
+  def self.generate_key
+    abc = %{ABCDEF0123456789}
+    (1..20).map { abc[rand(abc.size),1] }.join
+  end
+  def self.hmac_sha1(key, s)
+    ipad = [].fill(0x36, 0, 64)
+    opad = [].fill(0x5C, 0, 64)
+    key = key.unpack("C*")
+    if key.length < 64 then
+      key += [].fill(0, 0, 64-key.length)
+    end
+    inner = []
+    64.times { |i| inner.push(key[i] ^ ipad[i]) }
+    inner += s.unpack("C*")
+    outer = []
+    64.times { |i| outer.push(key[i] ^ opad[i]) }
+    outer = outer.pack("c*")
+    outer += Digest::SHA1.digest(inner.pack("c*"))
+    return Base64::encode64(Digest::SHA1.digest(outer)).chomp
+  end
+  protected
+  def self.load_config()
+    @@config_path ||= File.join(File.dirname(__FILE__), '../aws-auth.yml')
+    return YAML::load(File.read(ENV['AWS_AUTH_PATH'])) if ENV['AWS_AUTH_PATH'] && File.exists?(ENV['AWS_AUTH_PATH'])
+    return YAML::load(File.read(File.expand_path("~/.aws-auth.yml"))) if File.exists?(File.expand_path("~/.aws-auth.yml"))
+    return YAML::load(File.read(@@config_path)) if @@config_path && File.exists?(@@config_path)
+  end
+end
+end
+require File.join(File.dirname(__FILE__),'aws-auth/user')
+require File.join(File.dirname(__FILE__),'aws-auth/admin')

data/lib/aws-auth/admin.rb ADDED

@@ -0,0 +1,270 @@
+module AWS
+  class Admin < Sinatra::Base
+    POST = %{if(!this.title||confirm(this.title+'?')){var f = document.createElement('form'); this.parentNode.appendChild(f); f.method = 'POST'; f.action = this.href; f.submit();}return false;}
+    set :sessions, :on
+    enable :inline_templates
+    @@navigation_tabs = [["users","/control/users",true],["profile","/control/profile"],["logout","/control/logout"]]
+    @@home_page = "/control/buckets"
+    def self.add_tab(name, path, admin_only=false)
+      t = [name,path]
+      t << admin_only unless admin_only == false
+      @@navigation_tabs = [t] + @@navigation_tabs
+    end
+    def self.tabs
+      @@navigation_tabs
+    end
+    def self.home_page
+      @@home_page
+    end
+    def self.home_page=(val)
+      @@home_page = val
+    end
+    before do
+      ActiveRecord::Base.verify_active_connections!
+    end
+    get '/?' do
+      login_required
+      redirect @@home_page
+    end
+    get %r{^/s/(.*)} do
+      expires 500, :public
+      open(File.join(AWSAuth::Base::ROOT_DIR,'public', params[:captures].first))
+    end
+    get '/login' do
+      r :login, "Login"
+    end
+    post '/login' do
+      @user = AWSAuth::User.find_by_login params[:login]
+      if @user
+	if @user.password == AWSAuth::Base.hmac_sha1( params[:password], @user.secret )
+	  session[:user_id] = @user.id
+	  redirect @@home_page
+	else
+	  @user.errors.add(:password, 'is incorrect')
+	end
+      else
+	@user = AWSAuth::User.new
+	@user.errors.add(:login, 'not found')
+      end
+      r :login, "Login"
+    end
+    get '/logout' do
+      session[:user_id] = nil
+      redirect '/control'
+    end
+    get "/profile/?" do
+      login_required
+      @usero = @user
+      r :profile, "Your Profile"
+    end
+    post "/profile/?" do
+      login_required
+      @user.update_attributes(params['user'])
+      @usero = @user
+      r :profile, "Your Profile"
+    end
+    get "/users/?" do
+      login_required
+      only_superusers
+      @usero = AWSAuth::User.new
+      @users = AWSAuth::User.find :all, :conditions => ['deleted != 1'], :order => 'login'
+      r :users, "User List"
+    end
+    post "/users/?" do
+      login_required
+      only_superusers
+      @usero = AWSAuth::User.new params['user'].merge(:activated_at => Time.now)
+      if @usero.valid?
+	@usero.save()
+	redirect "/control/users"
+      else
+	@users = AWSAuth::User.find :all, :conditions => ['deleted != 1'], :order => 'login'
+        r :users, "User List"
+      end
+    end
+    get "/users/:login/?" do
+      login_required
+      only_superusers
+      @usero = AWSAuth::User.find_by_login params[:login]
+      r :profile, @usero.login
+    end
+    post "/users/:login/?" do
+      login_required
+      only_superusers
+      @usero = AWSAuth::User.find_by_login params[:login]
+      # if were not changing passwords remove blank values
+      if params['user']['password'].blank? && params['user']['password_confirmation'].blank?
+	params['user'].delete('password')
+	params['user'].delete('password_confirmation')
+      end
+      if @usero.update_attributes(params['user'])
+        redirect "/control/users/#{@usero.login}"
+      else
+        r :profile, @usero.login
+      end
+    end
+    post "/users/delete/:login/?" do
+      login_required
+      only_superusers
+      @usero = AWSAuth::User.find_by_login params[:login]
+      if @usero.id == @user.id
+	# FIXME: notify user they cannot delete themselves
+      else
+	@usero.destroy
+      end
+      redirect "/control/users"
+    end
+    protected
+    def login_required
+      @user = AWSAuth::User.find(session[:user_id]) unless session[:user_id].nil?
+      redirect '/control/login' if @user.nil?
+    end
+    def r(name, title, layout = :layout)
+      @title = title
+      haml name, :layout => layout
+    end
+    def errors_for(model)
+      ret = ""
+      if model.errors.size > 0
+        ret += "<ul class=\"errors\">"
+        model.errors.each_full do |error|
+          ret += "<li>#{error}</li>"
+        end
+        ret += "</ul>"
+      end
+      ret
+    end
+    def only_superusers
+      redirect '/control/login' unless @user.superuser?
+    end
+  end
+end
+__END__
+@@ layout
+%html
+  %head
+    %title Control Center &raquo; #{@title}
+    %script{ :language => "JavaScript", :type => "text/javascript", :src => "/control/s/js/prototype.js" }
+    %style{ :type => "text/css" }
+      @import '/control/s/css/control.css';
+  %body
+    %div#page
+      - if @user and not @login
+        %div.menu
+          %ul
+            %li
+              - for tab in AWS::Admin.tabs
+                - if tab[2].nil? || (tab[2] && @user.superuser?)
+                  %a{ :href => tab[1] }= tab[0]
+      %div#header
+        %h1 Control Center
+        %h2 #{@title}
+      %div#content
+        = yield
+@@ login
+%form.create{ :method => "post" }
+  %div.required
+    %label{ :for => "login" } User
+    %input#login{ :type => "text", :name => "login" }
+  %div.required
+    %label{ :for => "password" } Password
+    %input#password{ :type => "password", :name => "password" }
+  %input#loggo{ :type => "submit", :value => "Login", :name => "loggo" }
+@@ users
+%table
+  %thead
+    %tr
+      %th Login
+      %th Activated On
+      %th Actions
+  %tbody
+    - @users.each do |user|
+      %tr
+        %th
+          %a{ :href => "/control/users/#{user.login}" } #{user.login}
+        %td #{user.activated_at}
+        %td
+          %a{ :href => "/control/users/delete/#{user.login}", :onclick => POST, :title => "Delete user #{user.login}" } Delete
+%h3 Create a User
+%form.create{ :action => "/control/users", :method => "post" }
+  = preserve errors_for(@usero)
+  %div.required
+    %label{ :for => "user[login]" } Login
+    %input.large{ :type => "text", :value => @usero.login, :name => "user[login]" }
+  %div.required.inline
+    %label{ :for => "user[superuser]" } Is a super-admin?
+    %input{ :type => "checkbox", :name => "user[superuser]", :value => @usero.superuser }
+  %div.required
+    %label{ :for => "user[password]" } Password
+    %input.fixed{ :type => "password", :name => "user[password]" }
+  %div.required
+    %label{ :for => "user[password_confirmation]" } Password again
+    %input.fixed{ :type => "password", :name => "user[password_confirmation]" }
+  %div.required
+    %label{ :for => "user[email]" } Email
+    %input{ :type => "text", :value => @usero.email, :name => "user[email]" }
+  %div.required
+    %label{ :for => "user[key]" } Key (must be unique)
+    %input.fixed.long{ :type => "text", :value => (@usero.key || AWSAuth::Base.generate_key), :name => "user[key]" }
+  %div.required
+    %label{ :for => "user[secret]" } Secret
+    %input.fixed.long{ :type => "text", :value => (@usero.secret || AWSAuth::Base.generate_secret), :name => "user[secret]" }
+  %input.newuser{ :type => "submit", :value => "Create", :name => "newuser" }
+@@ profile
+%form.create{ :method => "post" }
+  = preserve errors_for(@usero)
+  - if @user.superuser?
+    %div.required.inline
+      %label{ :for => "user[superuser]" } Is a super-admin?
+      %input{ :type => "hidden", :name => "user[superuser]", :value => 0 }
+      %input{ :type => "checkbox", :name => "user[superuser]", :value => 1, :checked => @usero.superuser? }
+  %div.required
+    %label{ :for => "user[password]" } Password
+    %input.fixed{ :type => "password", :name => "user[password]" }
+  %div.required
+    %label{ :for => "user[password_confirmation]" } Password again
+    %input.fixed{ :type => "password", :name => "user[password_confirmation]" }
+  %div.required
+    %label{ :for => "user[email]" } Email
+    %input{ :type => "text", :value => @usero.email, :name => "user[email]" }
+  %div.required
+    %label{ :for => "key" } Key
+    %h4 #{@usero.key}
+  %div.required
+    %label{ :for => "secret" } Secret
+    %h4 #{@usero.secret}
+  %input#saveuser{ :type => "submit", :value => "Save", :name => "saveuser" }

data/lib/aws-auth/tasks.rb ADDED

@@ -0,0 +1,28 @@
+require 'rake'
+require 'rake/testtask'
+require 'rake/gempackagetask'
+require File.join(File.dirname(__FILE__), '../aws-auth')
+namespace :auth do
+  task :environment do
+    ActiveRecord::Base.establish_connection(AWSAuth::Base.config[:auth])
+  end
+  desc "Migrate the database"
+  task(:migrate => :environment) do
+    ActiveRecord::Base.logger = Logger.new(STDOUT)
+    ActiveRecord::Migration.verbose = true
+    out_dir = File.dirname(AWSAuth::Base.config[:auth][:database])
+    FileUtils.mkdir_p(out_dir) unless File.exists?(out_dir)
+    ActiveRecord::Migrator.migrate(File.join(AWSAuth::Base::ROOT_DIR, 'db', 'migrate'), ENV["VERSION"] ? ENV["VERSION"].to_i : nil)
+    num_users = AWSAuth::User.count || 0
+    if num_users == 0
+      puts "** No users found, creating the `admin' user."
+      AWSAuth::User.create :login => "admin", :password => AWSAuth::Base::DEFAULT_PASSWORD,
+        :email => "admin@parkplace.net", :key => AWSAuth::Base.generate_key(), :secret => AWSAuth::Base.generate_secret(),
+        :activated_at => Time.now, :superuser => 1
+    end
+  end
+end