blaxter-lockdown 0.9.8.99

data/lib/lockdown/frameworks/rails.rb

@@ -0,0 +1,154 @@
+require File.join(File.dirname(__FILE__), "rails", "controller")
+require File.join(File.dirname(__FILE__), "rails", "view")
+
+module Lockdown
+  module Frameworks
+    module Rails
+      class << self
+        def use_me?
+          Object.const_defined?("ActionController") && ActionController.const_defined?("Base")
+        end
+
+        def included(mod)
+          mod.extend Lockdown::Frameworks::Rails::Environment
+          mixin
+        end
+
+        def mixin
+          Lockdown.controller_parent.class_eval do
+            include Lockdown::Session
+            include Lockdown::Frameworks::Rails::Controller::Lock
+          end
+
+          Lockdown.controller_parent.helper_method :authorized?
+
+          Lockdown.controller_parent.before_filter do |c|
+            c.set_current_user
+            c.configure_lockdown
+            c.check_request_authorization
+          end
+
+          Lockdown.controller_parent.filter_parameter_logging :password, 
+            :password_confirmation
+      
+          Lockdown.controller_parent.rescue_from SecurityError, 
+            :with => proc{|e| access_denied(e)}
+
+          Lockdown.view_helper.class_eval do
+            include Lockdown::Frameworks::Rails::View
+          end
+
+          Lockdown::System.class_eval do 
+            extend Lockdown::Frameworks::Rails::System
+          end
+        end
+      end # class block
+
+      module Environment
+
+        def project_root
+          ::RAILS_ROOT
+        end
+
+        def init_file
+          "#{project_root}/lib/lockdown/init.rb"
+        end
+
+        def controller_parent
+          ::ActionController::Base
+        end
+
+        def view_helper
+          ::ActionView::Base 
+        end
+
+        def controller_class_name(str)
+          str = "#{str}Controller"
+          if str.include?("__")
+            str.split("__").collect{|p| Lockdown.camelize(p)}.join("::")
+          else
+            Lockdown.camelize(str)
+          end
+        end
+      end
+
+      module System
+        include Lockdown::Frameworks::Rails::Controller
+
+        def skip_sync?
+          Lockdown::System.fetch(:skip_db_sync_in).include?(ENV['RAILS_ENV'])
+        end
+
+        def load_controller_classes
+          @controller_classes = {}
+         
+          maybe_load_framework_controller_parent
+
+          ApplicationController.helper_method :authorized?
+
+          ApplicationController.before_filter do |c|
+            c.set_current_user
+            c.configure_lockdown
+            c.check_request_authorization
+          end
+
+          ApplicationController.filter_parameter_logging :password, 
+            :password_confirmation
+      
+          ApplicationController.rescue_from SecurityError, 
+            :with => proc{|e| access_denied(e)}
+
+
+          Dir.chdir("#{Lockdown.project_root}/app/controllers") do
+            Dir["**/*.rb"].sort.each do |c|
+              c = c.split('.').first
+              next if c == "application"
+              lockdown_load(c) 
+            end
+            if PLATFORM =~ /java/
+              Dir["**/*.class"].sort.each do |c|
+                c = c.split('.').first
+                next if c == "application"
+                lockdown_load(c)
+              end
+            end
+          end
+
+          if ENV['RAILS_ENV'] != 'production'
+            if ActiveSupport.const_defined?("Dependencies")
+              ActiveSupport::Dependencies.clear
+            else
+              Dependencies.clear
+            end
+          end
+        end
+
+        def maybe_load_framework_controller_parent
+          if ::Rails::VERSION::MAJOR >= 2 && ::Rails::VERSION::MINOR >= 3
+            filename = "application_controller.rb"
+          else
+            filename = "application.rb"
+          end
+          
+          require_or_load(filename)
+        end
+
+        def lockdown_load(filename)
+          klass = Lockdown.class_name_from_file(filename)
+
+          require_or_load(filename)
+
+          @controller_classes[klass] = Lockdown.qualified_const_get(klass) 
+        end
+
+        def require_or_load(filename)
+          if ActiveSupport.const_defined?("Dependencies")
+            ActiveSupport::Dependencies.require_or_load(filename)
+          else
+            Dependencies.require_or_load(filename)
+          end
+        end
+      end # System
+    end # Rails
+  end # Frameworks
+end # Lockdown

data/lib/lockdown/frameworks/rails/controller.rb

@@ -0,0 +1,154 @@
+module Lockdown
+  module Frameworks
+    module Rails
+      module Controller
+        
+        def available_actions(klass)
+          if klass.respond_to?(:action_methods)
+            klass.action_methods
+          else
+            klass.public_instance_methods - klass.hidden_actions
+          end
+        end
+
+        def controller_name(klass)
+          klass.controller_name
+        end
+
+        # Locking methods
+        module Lock
+          def configure_lockdown
+            check_session_expiry
+            store_location
+          end
+
+          def set_current_user
+            login_from_basic_auth? unless logged_in?
+            if logged_in?
+              Thread.current[:who_did_it] = Lockdown::System.
+                call(self, :who_did_it)
+            end
+          end
+
+          def check_request_authorization
+            unless authorized?(path_from_hash(params))
+              raise SecurityError, "Authorization failed for params #{params.inspect}"
+            end
+          end
+  
+          def path_allowed?(url)
+            session[:access_rights] ||= Lockdown::System.public_access
+            session[:access_rights].include?(url)
+          end
+    
+          def check_session_expiry
+            if session[:expiry_time] && session[:expiry_time] < Time.now
+              nil_lockdown_values
+              Lockdown::System.call(self, :session_timeout_method)
+            end
+            session[:expiry_time] = Time.now + Lockdown::System.fetch(:session_timeout)
+          end
+          
+          def store_location
+            if (request.method == :get) && (session[:thispage] != sent_from_uri)
+              session[:prevpage] = session[:thispage] || ''
+              session[:thispage] = sent_from_uri
+            end
+          end
+
+          def sent_from_uri
+            request.request_uri
+          end
+      
+          def authorized?(url, method = nil)
+            return false unless url
+
+            return true if current_user_is_admin?
+
+            method ||= (params[:method] || request.method)
+
+            url_parts = URI::split(url.strip)
+
+            path = url_parts[5]
+
+            return true if path_allowed?(path)
+
+            begin
+              hash = ActionController::Routing::Routes.recognize_path(path, :method => method)
+              return path_allowed?(path_from_hash(hash)) if hash
+            rescue Exception
+              # continue on
+            end
+
+            # Mailto link
+            return true if url =~ /^mailto:/
+
+            # Public file
+            file = File.join(RAILS_ROOT, 'public', url)
+            return true if File.exists?(file)
+
+            # Passing in different domain
+            return remote_url?(url_parts[2])
+          end
+    
+          def access_denied(e)
+
+            RAILS_DEFAULT_LOGGER.info "Access denied: #{e}"
+
+            if Lockdown::System.fetch(:logout_on_access_violation)
+              reset_session
+            end
+            respond_to do |format|
+              format.html do
+                store_location
+                redirect_to Lockdown::System.fetch(:access_denied_path)
+                return
+              end
+              format.xml do
+                headers["Status"] = "Unauthorized"
+                headers["WWW-Authenticate"] = %(Basic realm="Web Password")
+                render :text => e.message, :status => "401 Unauthorized"
+                return
+              end
+            end
+          end
+
+          def path_from_hash(hash)
+            hash[:controller].to_s + "/" + hash[:action].to_s
+          end
+
+          def remote_url?(domain = nil)
+            return false if domain.nil? || domain.strip.length == 0
+            request.host.downcase != domain.downcase
+          end
+
+          def redirect_back_or_default(default)
+            if session[:prevpage].nil? || session[:prevpage].blank?
+              redirect_to(default) 
+            else
+              redirect_to(session[:prevpage])
+            end
+          end
+  
+          # Called from current_user.  Now, attempt to login by
+          # basic authentication information.
+          def login_from_basic_auth?
+            username, passwd = get_auth_data
+            if username && passwd
+              set_session_user ::User.authenticate(username, passwd)
+            end
+          end
+
+          @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
+          # gets BASIC auth info
+          def get_auth_data
+            auth_key  = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
+            auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
+            return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil] 
+          end
+        end # Lock
+      end # Controller
+    end # Rails
+  end # Frameworks
+end # Lockdown
+

data/lib/lockdown/frameworks/rails/view.rb

@@ -0,0 +1,50 @@
+module Lockdown
+  module Frameworks
+    module Rails
+      module View
+        def self.included(base)
+          base.class_eval do
+            alias_method :link_to_open, :link_to
+            alias_method :link_to, :link_to_secured
+
+            alias_method :button_to_open, :button_to
+            alias_method :button_to, :button_to_secured
+          end
+        end
+    
+        def link_to_secured(name, options = {}, html_options = nil)
+          url = url_for(options)
+
+          method = html_options ? html_options[:method] : nil
+
+          if authorized?(url, method)
+            return link_to_open(name, url, html_options)
+          end
+          return ""
+        end
+
+        def button_to_secured(name, options = {}, html_options = nil)
+          url = url_for(options)
+
+          method = html_options ? html_options[:method] : nil
+
+          if authorized?(url, method)
+            return button_to_open(name, url, html_options)
+          end
+          return ""
+        end
+
+        def link_to_or_show(name, options = {}, html_options = nil)
+          lnk = link_to(name, options, html_options)
+          lnk.length == 0 ? name : lnk
+        end
+
+        def links(*lis)
+          rvalue = []
+          lis.each{|link| rvalue << link if link.length > 0 }
+          rvalue.join( Lockdown::System.fetch(:link_separator) )
+        end
+      end # View
+    end # Rails
+  end # Frameworks
+end # Lockdown

data/lib/lockdown/helper.rb

@@ -0,0 +1,95 @@
+module Lockdown
+  module Helper
+    def class_name_from_file(str)
+      str.split("/").collect{|s| camelize(s) }.join("::")
+    end
+
+    # If str_sym is a Symbol (:users), return "Users"
+    # If str_sym is a String ("Users"), return :users
+    def convert_reference_name(str_sym)
+      if str_sym.is_a?(Symbol)
+        titleize(str_sym)
+      else
+        underscore(str_sym).tr(' ','_').to_sym
+      end
+    end
+
+    def get_string(value)
+      if value.respond_to?(:name)
+        string_name(value.name)
+      else
+        string_name(value)
+      end
+    end
+
+    def get_symbol(value)
+      if value.respond_to?(:name)
+        symbol_name(value.name)
+      elsif value.is_a?(String)
+        symbol_name(value)
+      else
+        value
+      end
+    end
+
+    def camelize(str)
+      str.to_s.gsub(/\/(.?)/) { "::" + $1.upcase }.gsub(/(^|_)(.)/) { $2.upcase }
+    end
+
+    def random_string(len = 10)
+      chars = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
+      Array.new(len){||chars[rand(chars.size)]}.join
+    end
+
+    def administrator_group_string
+      string_name(administrator_group_symbol)
+    end
+
+    def administrator_group_symbol
+      :administrators
+    end
+
+    def qualified_const_defined?(klass)
+      if klass =~ /::/
+        namespace, klass = klass.split("::")
+        eval("#{namespace}.const_defined?(#{klass})") if const_defined?(namespace)
+      else
+        const_defined?(klass)
+      end
+    end
+
+    def qualified_const_get(klass)
+      if klass =~ /::/
+        namespace, klass = klass.split("::")
+        eval(namespace).const_get(klass)
+      else
+        const_get(klass)
+      end
+    end
+
+    private
+
+    def string_name(str_sym)
+      str_sym.is_a?(Symbol) ? convert_reference_name(str_sym) : str_sym
+    end
+
+    def symbol_name(str_sym)
+      str_sym.is_a?(String) ? convert_reference_name(str_sym) : str_sym
+    end
+
+    def titleize(str)
+      humanize(underscore(str)).gsub(/\b([a-z])/) { $1.capitalize }
+    end
+    
+    def humanize(str)
+      str.to_s.gsub(/_id$/, "").gsub(/_/, " ").capitalize
+    end
+
+    def underscore(str)
+      str.to_s.gsub(/::/, '/').
+        gsub(/([A-Z]+)([A-Z][a-z])/,'\1_\2').
+        gsub(/([a-z\d])([A-Z])/,'\1_\2').
+        tr("-", "_").downcase
+    end
+  end
+end