carpool 0.2.2 → 0.3.0

data/VERSION

@@ -1 +1 @@
-0.2.2
+0.3.0

data/carpool.gemspec

@@ -1,49 +1,49 @@
 # Generated by jeweler
 # DO NOT EDIT THIS FILE DIRECTLY
-# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# Instead, edit Jeweler::Tasks in Rakefile, and run 'rake gemspec'
 # -*- encoding: utf-8 -*-
 
 Gem::Specification.new do |s|
   s.name = %q{carpool}
-  s.version = "0.2.2"
+  s.version = "0.3.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Brent Kirby"]
-  s.date = %q{2010-11-14}
+  s.date = %q{2010-12-06}
   s.description = %q{Carpool is a single sign on solution for Rack-based applications allowing you to persist sessions across domains.}
   s.email = %q{dev@kurbmedia.com}
   s.extra_rdoc_files = [
     "LICENSE",
-     "README.md"
+    "README.md"
   ]
   s.files = [
     ".document",
-     ".gitignore",
-     "LICENSE",
-     "README.md",
-     "Rakefile",
-     "VERSION",
-     "carpool.gemspec",
-     "init.rb",
-     "lib/carpool.rb",
-     "lib/carpool/driver.rb",
-     "lib/carpool/mixins/action_controller.rb",
-     "lib/carpool/mixins/action_view.rb",
-     "lib/carpool/mixins/core.rb",
-     "lib/carpool/passenger.rb",
-     "lib/carpool/rails/railtie.rb",
-     "lib/carpool/seatbelt.rb",
-     "test/helper.rb",
-     "test/test_carpool.rb"
+    "LICENSE",
+    "README.md",
+    "Rakefile",
+    "VERSION",
+    "carpool.gemspec",
+    "init.rb",
+    "lib/carpool.rb",
+    "lib/carpool/driver.rb",
+    "lib/carpool/encryptor.rb",
+    "lib/carpool/mixins/action_controller.rb",
+    "lib/carpool/mixins/action_view.rb",
+    "lib/carpool/mixins/core.rb",
+    "lib/carpool/passenger.rb",
+    "lib/carpool/rails/railtie.rb",
+    "lib/carpool/responder.rb",
+    "lib/carpool/seatbelt.rb",
+    "test/helper.rb",
+    "test/test_carpool.rb"
   ]
   s.homepage = %q{http://github.com/kurbmedia/carpool}
-  s.rdoc_options = ["--charset=UTF-8"]
   s.require_paths = ["lib"]
   s.rubygems_version = %q{1.3.7}
   s.summary = %q{Single Sign On solution for Rack-Based applications}
   s.test_files = [
     "test/helper.rb",
-     "test/test_carpool.rb"
+    "test/test_carpool.rb"
   ]
 
   if s.respond_to? :specification_version then

data/init.rb

@@ -1 +1 @@
-require 'carpool'
+require 'carpool'

data/lib/carpool.rb

@@ -1,23 +1,18 @@
 require 'carpool/mixins/core'
+require 'carpool/responder'
+require 'carpool/encryptor'
 require 'carpool/driver'
 require 'carpool/passenger'
 require 'carpool/seatbelt'
 require 'base64'
+require 'fast-aes'
 
 require 'carpool/rails/railtie' if defined?(Rails) && defined?(Rails::Railtie)
 
 module Carpool
   
   class << self
-    
-    def auth_attempt=(bool)
-      @auth_attempt = bool
-    end
-    
-    def auth_attempt?
-      @auth_attempt ||= false
-    end
-    
+      
     def driver_uri
       "#{Carpool::Passenger.driver_uri}/sso/authenticate"
     end
@@ -31,26 +26,7 @@ module Carpool
     def acts_as?(type)
       @acts_as == type.to_sym
     end
-    
-    def redirect_request(loc, message = "Redirecting")
-      [302,
-        { 'Content-Type'   => 'text/plain', 
-          'Location'       => loc,
-          'Cache-Control'  => 'private, no-cache, max-age=0, must-revalidate',
-          'Content-Length' => "#{message.to_s.length}"
-        }, message]
-    end
-    
-  end
-  
-  def self.generate_site_key(url)
-    digest = Digest::SHA256.new
-    digest.update(url)
-    Base64.encode64(digest.digest).gsub( /\s/, '')
-  end
-  
-  def self.unpack_key(key)
-    Base64.decode64(key)
+
   end
     
 end

data/lib/carpool/driver.rb

@@ -7,8 +7,7 @@ module Carpool
     include Carpool::Mixins::Core
     
     class << self
-      
-      attr_accessor :site_key
+  
       attr_accessor :unauthorized_uri
       attr_accessor :revoke_uri
       
@@ -16,14 +15,8 @@ module Carpool
         @passengers ||= []
       end
       
-      def passenger(url, options = {})
-        options[:site_key] ||= Carpool.generate_site_key(url)
-        options[:secret]   ||= Carpool.generate_site_key(url.reverse)
-        passengers << { url => options }
-      end
-      
-      def site_key
-        @site_key ||= Carpool.generate_site_key(@env['HTTP_HOST'])
+      def passenger(url, secret)
+        passengers << { :host => url, :secret => secret }
       end
       
     end
@@ -36,73 +29,39 @@ module Carpool
     end
     
     def call(env)
+      @env = env      
       
-      @env = env
-      carpool_cookies['scope'] = "driver"
-      
-      # TODO: See if this is even necessary? Basically make sure auth_attempt
-      # is set to true if current_passenger is set. This value shouldn't be set if we've already
-      # processed a passenger.
-      Carpool.auth_attempt = true if carpool_cookies['current_passenger']
+      env['carpool'] = Carpool::Seatbelt.new(env) unless env['carpool'] && env['carpool'] != Carpool::Seatbelt
+      return revoke_all_instances! if is_revoking?       
 
-      # Unless we are trying to authenticate a passenger, just continue through the stack.
-      return @app.call(env) unless valid_request? && valid_referrer? 
-
-      # Parse the referring site
-      referrer = URI.parse(@env['HTTP_REFERER'])
-      
-      # Unless this domain is listed as a potential passenger, issue a 500.
-      current_passenger = Carpool::Driver.passengers.reject{ |p| !p.keys.first.downcase.include?(referrer.host) }
-      if current_passenger.nil? or current_passenger.empty?
-        return [500, {'Content-Type'=>'text/plain'}, 'Unauthorized request.']
-      end
-      
-      # We are logging out this user, clear out our cookies and reset the session, then pass the request to the normal revoke path.
-      if is_revoking?
-        destroy_session!
-        set_new_path(Carpool::Driver.revoke_uri)
-        return @app.call(env)
-      end
-      
-      carpool_cookies['current_passenger'] = current_passenger.first[referrer.host.to_s]
+      if valid_request?
+        manager.auth_request!
+        unless manager.authentication_exists?
+          return Carpool::Responder.authenticate
+        end
+      end      
       
-      # Attempt to find an existing driver session.
-      # If one is found, redirect back to the passenger site and include our seatbelt
-      # The seatbelt includes two parts:
-      #   1) The referring uri, so that Carpool::Passenger on the other end can send the user back to their location one authenticated
-      #   2) The session payload. This is an AES encrypted hash of whatever attributes you've made available. The encrypted hash is
-      #      keyed with the site_key and secret of the referring site for extra security.
-      #
-      if carpool_passenger_token
-        seatbelt = SeatBelt.new(env)
-        seatbelt.set_referrer(referrer)
-        seatbelt = seatbelt.create_payload!
-        Carpool.auth_attempt  = false
-        cleanup_session!
-        return Carpool.redirect_request(seatbelt, 'Approved!')
+      result = catch(:carpool) do
+        @app.call(env)
       end
       
-      Carpool.auth_attempt = true
-      carpool_cookies['redirect_to'] = referrer
-      
-      set_new_path(Carpool::Driver.unauthorized_uri)
-      return @app.call(env)
-      
+      return result
+
     end
     
     private
     
-    def valid_referrer?
-      !(@env['HTTP_REFERER'].nil? or @env['HTTP_REFERER'].blank?)
-    end
-    
     def valid_request?
-      @env['PATH_INFO'].downcase == "/sso/authenticate" || @env['PATH_INFO'].downcase == "/sso/revoke"
+      (@env['PATH_INFO'].downcase == "/sso/authenticate" || @env['PATH_INFO'].downcase == "/sso/revoke") && !@env['HTTP_REFERER'].to_s.blank?
     end
     
     def is_revoking?
       @env['PATH_INFO'].downcase == "/sso/revoke"
     end
     
+    def revoke_all_instances!
+      [307, {"Location" => Carpool::Driver.revoke_uri}, "Revoking global access."]
+    end
+    
   end
 end

data/lib/carpool/encryptor.rb

@@ -0,0 +1,52 @@
+require 'fast-aes'
+module Carpool
+  class Encryptor
+    
+    def self.generate_token(user_hash, token)
+      digest  = self.create_digest(token)
+      aes     = FastAES.new(digest.digest)  
+      encoded = self.encode(user_hash)
+      self.encode64(aes.encrypt(encoded))
+    end
+    
+    def self.generate_payload(redirection, user_token)
+      self.encode64(Marshal.dump({:redirect_to => redirection, :user => user_token}))
+    end
+    
+    def self.process_seatbelt(seatbelt)
+      seatbelt = Marshal.load(Base64.decode64(seatbelt))
+      {
+        :redirect_to => seatbelt[:redirect_to],
+        :user        => self.recover_user(seatbelt[:user])
+      }
+    end
+    
+    private
+    
+    def self.create_digest(data)
+      digest = Digest::SHA256.new
+      digest.update(data)
+    end
+    
+    def self.encode(data)
+      object = Marshal.dump(data)
+      self.encode64(object)
+    end
+    
+    def self.encode64(data)
+      Base64.encode64(data).gsub(/\s/, '')
+    end
+    
+    def self.decode(data)
+      object = Base64.decode64(data)
+      Marshal.load(object)
+    end
+      
+    def self.recover_user(user_token)
+      digest = self.create_digest(Carpool::Passenger.secret)
+      aes = FastAES.new(digest.digest)
+      self.decode(aes.decrypt(Base64.decode64(user_token)))
+    end
+    
+  end
+end

data/lib/carpool/mixins/action_controller.rb

@@ -10,38 +10,16 @@ module Carpool
         Carpool.revoke_uri
       end
       
-      def carpool_can_authenticate?
-        !([carpool_rack_env['X-CARPOOL-PAYLOAD']].flatten.empty?)
-      end
-      
-      def carpool_user
-        @_carpool_user
-      end
-      
-      def fasten_seatbelt(user)
-        Carpool::SeatBelt.new(carpool_rack_env).fasten!(user)
-      end
-      
-      def fasten_seatbelt!(user)
-        redirect_to fasten_seatbelt(user)
-      end
-      
-      def remove_seatbelt!
-        seatbelt = Carpool::SeatBelt.new(carpool_rack_env).remove!
-        @_carpool_user = seatbelt.user
-        seatbelt
+      def carpool_manager
+        carpool_rack_env['carpool']
       end
+            
+      private
       
-      def revoke_authentication!
-        if Carpool.acts_as?(:driver)
-          carpool_rack_env.delete('carpool.cookies')
-        else
-          redirect_to carpool_logout_url
-        end
+      def carpool_rack_request
+        @_request = Rack::Request.new(carpool_rack_env)
       end
       
-      private
-      
       def carpool_rack_env
         (defined?(env) ? env : request.env)
       end

data/lib/carpool/mixins/core.rb

@@ -10,34 +10,38 @@ module Carpool
         
         def carpool_cookies
           session['carpool.cookies'] ||= {}
-        end
+        end        
         
-        def carpool_passenger_token
-          carpool_cookies['passenger_token']
+        def request
+          @request ||= Rack::Request.new(@env)
         end
         
-        def carpool_passenger_token=(token)
-          carpool_cookies['passenger_token'] = token
+        def session
+          request.session
         end
         
         def cleanup_session!
-          ['redirect_to', 'current_passenger'].each{ |k| carpool_cookies.delete(k) }
+          carpool_cookies.delete('requesting_authentication')
+          carpool_cookies.delete('passenger_uri')
         end
         
         def destroy_session!
-          session.clear
+          cleanup_session!
+          carpool_cookies = {}
+          session.delete('carpool.cookies')
         end
         
-        def request
-          @request ||= Rack::Request.new(@env)
+        def manager
+          @env['carpool']
         end
         
-        def session
-          @env['rack.session']
+        def carpool_passenger_tokens
+          carpool_cookies['passenger_tokens'] ||= []
         end
         
-        def set_new_path(p)
-          @env['PATH_INFO'] = p
+        def update_authentication!(new_token)
+          carpool_passenger_tokens << new_token
+          carpool_passenger_tokens.uniq!
         end
         
       end

data/lib/carpool/passenger.rb

@@ -1,5 +1,3 @@
-require 'net/http'
-
 module Carpool
   class Passenger
     
@@ -21,43 +19,21 @@ module Carpool
     
     def call(env)
       @env = env
-      @params = CGI.parse(env['QUERY_STRING'])
       
-      carpool_cookies['scope'] ||= "passenger"
+      env['carpool'] = Carpool::Seatbelt.new(env) unless env['carpool'] && env['carpool'] != Carpool::Seatbelt
       
-      # If this isn't an authorize request from the driver, just ignore it.
-      return @app.call(env) unless valid_request? && valid_referrer?
-      
-      # If we can't find our payload, then we need to abort.
-      return [500, {}, 'Invalid seatbelt.'] if @params['seatbelt'].nil? or @params['seatbelt'].blank?
-      
-      # Set a custom HTTP header for our payload and send the request to the user's /sso/authorize handler.
-      env['X-CARPOOL-PAYLOAD'] = @params['seatbelt']
-      
-      return @app.call(env)
+      return @app.call(env) unless valid_request?
+      result = catch(:carpool) do
+        @app.call(env)
+      end
+      return result
       
     end
     
     private
     
     def valid_request?
-      @env['PATH_INFO'] == "/sso/authorize" || @env['PATH_INFO'] == "/sso/remote_authentication"
-    end
-    
-    def valid_referrer?
-      return false if @env['HTTP_REFERER'].nil? or @env['HTTP_REFERER'].blank?
-      return false if @params['driver'].nil?    or @params['driver'].blank?
-      
-      referring_uri = @params['driver'].to_s
-      secret_match  = Digest::SHA256.new
-      secret_match  = secret_match.update(Carpool::Passenger.secret).to_s
-      referring_uri = referring_uri.to_s.gsub(/(\[|\]|\")/,'') # TODO: Figure out why ruby 1.9.2 has extra chars.
-      secret_match  = secret_match.to_s
-      referring_uri == secret_match
-    end
-    
-    def authenticate_from_remote!
-      
+      @env['PATH_INFO'] == "/sso/authorize"
     end
     
   end

data/lib/carpool/responder.rb

@@ -0,0 +1,19 @@
+module Carpool
+  
+  class Responder
+    
+    def self.authenticate
+      [307, {"Location" => Carpool::Driver.unauthorized_uri}, "Redirecing for authentication."]
+    end
+    
+    def self.passenger_redirect(passenger, payload)
+      new_uri  = "#{passenger.scheme}://"
+      new_uri << passenger.host
+      new_uri << ((passenger.port != 80 && passenger.port != 443) ? ":#{passenger.port}" : "")
+      new_uri << "/sso/authorize?seatbelt=#{payload}"
+      [303, {"Location" => new_uri}, "Redirecting...."]
+    end
+    
+  end
+  
+end

data/lib/carpool/seatbelt.rb

@@ -1,95 +1,66 @@
-require 'fast-aes'
-require 'yaml'
-
 module Carpool
-  class SeatBelt
+  class Seatbelt
     
     include Carpool::Mixins::Core
     
-    attr_accessor :env
-    attr_accessor :redirect_uri
-    attr_accessor :user
+    attr_accessor :env, :current_passenger, :current_user, :redirect_to
     
-    # SeatBelt instances require access to the rack environment.
     def initialize(env)
       @env = env
     end
     
-    # 'Attaches' the current user into the session so it can be re-authenticated when
-    # a passenger requests it at a later date. We 'fasten' the users seatbelt for the trip back to the
-    # referring site.
-    # Fasten! returns a url for redirection back to our passenger site including the seatbelt used for authentication
-    # on the other end.
-    #
-    def fasten!(user)
-      carpool_cookies['passenger_token'] = generate_token(user)
-      Carpool.auth_attempt = false
-      payload = create_payload!
-      cleanup_session!
-      payload
+    def authentication_exists?
+      !carpool_passenger_tokens.empty?
     end
     
-    # Restore the user from our payload. We 'remove' their seatbelt because they have arrived!
-    def remove!
-      payload  = @env['X-CARPOOL-PAYLOAD']
-      payload  = payload.flatten.first if payload.is_a?(Array) # TODO: Figure out why our header is an array?
-      seatbelt = YAML.load(Base64.decode64(CGI.unescape(payload))).to_hash
-      seatbelt = stringify_keys(seatbelt)
-      user     = Base64.decode64(seatbelt['user'])
-      key      = Carpool.generate_site_key(@env['SERVER_NAME'])
-      secret   = Carpool::Passenger.secret
-      digest   = Digest::SHA256.new
-      digest.update("#{key}--#{secret}")
-      aes  = FastAES.new(digest.digest)
-      data = aes.decrypt(user)
-      @redirect_uri = seatbelt['redirect_uri'].to_s
-      @user         = YAML.load(data).to_hash
-      self
+    def authenticate!
+      throw(:carpool, Carpool::Responder.authenticate) unless authentication_exists?
     end
     
-    # Create a redirection payload to be sent back to our passenger
-    def create_payload!
-      seatbelt = self.to_s
-      referrer = carpool_cookies['redirect_to']
-      driver   = Digest::SHA256.new
-      driver   = driver.update(carpool_cookies['current_passenger'][:secret]).to_s
-      new_uri  = "#{referrer.scheme}://"
-      new_uri << referrer.host
-      new_uri << ((referrer.port != 80 && referrer.port != 443) ? ":#{referrer.port}" : "")
-      new_uri << "/sso/authorize?seatbelt=#{seatbelt}&driver=#{driver}"
+    def authorize!(user = nil)
+      unless Carpool.acts_as?(:passenger)
+        return false unless auth_request?
+        update_authentication!(passenger_for_auth[:secret])
+        token   = Carpool::Encryptor.generate_token(user.encrypted_credentials, passenger_for_auth[:secret])
+        payload = Carpool::Encryptor.generate_payload(current_passenger, token)        
+        throw(:carpool, Carpool::Responder.passenger_redirect(current_passenger, payload))        
+      else
+        seatbelt = Carpool::Encryptor.process_seatbelt(request.params['seatbelt'])
+        throw(:carpool, Carpool::Responder.invalid) and return unless seatbelt[:user].is_a?(Hash)
+        @current_user = seatbelt[:user]
+        @redirect_to  = seatbelt[:redirect_to]
+      end
     end
     
-    def to_s
-      CGI.escape(Base64.encode64({ 'redirect_uri' => carpool_cookies['redirect_to'].to_s, 'user' => carpool_cookies['passenger_token'] }.to_yaml.to_s).gsub( /\s/, ''))
+    def auth_request!
+      return if auth_request?
+      carpool_cookies['passenger_uri'] = @env['HTTP_REFERER']
+      carpool_cookies['requesting_authentication'] = true
     end
     
-    def set_referrer(ref)
-      carpool_cookies['redirect_to'] = ref
+    def auth_request?
+      carpool_cookies['requesting_authentication'] && carpool_cookies['requesting_authentication'] == true
     end
     
-    private
+    def current_passenger
+      URI.parse(carpool_cookies['passenger_uri'])
+    end
     
-    def generate_token(user)
-      referrer  = carpool_cookies['redirect_to']
-      passenger = Carpool::Driver.passengers.reject{ |p| p.keys.first.downcase != referrer.host }.first.values.first
-            
-      digest    = Digest::SHA256.new
-      digest.update("#{passenger[:site_key]}--#{passenger[:secret]}")
-      aes = FastAES.new(digest.digest)
-      Base64.encode64(aes.encrypt(gather_credentials(user).to_yaml.to_s)).gsub( /\s/, '')
-      
+    def revoke!
+      destroy_session!
     end
     
-    def gather_credentials(user)
-      user.encrypted_credentials
+    def success!
+      throw(:carpool, [303, {"Location" => @redirect_to.to_s}, "Authorized!"])
     end
     
-    def stringify_keys(hash)
-      hash.inject({}) do |options, (key, value)|
-        options[key.to_s] = value
-        options
-      end
+    private
+    
+    def passenger_for_auth
+      passenger = Carpool::Driver.passengers.detect{ |p| p[:host].downcase.include?(current_passenger.host.downcase) }
+      throw(:carpool, Carpool::Responder.invalid) and return if current_passenger.nil?
+      passenger
     end
-        
-  end
+
+  end  
 end

metadata

@@ -4,9 +4,9 @@ version: !ruby/object:Gem::Version
   prerelease: false
   segments: 
   - 0
-  - 2
-  - 2
-  version: 0.2.2
+  - 3
+  - 0
+  version: 0.3.0
 platform: ruby
 authors: 
 - Brent Kirby
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-11-14 00:00:00 -05:00
+date: 2010-12-06 00:00:00 -05:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -54,7 +54,6 @@ extra_rdoc_files:
 - README.md
 files: 
 - .document
-- .gitignore
 - LICENSE
 - README.md
 - Rakefile
@@ -63,11 +62,13 @@ files:
 - init.rb
 - lib/carpool.rb
 - lib/carpool/driver.rb
+- lib/carpool/encryptor.rb
 - lib/carpool/mixins/action_controller.rb
 - lib/carpool/mixins/action_view.rb
 - lib/carpool/mixins/core.rb
 - lib/carpool/passenger.rb
 - lib/carpool/rails/railtie.rb
+- lib/carpool/responder.rb
 - lib/carpool/seatbelt.rb
 - test/helper.rb
 - test/test_carpool.rb
@@ -76,8 +77,8 @@ homepage: http://github.com/kurbmedia/carpool
 licenses: []
 
 post_install_message: 
-rdoc_options: 
-- --charset=UTF-8
+rdoc_options: []
+
 require_paths: 
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement 

data/.gitignore

@@ -1,21 +0,0 @@
-## MAC OS
-.DS_Store
-
-## TEXTMATE
-*.tmproj
-tmtags
-
-## EMACS
-*~
-\#*
-.\#*
-
-## VIM
-*.swp
-
-## PROJECT::GENERAL
-coverage
-rdoc
-pkg
-
-## PROJECT::SPECIFIC