cloudkit-jruby 0.11.2

data/lib/cloudkit/oauth_store.rb

@@ -0,0 +1,48 @@
+module CloudKit
+
+  # An OAuthStore is a thin abstraction around CloudKit::Store, providing
+  # consistent collection names, and allowing automatic upgrades in later
+  # releases if needed.
+  class OAuthStore
+    @@store = nil
+
+    # Initialize a Store for use with OAuth middleware. Load the static consumer
+    # resource if it does not exist.
+    def initialize
+      @@store = Store.new(
+        :collections => [
+          :cloudkit_oauth_nonces,
+          :cloudkit_oauth_tokens,
+          :cloudkit_oauth_request_tokens,
+          :cloudkit_oauth_consumers]
+        ) unless @@store
+      load_static_consumer
+    end
+
+    def get(uri, options={}) #:nodoc:
+      @@store.get(CloudKit::URI.new(uri), options)
+    end
+
+    def post(uri, options={}) #:nodoc:
+      @@store.post(CloudKit::URI.new(uri), options)
+    end
+
+    def put(uri, options={}) #:nodoc:
+      @@store.put(CloudKit::URI.new(uri), options)
+    end
+
+    def delete(uri, options={}) #:nodoc:
+      @@store.delete(CloudKit::URI.new(uri), options)
+    end
+
+    # Return the version number for this store.
+    def version; 1; end
+
+    # Load the static consumer entity if it does not already exist.
+    # See the OAuth Discovery spec for more info on static consumers.
+    def load_static_consumer
+      json = JSON.generate(:secret => '')
+      @@store.put(CloudKit::URI.new('/cloudkit_oauth_consumers/cloudkitconsumer'), :json => json)
+    end
+  end
+end

data/lib/cloudkit/openid_filter.rb

@@ -0,0 +1,236 @@
+module CloudKit
+
+  # An OpenIDFilter provides OpenID authentication, listening for upstream
+  # OAuth authentication and bypassing if already authorized.
+  #
+  # The root URI, "/", is always bypassed. More URIs can also be bypassed using
+  # the :allow option:
+  #
+  #   use Rack::Session::Pool
+  #   use OpenIDFilter, :allow => ['/foo', '/bar']
+  #
+  # In addition to the :allow option, a block can also be used for more complex
+  # decisions:
+  #
+  #   use Rack::Session::Pool
+  #   use OpenIDFilter, :allow => ['/foo'] do |url|
+  #     bar(url) # some method returning true or false
+  #   end
+  #
+  # Responds to the following URIs:
+  #   /login
+  #   /logout
+  #   /openid_complete
+  #
+  class OpenIDFilter
+    include Util
+
+    @@lock  = Mutex.new
+    @@store = nil
+
+    def initialize(app, options={}, &bypass_route_callback)
+      @app     = app
+      @options = options
+      @bypass_route_callback = bypass_route_callback || Proc.new {|url| url == '/'}
+    end
+
+    def call(env)
+      @@lock.synchronize do
+        @@store = OpenIDStore.new
+        @users  = UserStore.new
+      end unless @@store
+
+      request = Request.new(env)
+      request.announce_auth(CLOUDKIT_OPENID_FILTER_KEY)
+
+      case request
+      when r(:get, request.login_url); request_login(request)
+      when r(:post, request.login_url); begin_openid_login(request)
+      when r(:get, '/openid_complete'); complete_openid_login(request)
+      when r(:post, request.logout_url); logout(request)
+      else
+        if bypass?(request)
+          @app.call(env)
+        else
+          if request.env[CLOUDKIT_AUTH_CHALLENGE]
+            store_location(request)
+            erb(
+              request,
+              :openid_login,
+              request.env[CLOUDKIT_AUTH_CHALLENGE].merge('Content-Type' => 'text/html'),
+              401)
+          elsif !request.via.include?(CLOUDKIT_OAUTH_FILTER_KEY)
+            store_location(request)
+            login_redirect(request)
+          else
+            Rack::Response.new('server misconfigured', 500).finish
+          end
+        end
+      end
+    end
+
+    def logout(request)
+      user_uri = request.session.delete('user_uri')
+      result   = @users.get(user_uri)
+      user     = result.parsed_content
+      user.delete('remember_me_token')
+      user.delete('remember_me_expiration')
+      json = JSON.generate(user)
+      @users.put(user_uri, :etag => result.etag, :json => json)
+
+      request.env[CLOUDKIT_AUTH_KEY] = nil
+      request.flash['info'] = 'You have been logged out.'
+      response = Rack::Response.new(
+        [],
+        302,
+        {'Location' => request.login_url, 'Content-Type' => 'text/html'})
+      response.delete_cookie('remember_me')
+      response.finish
+    end
+
+    def request_login(request)
+      erb(request, :openid_login)
+    end
+
+    def begin_openid_login(request)
+      begin
+        response = openid_consumer(request).begin(request[:openid_url])
+      rescue => e
+        request.flash[:error] = e
+        return login_redirect(request)
+      end
+
+      redirect_url = response.redirect_url(base_url(request), full_url(request))
+      Rack::Response.new([], 302, {'Location' => redirect_url}).finish
+    end
+
+    def complete_openid_login(request)
+      begin
+        idp_response = openid_consumer(request).complete(request.params, full_url(request))
+      rescue => e
+        request.flash[:error] = e
+        return login_redirect(request)
+      end
+
+      if idp_response.is_a?(OpenID::Consumer::FailureResponse)
+        request.flash[:error] = idp_response.message
+        return login_redirect(request)
+      end
+
+      result = @users.get(
+        '/cloudkit_users',
+        # '/cloudkit_login_view',
+        :identity_url => idp_response.endpoint.claimed_id)
+      user_uris = result.parsed_content['uris']
+
+      if user_uris.empty?
+        json     = JSON.generate(:identity_url => idp_response.endpoint.claimed_id)
+        result   = @users.post('/cloudkit_users', :json => json)
+        user_uri = result.parsed_content['uri']
+      else
+        user_uri = user_uris.first
+      end
+      user_result = @users.resolve_uris([user_uri]).first
+      user        = user_result.parsed_content
+
+      if request.session['user_uri'] = user_uri
+        request.current_user = user_uri
+        user['remember_me_expiration'] = two_weeks_from_now
+        user['remember_me_token'] = Base64.encode64(
+          OpenSSL::Random.random_bytes(32)).gsub(/\W/,'')
+        url      = request.session.delete('return_to')
+        response = Rack::Response.new(
+          [],
+          302,
+          {'Location' => (url || '/'), 'Content-Type' => 'text/html'})
+        response.set_cookie(
+          'remember_me', {
+            :value   => user['remember_me_token'],
+            :expires => Time.at(user['remember_me_expiration']).utc})
+        json = JSON.generate(user)
+        @users.put(user_uri, :etag => user_result.etag, :json => json)
+        request.flash[:notice] = 'You have been logged in.'
+        response.finish
+      else
+        request.flash[:error] = 'Could not log on with your OpenID.'
+        login_redirect(request)
+      end
+    end
+
+    def login_redirect(request)
+      Rack::Response.new([], 302, {'Location' => request.login_url}).finish
+    end
+
+    def base_url(request)
+      "#{request.scheme}://#{request.env['HTTP_HOST']}/"
+    end
+
+    def full_url(request)
+      base_url(request) + 'openid_complete'
+    end
+
+    def logged_in?(request)
+      logged_in = user_in_session?(request) || valid_remember_me_token?(request)
+      request.current_user = request.session['user_uri'] if logged_in
+      logged_in
+    end
+
+    def user_in_session?(request)
+      request.session['user_uri'] != nil
+    end
+
+    def store_location(request)
+      request.session['return_to'] = request.url
+    end
+
+    def root_request?(request)
+      request.path_info == '/' || request.path_info == '/favicon.ico'
+    end
+
+    def valid_auth_key?(request)
+      request.env[CLOUDKIT_AUTH_KEY] && request.env[CLOUDKIT_AUTH_KEY] != ''
+    end
+
+    def openid_consumer(request)
+      @openid_consumer ||= OpenID::Consumer.new(
+        request.session, OpenIDStore.new)
+    end
+
+    def valid_remember_me_token?(request)
+      return false unless token = request.cookies['remember_me']
+
+      # result = @users.get('/cloudkit_login_view', :remember_me_token => token)
+      result = @users.get('/cloudkit_users', :remember_me_token => token)
+      return false unless result.status == 200
+
+      user_uris = result.parsed_content['uris']
+      return false unless user_uris.try(:size) == 1
+
+      user_uri    = user_uris.first
+      user_result = @users.resolve_uris([user_uri]).first
+      user        = user_result.parsed_content
+      return false unless Time.now.to_i < user['remember_me_expiration']
+
+      user['remember_me_expiration'] = two_weeks_from_now
+      json = JSON.generate(user)
+      @users.put(user_uri, :etag => user_result.etag, :json => json)
+      request.session['user_uri'] = user_uri
+      true
+    end
+
+    def two_weeks_from_now
+      Time.now.to_i+1209600
+    end
+
+    def allow?(uri)
+      @bypass_route_callback.call(uri) || 
+        @options[:allow] && @options[:allow].include?(uri)
+    end
+
+    def bypass?(request)
+      allow?(request.path_info) ||
+        valid_auth_key?(request) ||
+        logged_in?(request)
+    end
+  end
+end

data/lib/cloudkit/openid_store.rb

@@ -0,0 +1,100 @@
+require 'openid/store/interface'
+module CloudKit
+
+  # An OpenIDStore provides the interface expected by the ruby-openid gem,
+  # mapping it to a CloudKit::Store instance.
+  class OpenIDStore < OpenID::Store::Interface
+    @@store = nil
+
+    # Initialize an OpenIDStore.
+    def initialize
+      unless @@store
+        @@store = Store.new(
+          :collections => [:cloudkit_openid_associations, :cloudkit_openid_nonces])
+      end
+    end
+
+    def get_association(server_url, handle=nil) #:nodoc:
+      options = {:server_url => server_url}
+      options.merge!(:handle => Base64.encode64(handle)) if (handle && handle != '')
+      result = @@store.get(CloudKit::URI.new('/cloudkit_openid_associations'), options)
+      return nil unless result.status == 200
+      return nil if result.parsed_content['total'] == 0
+
+      ignore, associations = resolve_associations(result.parsed_content)
+      return nil if associations.empty?
+
+      associations.sort_by{|a| a['issued']}
+      a = associations[-1]
+      OpenID::Association.new(
+        Base64.decode64(a['handle']),
+        Base64.decode64(a['secret']),
+        Time.at(a['issued']),
+        a['lifetime'],
+        a['assoc_type'])
+    end
+
+    def remove_association(server_url, handle) #:nodoc:
+      result = @@store.get(
+        CloudKit::URI.new('/cloudkit_openid_associations'),
+        :server_url => server_url,
+        :handle     => Base64.encode64(handle))
+      return nil unless result.status == 200
+
+      responses, associations = resolve_associations(result.parsed_content)
+      return nil if associations.empty?
+
+      uris = result.parsed_content['uris']
+      responses.each_with_index do |r, index|
+        @@store.delete(CloudKit::URI.new(uris[index]), :etag => r.etag)
+      end
+    end
+
+    def store_association(server_url, association) #:nodoc:
+      remove_association(server_url, association.handle)
+      json = JSON.generate(
+        :server_url => server_url,
+        :handle     => Base64.encode64(association.handle),
+        :secret     => Base64.encode64(association.secret),
+        :issued     => association.issued.to_i,
+        :lifetime   => association.lifetime,
+        :assoc_type => association.assoc_type)
+      result = @@store.post(CloudKit::URI.new('/cloudkit_openid_associations'), :json => json)
+      return (result.status == 201)
+    end
+
+    def use_nonce(server_url, timestamp, salt) #:nodoc:
+      return false if (timestamp - Time.now.to_i).abs > OpenID::Nonce.skew
+
+      fragment = ::URI.escape(
+        [server_url, timestamp, salt].join('-'), 
+        Regexp.union(::URI::REGEXP::UNSAFE, '/', ':'))
+      uri    = "/cloudkit_openid_nonces/#{fragment}"
+      result = @@store.put(CloudKit::URI.new(uri), :json => '{}')
+      return (result.status == 201)
+    end
+
+    def self.cleanup #:nodoc:
+      # TODO
+    end
+
+    def self.cleanup_associations #:nodoc:
+      # TODO
+    end
+
+    def self.cleanup_nonces #:nodoc:
+      # TODO
+    end
+
+    # Return the version number for this store.
+    def version; 1; end
+
+    protected
+
+    def resolve_associations(parsed_content) #:nodoc:
+      uri_list = parsed_content['uris'].map! { |u| CloudKit::URI.new(u) }
+      association_responses = @@store.resolve_uris(uri_list)
+      return association_responses, association_responses.map{|a| a.parsed_content}
+    end
+  end
+end

data/lib/cloudkit/rack/builder.rb

@@ -0,0 +1,120 @@
+module Rack #:nodoc:
+  class Builder
+    alias_method :cloudkit_to_app, :to_app
+
+    # Extends Rack::Builder's to_app method to detect if the last piece of
+    # middleware in the stack is a CloudKit shortcut (contain or expose), adding
+    # a default developer page at the root and a 404 everywhere else.
+    def to_app
+      default_app = lambda do |env|
+        if (env['PATH_INFO'] == '/')
+          Rack::Response.new(welcome).finish
+        else
+          Rack::Response.new('not found', 404).finish
+        end
+      end
+      @ins << default_app if @last_cloudkit_id == @ins.last.object_id
+      cloudkit_to_app
+    end
+
+    # Setup resource collections hosted behind OAuth and OpenID auth filters.
+    #
+    # ===Example
+    #   contain :notes, :projects
+    #
+    def contain(*args)
+      @ins << lambda do |app|
+        Rack::Session::Pool.new(
+          CloudKit::OAuthFilter.new(
+            CloudKit::OpenIDFilter.new(
+              CloudKit::Service.new(app, :collections => args.to_a))))
+      end
+      @last_cloudkit_id = @ins.last.object_id
+    end
+
+    # Setup resource collections without authentication.
+    #
+    # ===Example
+    #   expose :notes, :projects
+    #
+    def expose(*args)
+      @ins << lambda do |app|
+        CloudKit::Service.new(app, :collections => args.to_a)
+      end
+      @last_cloudkit_id = @ins.last.object_id
+    end
+
+    def welcome #:nodoc:
+doc = <<HTML
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+  <title>CloudKit</title>
+  <style type="text/css">
+    body {
+      font-family: 'Helvetica', 'Arial', san-serif;
+      font-size: 15px;
+      margin: 0;
+      padding: 0;
+      color: #222222;
+    }
+    h1 {
+      font-family: 'Helvetica Neue', 'Helvetica', 'Arial', san-serif;
+      font-size: 73px;
+      font-weight: bold;
+      line-height: 28px;
+      margin: 20px 0px 20px 0px;
+    }
+    .wrapper {
+      width: 500px;
+      margin: 0 auto;
+      clear: both;
+    }
+    p {
+      margin-top: 0px;
+      line-height: 1.5em;
+    }
+    #header {
+      background-color: #ffffcc;
+      display: block;
+      padding: 2px 0;
+      margin: 35px 0px 10px 0px;
+      border-top: 1px solid #ffcc66;
+      border-bottom: 1px solid #ffcc66;
+    }
+    a {
+      color: #6b8df2;
+      text-decoration: none;
+    }
+    .meta {
+      padding: 7px 7px 7px 7px;
+      background-color: #ffccff;
+      border-top: 1px solid #cc99ff;
+      border-bottom: 1px solid #cc99ff;
+      font-size: 14px;
+      display: block;
+      margin: 10px 0px 10px 0px;
+    }
+  </style>
+</head>
+<body>
+  <div id="header">
+    <div class="wrapper">
+      <h1>CloudKit</h1>
+    </div>
+  </div>
+  <div class="meta">
+    <p class="wrapper">
+      This page is appearing because you have not set up a default app in your
+      rackup file. To learn more about CloudKit, check out
+      <a href="http://getcloudkit.com">the site</a>.
+    </p>
+  </div>
+</body>
+</html>
+HTML
+    end
+  end
+end