cloudkit 0.9.0

data/lib/cloudkit/openid_filter.rb

@@ -0,0 +1,198 @@
+module CloudKit
+  
+  # An OpenIDFilter provides OpenID authentication, listening for upstream
+  # OAuth authentication and bypassing if already authorized.
+  #
+  # Responds to the following URIs:
+  #   /login
+  #   /logout
+  #   /openid_complete
+  #
+  class OpenIDFilter
+    include Util
+
+    @@lock = Mutex.new
+    @@store = nil
+
+    def initialize(app, options={})
+      @app = app; @options = options
+    end
+
+    def call(env)
+      @@lock.synchronize do
+        @@store = OpenIDStore.new(env[storage_uri_key])
+        @users = UserStore.new(env[storage_uri_key])
+        @@store.get_association('x') rescue nil # refresh sqlite3
+      end unless @@store
+
+      request = Request.new(env)
+      request.announce_auth(openid_filter_key)
+
+      case request
+      when r(:get, request.login_url); request_login(request)
+      when r(:post, request.login_url); begin_openid_login(request)
+      when r(:get, '/openid_complete'); complete_openid_login(request)
+      when r(:post, request.logout_url); logout(request)
+      else
+        if (root_request?(request) || valid_auth_key?(request) || logged_in?(request))
+          @app.call(env)
+        else
+          if request.env[challenge_key]
+            store_location(request)
+            erb(request, :openid_login, request.env[challenge_key], 401)
+          elsif !request.via.include?(oauth_filter_key)
+            store_location(request)
+            login_redirect(request)
+          else
+            [500, {}, ['server misconfigured']]
+          end
+        end
+      end
+    end
+
+    def logout(request)
+      user_uri = request.session.delete('user_uri')
+      result   = @users.get(user_uri)
+      user     = result.parsed_content
+      user.delete('remember_me_token')
+      user.delete('remember_me_expiration')
+      json = JSON.generate(user)
+      @users.put(user_uri, :etag => result.etag, :json => json)
+
+      request.env[auth_key] = nil
+      request.flash['info'] = 'You have been logged out.'
+      response = Rack::Response.new([], 302, {'Location' => request.login_url})
+      response.delete_cookie('remember_me')
+      response.finish
+    end
+
+    def request_login(request)
+      erb(request, :openid_login)
+    end
+
+    def begin_openid_login(request)
+      begin
+        response = openid_consumer(request).begin request[:openid_url]
+      rescue => e
+        request.flash[:error] = e
+        return login_redirect(request)
+      end
+
+      redirect_url = response.redirect_url(base_url(request), full_url(request))
+      [302, {'Location' => redirect_url}, []]
+    end
+
+    def complete_openid_login(request)
+      begin
+        idp_response = openid_consumer(request).complete(request.params, full_url(request))
+      rescue => e
+        request.flash[:error] = e
+        return login_redirect(request)
+      end
+
+      if idp_response.is_a?(OpenID::Consumer::FailureResponse)
+        request.flash[:error] = idp_response.message
+        return login_redirect(request)
+      end
+
+      result = @users.get(
+        '/cloudkit_login_view',
+        :identity_url => idp_response.endpoint.claimed_id)
+      user_uris = result.parsed_content['uris']
+
+      if user_uris.empty?
+        json     = JSON.generate(:identity_url => idp_response.endpoint.claimed_id)
+        result   = @users.post('/cloudkit_users', :json => json)
+        user_uri = result.parsed_content['uri']
+      else
+        user_uri = user_uris.first
+      end
+      user_result = @users.resolve_uris([user_uri]).first
+      user        = user_result.parsed_content
+
+      if request.session['user_uri'] = user_uri
+        request.current_user = user_uri
+        user['remember_me_expiration'] = two_weeks_from_now
+        user['remember_me_token'] = Base64.encode64(
+          OpenSSL::Random.random_bytes(32)).gsub(/\W/,'')
+        url      = request.session.delete('return_to')
+        response = Rack::Response.new([], 302, {'Location' => (url || '/')})
+        response.set_cookie(
+          'remember_me', {
+            :value => user['remember_me_token'],
+            :expires => Time.at(user['remember_me_expiration']).utc})
+        json = JSON.generate(user)
+        @users.put(user_uri, :etag => user_result.etag, :json => json)
+        request.flash[:notice] = 'You have been logged in.'
+        response.finish
+      else
+        request.flash[:error] = 'Could not log on with your OpenID.'
+        login_redirect(request)
+      end
+    end
+
+    def login_redirect(request)
+      [302, {'Location' => request.login_url}, []]
+    end
+
+    def base_url(request)
+      "#{request.scheme}://#{request.env['HTTP_HOST']}/"
+    end
+
+    def full_url(request)
+      base_url(request) + 'openid_complete'
+    end
+
+    def logged_in?(request)
+      logged_in = user_in_session?(request) || valid_remember_me_token?(request)
+      request.current_user = request.session['user_uri'] if logged_in
+      logged_in
+    end
+
+    def user_in_session?(request)
+      request.session['user_uri'] != nil
+    end
+
+    def store_location(request)
+      request.session['return_to'] = request.url
+    end
+
+    def root_request?(request)
+      request.path_info == '/' || request.path_info == '/favicon.ico'
+    end
+
+    def valid_auth_key?(request)
+      request.env[auth_key] && request.env[auth_key] != ''
+    end
+
+    def openid_consumer(request)
+      @openid_consumer ||= OpenID::Consumer.new(
+        request.session, OpenIDStore.new)
+    end
+
+    def valid_remember_me_token?(request)
+      return false unless token = request.cookies['remember_me']
+
+      result = @users.get('/cloudkit_login_view', :remember_me_token => token)
+      return false unless result.status == 200
+
+      user_uris = result.parsed_content['uris']
+      return false unless user_uris.try(:size) == 1
+
+      user_uri    = user_uris.first
+      user_result = @users.resolve_uris([user_uri]).first
+      user        = user_result.parsed_content
+      return false unless Time.now.to_i < user['remember_me_expiration']
+
+      user['remember_me_expiration'] = two_weeks_from_now
+      json = JSON.generate(user)
+      @users.put(user_uri, :etag => user_result.etag, :json => json)
+      request.session['user_uri'] = user_uri
+      true
+    end
+
+    def two_weeks_from_now
+      Time.now.to_i+1209600
+    end
+  end
+end

data/lib/cloudkit/openid_store.rb

@@ -0,0 +1,101 @@
+require 'openid/store/interface'
+module CloudKit
+
+  # An OpenIDStore provides the interface expected by the ruby-openid gem,
+  # mapping it to a CloudKit::Store instance.
+  class OpenIDStore < OpenID::Store::Interface
+    @@store = nil
+
+    # Initialize an OpenIDStore and its required views.
+    def initialize(uri=nil)
+      unless @@store
+        association_view = ExtractionView.new(
+          :cloudkit_openid_server_handles,
+          :observe => :cloudkit_openid_associations,
+          :extract => [:server_url, :handle])
+        @@store = Store.new(
+          :collections => [:cloudkit_openid_associations, :cloudkit_openid_nonces],
+          :views       => [association_view],
+          :adapter     => SQLAdapter.new(uri))
+      end
+    end
+
+    def get_association(server_url, handle=nil) #:nodoc:
+      options = {:server_url => server_url}
+      options.merge!(:handle => Base64.encode64(handle)) if (handle && handle != '')
+      result = @@store.get('/cloudkit_openid_server_handles', options)
+      return nil unless result.status == 200
+      return nil if result.parsed_content['total'] == 0
+
+      ignore, associations = resolve_associations(result.parsed_content)
+      return nil if associations.empty?
+
+      associations.sort_by{|a| a['issued']}
+      a = associations[-1]
+      OpenID::Association.new(
+        Base64.decode64(a['handle']),
+        Base64.decode64(a['secret']),
+        Time.at(a['issued']),
+        a['lifetime'],
+        a['assoc_type'])
+    end
+
+    def remove_association(server_url, handle) #:nodoc:
+      result = @@store.get(
+        '/cloudkit_openid_server_handles',
+        :server_url => server_url,
+        :handle     => Base64.encode64(handle))
+      return nil unless result.status == 200
+
+      responses, associations = resolve_associations(result.parsed_content)
+      return nil if associations.empty?
+
+      uris = result.parsed_content['uris']
+      responses.each_with_index do |r, index|
+        @@store.delete(uris[index], :etag => r.etag)
+      end
+    end
+
+    def store_association(server_url, association) #:nodoc:
+      remove_association(server_url, association.handle)
+      json = JSON.generate(
+        :server_url => server_url,
+        :handle     => Base64.encode64(association.handle),
+        :secret     => Base64.encode64(association.secret),
+        :issued     => association.issued.to_i,
+        :lifetime   => association.lifetime,
+        :assoc_type => association.assoc_type)
+      result = @@store.post('/cloudkit_openid_associations', :json => json)
+      return (result.status == 201)
+    end
+
+    def use_nonce(server_url, timestamp, salt) #:nodoc:
+      return false if (timestamp - Time.now.to_i).abs > OpenID::Nonce.skew
+
+      fragment = URI.escape([server_url, timestamp, salt].join('-'))
+      uri      = "/cloudkit_openid_nonces/#{fragment}"
+      result   = @@store.put(uri, :json => '{}')
+      return (result.status == 201)
+    end
+
+    def self.cleanup #:nodoc:
+      # TODO
+    end
+
+    def self.cleanup_associations #:nodoc:
+      # TODO
+    end
+
+    def self.cleanup_nonces #:nodoc:
+      # TODO
+    end
+
+    protected
+
+    def resolve_associations(parsed_content) #:nodoc:
+      uri_list = parsed_content['uris']
+      association_responses = @@store.resolve_uris(uri_list)
+      return association_responses, association_responses.map{|a| a.parsed_content}
+    end
+  end
+end

data/lib/cloudkit/rack/builder.rb

@@ -0,0 +1,120 @@
+module Rack #:nodoc:
+  class Builder
+    alias_method :cloudkit_to_app, :to_app
+
+    # Extends Rack::Builder's to_app method to detect if the last piece of
+    # middleware in the stack is a CloudKit shortcut (contain or expose), adding
+    # adding a default developer page at the root and a 404 everywhere else.
+    def to_app
+      default_app = lambda do |env|
+        if (env['PATH_INFO'] == '/')
+          [200, {'Content-Type' => 'text/html'}, [welcome]]
+        else
+          [404, {}, []]
+        end
+      end
+      @ins << default_app if @last_cloudkit_id == @ins.last.object_id
+      cloudkit_to_app
+    end
+
+    # Setup resource collections hosted behind OAuth and OpenID auth filters.
+    #
+    # ===Example
+    #   contain :notes, :projects
+    #
+    def contain(*args)
+      @ins << lambda do |app|
+        Rack::Session::Pool.new(
+          CloudKit::OAuthFilter.new(
+            CloudKit::OpenIDFilter.new(
+              CloudKit::Service.new(app, :collections => args.to_a))))
+      end
+      @last_cloudkit_id = @ins.last.object_id
+    end
+
+    # Setup resource collections without authentication.
+    #
+    # ===Example
+    #   expose :notes, :projects
+    #
+    def expose(*args)
+      @ins << lambda do |app|
+        CloudKit::Service.new(app, :collections => args.to_a)
+      end
+      @last_cloudkit_id = @ins.last.object_id
+    end
+
+    def welcome #:nodoc:
+doc = <<HTML
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
+  <title>CloudKit via cURL</title>
+  <style type="text/css">
+    body {
+      font-family: 'Helvetica', 'Arial', san-serif;
+      font-size: 15px;
+      margin: 0;
+      padding: 0;
+      color: #222222;
+    }
+    h1 {
+      font-family: 'Helvetica Neue', 'Helvetica', 'Arial', san-serif;
+      font-size: 73px;
+      font-weight: bold;
+      line-height: 28px;
+      margin: 20px 0px 20px 0px;
+    }
+    .wrapper {
+      width: 500px;
+      margin: 0 auto;
+      clear: both;
+    }
+    p {
+      margin-top: 0px;
+      line-height: 1.5em;
+    }
+    #header {
+      background-color: #ffffcc;
+      display: block;
+      padding: 2px 0;
+      margin: 35px 0px 10px 0px;
+      border-top: 1px solid #ffcc66;
+      border-bottom: 1px solid #ffcc66;
+    }
+    a {
+      color: #6b8df2;
+      text-decoration: none;
+    }
+    .meta {
+      padding: 7px 7px 7px 7px;
+      background-color: #ffccff;
+      border-top: 1px solid #cc99ff;
+      border-bottom: 1px solid #cc99ff;
+      font-size: 14px;
+      display: block;
+      margin: 10px 0px 10px 0px;
+    }
+  </style>
+</head>
+<body>
+  <div id="header">
+    <div class="wrapper">
+      <h1>CloudKit</h1>
+    </div>
+  </div>
+  <div class="meta">
+    <p class="wrapper">
+      This page is appearing because you have not set up a default app in your
+      rackup file. To learn more about CloudKit, check out
+      <a href="http://getcloudkit.com">the site</a>.
+    </p>
+  </div>
+</body>
+</html>
+HTML
+    end
+  end
+end

data/lib/cloudkit/rack/router.rb

@@ -0,0 +1,20 @@
+module Rack #:nodoc:
+
+  # A minimal router providing just what is needed for the OAuth and OpenID
+  # filters.
+  class Router
+    
+    # Create an instance of Router to match on method, path and params.
+    def initialize(method, path, params=[])
+      @method = method.to_s.upcase; @path = path; @params = params
+    end
+
+    # By overriding the case comparison operator, we can match routes in a case
+    # statement.
+    #
+    # See also: CloudKit::Util#r, CloudKit::Request#match?
+    def ===(request)
+      request.match?(@method, @path, @params)
+    end
+  end
+end

data/lib/cloudkit/request.rb

@@ -0,0 +1,159 @@
+module CloudKit
+
+  # A subclass of Rack::Request providing CloudKit-specific features.
+  class Request < Rack::Request
+    include CloudKit::Util
+    alias_method :cloudkit_params, :params
+
+    def initialize(env)
+      super(env)
+    end
+
+    # Return a merged set of both standard params and OAuth header params.
+    def params
+      @cloudkit_params ||= cloudkit_params.merge(oauth_header_params)
+    end
+
+    # Return true if method, path, and required_params match.
+    def match?(method, path, required_params=[])
+      (request_method == method) &&
+        path_info.match(path.gsub(':id', '*')) && # just enough to work for now
+        param_match?(required_params)
+    end
+
+    # Return true of the array of required params match the request params. If
+    # a hash in passed in for a param, its value is also used in the match.
+    def param_match?(required_params)
+      required_params.all? do |required_param|
+        case required_param
+        when Hash
+          key = required_param.keys.first
+          return false unless params.has_key? key
+          return false unless params[key] == required_param[key]
+        when String
+          return false unless params.has_key? required_param
+        else
+          false
+        end
+        true
+      end
+    end
+
+    # Return OAuth header params in a hash.
+    def oauth_header_params
+      # This is a copy of the same method from the OAuth gem.
+      # TODO: Refactor the OAuth gem so that this method is available via a
+      # mixin, outside of the request proxy context.
+      %w( X-HTTP_AUTHORIZATION Authorization HTTP_AUTHORIZATION ).each do |header|
+        next unless @env.include?(header)
+        header = @env[header]
+        next unless header[0,6] == 'OAuth '
+        oauth_param_string = header[6,header.length].split(/[,=]/)
+        oauth_param_string.map!{|v| unescape(v.strip)}
+        oauth_param_string.map!{|v| v =~ /^\".*\"$/ ? v[1..-2] : v}
+        oauth_params = Hash[*oauth_param_string.flatten]
+        oauth_params.reject!{|k,v| k !~ /^oauth_/}
+        return oauth_params
+      end
+      return {}
+    end
+
+    # Unescape a value according to the OAuth spec.
+    def unescape(value)
+      URI.unescape(value.gsub('+', '%2B'))
+    end
+
+    # Return the last path element in the request URI.
+    def last_path_element
+      path_element(-1)
+    end
+
+    # Return a specific path element
+    def path_element(index)
+      path_info.split('/')[index] rescue nil
+    end
+
+    # Return an array containing one entry for each piece of upstream
+    # middleware. This is in the same spirit as Via headers in HTTP, but does
+    # not use the header because the transition from one piece of middleware to
+    # the next does not use HTTP.
+    def via
+      @env[via_key].split(', ') rescue []
+    end
+
+    # Return parsed contents of an If-Match header.
+    #
+    # Note: Only a single ETag is useful in the context of CloudKit, so a list
+    # is treated as one ETag; the result of using the wrong ETag or a list of
+    # ETags is the same in the context of PUT and DELETE where If-Match
+    # headers are required.
+    def if_match
+      etag = @env['HTTP_IF_MATCH']
+      return nil unless etag
+      etag.strip!
+      etag = unquote(etag)
+      return nil if etag == '*'
+      etag
+    end
+
+    # Add a via entry to the Rack environment.
+    def inject_via(key)
+      items = via << key
+      @env[via_key] = items.join(', ')
+    end
+
+    # Return the current user URI.
+    def current_user
+      return nil unless @env[auth_key] && @env[auth_key] != ''
+      @env[auth_key]
+    end
+
+    # Set the current user URI.
+    def current_user=(user)
+      @env[auth_key] = user
+    end
+
+    # Return true if authentication is being used.
+    def using_auth?
+      @env[auth_presence_key] != nil
+    end
+
+    # Report to downstream middleware that authentication is in use.
+    def announce_auth(via)
+      inject_via(via)
+      @env[auth_presence_key] = 1
+    end
+
+    # Return the session associated with this request.
+    def session
+      @env['rack.session']
+    end
+
+    # Return the login URL for this request. This is stashed in the Rack
+    # environment so the OpenID and OAuth middleware can cooperate during the
+    # token authorization step in the OAuth flow.
+    def login_url
+      @env[login_url_key] || '/login'
+    end
+
+    # Set the login url for this request.
+    def login_url=(url)
+      @env[login_url_key] = url
+    end
+
+    # Return the logout URL for this request.
+    def logout_url
+      @env[logout_url_key] || '/logout'
+    end
+
+    # Set the logout URL for this request.
+    def logout_url=(url)
+      @env[logout_url_key] = url
+    end
+
+    # Return the flash session for this request.
+    def flash
+      session[flash_key] ||= CloudKit::FlashSession.new
+    end
+  end
+end