devise_castle 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: e509c6594a298c779e9e682385bca11b4731ed22
+  data.tar.gz: fba122942aeaf4b8a4875284fb65a34d14e507f7
+SHA512:
+  metadata.gz: ca5a1d49f20a03317dba378c8017b51d314bc209d49eed7b21b646782325a7661556097aa05a46df143f32bff77c836ee6b1290f9a08ea8122c9f4044c005ca5
+  data.tar.gz: 3683b87fbbce2fdb04a9ce8fc090686a0f055d885586f2bf36eb2d5d1dcec9d5eb22c8dcee4b322851dfb89762c009bc29a4a29b3b52ab497deb2263b40e66d3

data/app/controllers/devise/devise_castle_controller.rb

@@ -0,0 +1,60 @@
+class Devise::DeviseCastleController < DeviseController
+  include Devise::Controllers::Helpers
+
+  before_filter :return_not_found, except: :new
+
+  before_filter do
+    env['castle.skip_authorization'] = true
+  end
+
+  def new
+    challenge = castle.challenges.create
+    Devise.mappings.keys.flatten.any? do |scope|
+      redirect_to send(
+        "edit_#{scope}_two_factor_authentication_path", challenge.id)
+    end
+  end
+
+  def edit
+    @challenge = castle.challenges.find(params[:id])
+
+    # Prevent "undefined method `errors' for nil:NilClass"
+    self.resource = resource_class.new
+
+    render action: "#{@challenge.delivery_method}/edit"
+  end
+
+  def update
+    challenge_id = params.require(:challenge_id)
+    code = params.require(:code)
+
+    begin
+      castle.challenges.verify(challenge_id, response: code)
+
+      castle.trust_device if params[:trust_device]
+
+      Devise.mappings.keys.flatten.any? do |scope|
+        redirect_to after_sign_in_path_for(scope)
+      end
+    rescue Castle::Error
+      sign_out_with_message(:no_retries_remaining, :alert)
+    end
+  end
+
+  protected
+
+  def sign_out_with_message(message, kind = :notice)
+    signed_out = sign_out(resource_name)
+    set_flash_message kind, message if signed_out
+    redirect_to after_sign_out_path_for(resource_name)
+  end
+
+  private
+
+  def return_not_found
+    unless castle.mfa_in_progress?
+      redirect_to after_sign_in_path_for(resource_name)
+    end
+  end
+
+end

data/app/controllers/devise/two_factor_authentication_controller.rb

@@ -0,0 +1,3 @@
+module Devise
+  class TwoFactorAuthenticationController < DeviseCastleController; end
+end

data/app/controllers/devise_castle/sessions_controller.rb

@@ -0,0 +1,17 @@
+class DeviseCastle::SessionsController < Devise::SessionsController
+  unloadable unless Rails.version =~/^4/
+
+  protected
+
+  def auth_options
+    # find the username
+    key = serialize_options(resource)[:methods].first
+    username = sign_in_params[key]
+
+    # find the user if any
+    user = resource_class.find_for_authentication(key => username)
+
+    # make it available to Warden hooks
+    super.merge(username: username, user: user)
+  end
+end

data/app/views/devise/two_factor_authentication/authenticator/edit.html.erb

@@ -0,0 +1,14 @@
+<h2><%= t "devise.two_factor_authentication.header" %></h2>
+
+<p><%= t "devise.two_factor_authentication.edit.authenticator.instructions" %></p>
+
+<%= form_tag([resource_name, :two_factor_authentication], :method => :put) do %>
+  <%= devise_error_messages! %>
+  <p><%= label_tag :code, t("devise.two_factor_authentication.edit.common.code_label") %><br />
+  <%= text_field_tag :code %></p>
+  <p><%= check_box_tag :trust_device %> <%= label_tag :trust_device %></p>
+  <%= hidden_field_tag(:challenge_id, @challenge.id) %>
+  <p><%= submit_tag t("devise.two_factor_authentication.edit.common.submit_button") %></p>
+<% end -%>
+
+<p><%= t "devise.two_factor_authentication.edit.common.recovery_message" %>

data/app/views/devise/two_factor_authentication/sms/edit.html.erb

@@ -0,0 +1,17 @@
+<h2><%= t "devise.two_factor_authentication.header" %></h2>
+
+<p>
+  <%= t "devise.two_factor_authentication.edit.sms.instructions" %>
+  <%= link_to t("devise.two_factor_authentication.edit.sms.resend"), send("new_#{resource_name}_two_factor_authentication_path") %>.
+</p>
+
+<%= form_tag([resource_name, :two_factor_authentication], :method => :put) do %>
+  <%= devise_error_messages! %>
+  <p><%= label_tag :code, t("devise.two_factor_authentication.edit.common.code_label") %><br />
+  <%= text_field_tag :code %></p>
+  <p><%= check_box_tag :trust_device %> <%= label_tag :trust_device %></p>
+  <%= hidden_field_tag(:challenge_id, @challenge.id) %>
+  <p><%= submit_tag t("devise.two_factor_authentication.edit.common.submit_button") %></p>
+<% end -%>
+
+<p><%= t "devise.two_factor_authentication.edit.common.recovery_message" %>

data/app/views/devise/two_factor_authentication/yubikey/edit.html.erb

@@ -0,0 +1,14 @@
+<h2><%= t "devise.two_factor_authentication.header" %></h2>
+
+<p><%= t "devise.two_factor_authentication.edit.yubikey.instructions" %></p>
+
+<%= form_tag([resource_name, :two_factor_authentication], :method => :put) do %>
+  <%= devise_error_messages! %>
+  <p><%= label_tag :code, t("devise.two_factor_authentication.edit.common.code_label") %><br />
+  <%= text_field_tag :code %></p>
+  <p><%= check_box_tag :trust_device %> <%= label_tag :trust_device %></p>
+  <%= hidden_field_tag(:challenge_id, @challenge.id) %>
+  <p><%= submit_tag t("devise.two_factor_authentication.edit.common.submit_button") %></p>
+<% end -%>
+
+<p><%= t "devise.two_factor_authentication.edit.common.recovery_message" %>

data/lib/devise_castle.rb

@@ -0,0 +1,29 @@
+require 'active_support/concern'
+require 'devise'
+require 'devise_castle/hooks'
+require 'devise_castle/routes'
+require 'devise_castle/hooks'
+require 'devise_castle/import'
+require 'devise_castle/mapping'
+require 'castle'
+
+module Devise
+  mattr_accessor :castle_api_secret
+  @@castle_api_secret = ''
+end
+
+module DeviseCastle
+  module Controllers
+    autoload :Helpers, 'devise_castle/controllers/helpers'
+  end
+end
+
+if defined?(Rails::Railtie)
+  require 'devise_castle/railtie'
+  Rails::Engine
+end
+
+Devise.add_module(:castle,
+  :controller => :two_factor_authentication,
+  :route => :castle,
+  :model  => 'devise_castle/model')

data/lib/devise_castle/controllers/helpers.rb

@@ -0,0 +1,29 @@
+module DeviseCastle
+  module Controllers
+    module Helpers
+      extend ActiveSupport::Concern
+
+      included do
+        rescue_from Castle::UserUnauthorizedError do |error|
+          Devise.mappings.keys.flatten.any? do |scope|
+            warden.logout(scope)
+            throw :warden, :scope => scope, :message => :signed_out
+          end
+        end
+
+        rescue_from Castle::ChallengeRequiredError do |error|
+          Devise.mappings.keys.flatten.any? do |scope|
+            if request.format.present? and request.format.html?
+              session["#{scope}_return_to"] = request.path if request.get?
+              # todo: doesn't seem to work
+              redirect_to send("new_#{scope}_two_factor_authentication_path")
+            else
+              render nothing: true, status: :unauthorized
+            end
+          end
+        end
+      end
+
+    end
+  end
+end

data/lib/devise_castle/hooks.rb

@@ -0,0 +1,50 @@
+# Instantiate Castle client on every request
+Warden::Manager.on_request do |warden|
+  warden.request.env['castle'] =
+    Castle::Client.new(warden.request, warden.cookies)
+end
+
+# Track logout.succeeded
+Warden::Manager.before_logout do |record, warden, opts|
+  if record.respond_to?(:castle_id)
+    castle = warden.request.env['castle']
+    castle.logout
+    castle.track(user_id: record._castle_id, name: '$logout.succeeded')
+  end
+end
+
+# Track login.failed
+Warden::Manager.before_failure do |env, opts|
+  if opts[:action] == 'unauthenticated' && opts[:username]
+
+    user_id = if opts[:user].respond_to?(:castle_id)
+      opts[:user]._castle_id
+    end
+
+    castle = env['castle']
+    castle.track(
+      name: '$login.failed',
+      user_id: user_id,
+      details: {
+        '$login' => opts[:username]
+      })
+  end
+end
+
+# Track login.succeeded
+Warden::Manager.after_set_user :except => :fetch do |record, warden, opts|
+  if record.respond_to?(:castle_id)
+    castle = warden.request.env['castle']
+    castle.track(user_id: record._castle_id, name: '$login.succeeded')
+    castle.login(record._castle_id, email: record.email)
+  end
+end
+
+# Continous authentication
+Warden::Manager.after_set_user do |record, warden, opts|
+  if record.respond_to?(:castle_id)
+    env = warden.request.env
+    castle = env['castle']
+    castle.authorize! unless env['castle.skip_authorization']
+  end
+end

data/lib/devise_castle/import.rb

@@ -0,0 +1,85 @@
+module DeviseCastle
+  class ImportError < Exception; end
+
+  class Import
+    attr_reader :resource_class, :batch_size
+
+    def initialize(options = {})
+      begin
+        @resource_class = eval(options[:resource_class])
+      rescue NameError
+        raise ImportError, "No such class: #{options[:resource_class]}"
+      end
+
+      unless supported_orm?
+        raise ImportError, "Only ActiveRecord and Mongoid models are supported"
+      end
+
+      unless Castle.config.api_secret.present?
+        raise ImportError, "Please add an Castle API secret to your devise.rb"
+      end
+
+      @batch_size = [(options[:batch_size] || 100), 100].min
+    end
+
+    def self.run(*args)
+      new(*args).run
+    end
+
+    def run
+      batches do |batch, resources|
+        begin
+          users = Castle::User.import(users: batch)
+        rescue Castle::Error => error
+          raise ImportError, error.message
+        end
+
+        users.zip(resources).each do |user, resource|
+          resource.castle_id = user.id
+          resource.save(validate: false)
+        end
+      end
+    end
+
+    def batches
+      if active_record?
+        resource_class.where("castle_id IS NULL").find_in_batches(:batch_size => batch_size) do |resources|
+          resources_for_wire = map_resources_to_castle_format(resources)
+          yield(resources_for_wire, resources) unless resources.count.zero?
+        end
+      elsif mongoid?
+        0.step(resource_class.where(:castle_id => nil).count, batch_size) do |offset|
+          resources_for_wire = map_resources_to_castle_format(resource_class.limit(batch_size).skip(offset))
+          yield(resources_for_wire, resources) unless resources.count.zero?
+        end
+      end
+    end
+
+    def map_resources_to_castle_format(resources)
+      resources.map do |resource|
+        format = {}
+        format[:email] = resource.email unless resource.email.blank?
+        format[:id] = resource._castle_id
+        format[:created_at] = resource.created_at if resource.respond_to? :created_at
+        format
+      end.compact
+    end
+
+    def prepare_batch(batch)
+      { :users => batch }.to_json
+    end
+
+    def active_record?
+      (defined?(ActiveRecord::Base) && (resource_class < ActiveRecord::Base))
+    end
+
+    def mongoid?
+      (defined?(Mongoid::Document) && (resource_class < Mongoid::Document))
+    end
+
+    def supported_orm?
+      active_record? || mongoid?
+    end
+
+  end
+end

data/lib/devise_castle/mapping.rb

@@ -0,0 +1,14 @@
+module DeviseCastle
+  module Mapping
+    def self.included(base)
+      base.alias_method_chain :default_controllers, :castle
+    end
+
+    private
+    def default_controllers_with_castle(options)
+      options[:controllers] ||= {}
+      options[:controllers][:sessions] ||= "devise_castle/sessions"
+      default_controllers_without_castle(options)
+    end
+  end
+end

data/lib/devise_castle/model.rb

@@ -0,0 +1,52 @@
+module Devise
+  module Models
+    module Castle
+      extend ActiveSupport::Concern
+
+      ::Castle.api_secret = Devise.castle_api_secret
+
+      included do
+        before_destroy :destroy_castle_user
+
+        def destroy_castle_user
+          castle_user_block do
+            ::Castle::User.destroy_existing(id)
+          end
+        end
+
+        def castle_user_block
+          begin
+            yield
+          rescue ::Castle::Error
+            true
+          end
+        end
+
+        # Override this in your Devise model to use a custom identifier
+        # for the Castle API:s
+        def castle_id
+          id
+        end
+
+        # Since the identifier will be used in API routes, it needs to be
+        # URI encoded
+        def _castle_id
+          URI.encode(castle_id.to_s)
+        end
+      end
+
+      # Overwrites valid_for_authentication? from Devise::Models::Authenticatable
+      # for verifying whether a user is allowed to sign in or not.
+      def valid_for_authentication?
+        return super unless persisted?
+
+        if super
+          true
+        else
+          # TODO: track unsuccessful login
+          false
+        end
+      end
+    end
+  end
+end

data/lib/devise_castle/railtie.rb

@@ -0,0 +1,11 @@
+module DeviseCastle
+  class Engine < ::Rails::Engine
+    ActiveSupport.on_load(:action_controller) do
+      include DeviseCastle::Controllers::Helpers
+    end
+
+    config.after_initialize do
+      Devise::Mapping.send :include, DeviseCastle::Mapping
+    end
+  end
+end

data/lib/devise_castle/routes.rb

@@ -0,0 +1,9 @@
+module ActionDispatch::Routing
+  class Mapper
+    protected
+
+    def devise_castle(mapping, controllers)
+      resources :two_factor_authentication, :only => [:new, :show, :update, :edit], :path => mapping.path_names[:two_factor_authentication], :controller => controllers[:two_factor_authentication]
+    end
+  end
+end

data/lib/devise_castle/version.rb

@@ -0,0 +1,3 @@
+module DeviseCastle
+  VERSION = "1.0.0".freeze
+end

data/lib/generators/active_record/devise_castle_generator.rb

@@ -0,0 +1,14 @@
+require 'rails/generators/active_record'
+
+module ActiveRecord
+  module Generators
+    class DeviseCastleGenerator < ActiveRecord::Generators::Base
+      source_root File.expand_path("../templates", __FILE__)
+
+      def copy_devise_castle_migration
+        migration_template "migration.rb", "db/migrate/add_castle_to_#{table_name}.rb"
+      end
+
+    end
+  end
+end

data/lib/generators/active_record/templates/migration.rb

@@ -0,0 +1,13 @@
+class AddCastleTo<%= table_name.camelize %> < ActiveRecord::Migration
+  def up
+    change_table :<%= table_name %> do |t|
+      t.string   :castle_id
+    end
+
+    add_index :<%= table_name %>, :castle_id, :unique => true
+  end
+
+  def down
+    remove_column :<%= table_name %>, :castle_id
+  end
+end

data/lib/generators/devise_castle/devise_castle_generator.rb

@@ -0,0 +1,18 @@
+module DeviseCastle
+  module Generators
+    class DeviseCastleGenerator < Rails::Generators::NamedBase
+      namespace "devise_castle"
+
+      desc "Add :castle directive in the given model. Also generate migration for ActiveRecord"
+
+      def inject_devise_castle_content
+        path = File.join("app", "models", "#{file_path}.rb")
+        if File.exists?(path)
+          inject_into_file(path, "castle, :", :after => "devise :")
+        end
+      end
+
+      hook_for :orm
+    end
+  end
+end

data/lib/generators/devise_castle/import_generator.rb

@@ -0,0 +1,12 @@
+module DeviseCastle
+  module Generators
+    class ImportGenerator < Rails::Generators::NamedBase
+      desc "Import users to Castle"
+
+      def import_users_to_castle
+        Import.run(resource_class: class_name)
+      end
+
+    end
+  end
+end

data/lib/generators/devise_castle/install_generator.rb

@@ -0,0 +1,32 @@
+module DeviseCastle
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path("../../templates", __FILE__)
+      desc "Add DeviseCastle config variables to the Devise initializer"
+      argument :api_secret, :desc => "Your Castle API secret, which can be found on your Castle dashboard."
+
+      def add_config_options_to_initializer
+        devise_initializer_path = "config/initializers/devise.rb"
+        if File.exist?(devise_initializer_path)
+          old_content = File.read(devise_initializer_path)
+
+          if old_content.match(Regexp.new(/^\s*# ==> Configuration for :castle\n/))
+            false
+          else
+            inject_into_file(devise_initializer_path, :before => "  # ==> Mailer Configuration\n") do
+<<-CONTENT
+  # ==> Configuration for :castle
+  config.castle_api_secret = '#{api_secret}'
+
+CONTENT
+            end
+          end
+        end
+      end
+
+      def copy_locale
+        copy_file "../../../config/locales/en.yml", "config/locales/devise_castle.en.yml"
+      end
+    end
+  end
+end

data/lib/generators/devise_castle/views_generator.rb

@@ -0,0 +1,18 @@
+require 'generators/devise/views_generator'
+
+module DeviseCastle
+  module Generators
+    class ViewsGenerator < Rails::Generators::Base
+      desc 'Copies all DeviseCastle views to your application.'
+
+      argument :scope, :required => false, :default => nil,
+                       :desc => "The scope to copy views to"
+
+      include ::Devise::Generators::ViewPathTemplates
+      source_root File.expand_path("../../../../app/views/devise", __FILE__)
+      def copy_views
+        view_directory :two_factor_authentication
+      end
+    end
+  end
+end

data/lib/generators/mongoid/devise_castle_generator.rb

@@ -0,0 +1,8 @@
+require 'generators/devise/orm_helpers'
+
+module Mongoid
+  module Generators
+    class DeviseCastleGenerator < Rails::Generators::NamedBase
+    end
+  end
+end

metadata

@@ -0,0 +1,136 @@
+--- !ruby/object:Gem::Specification
+name: devise_castle
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Johan Brissmyr
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-02-19 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: castle-rb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.1
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.1.0
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.9'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '3.1'
+description: Devise extension for Castle. Secure your authentication stack with real-time
+  monitoring, instantly notifying you and your users on potential account hijacks.
+email: johan@castle.io
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- app/controllers/devise/devise_castle_controller.rb
+- app/controllers/devise/two_factor_authentication_controller.rb
+- app/controllers/devise_castle/sessions_controller.rb
+- app/views/devise/two_factor_authentication/authenticator/edit.html.erb
+- app/views/devise/two_factor_authentication/sms/edit.html.erb
+- app/views/devise/two_factor_authentication/yubikey/edit.html.erb
+- lib/devise_castle.rb
+- lib/devise_castle/controllers/helpers.rb
+- lib/devise_castle/hooks.rb
+- lib/devise_castle/import.rb
+- lib/devise_castle/mapping.rb
+- lib/devise_castle/model.rb
+- lib/devise_castle/railtie.rb
+- lib/devise_castle/routes.rb
+- lib/devise_castle/version.rb
+- lib/generators/active_record/devise_castle_generator.rb
+- lib/generators/active_record/templates/migration.rb
+- lib/generators/devise_castle/devise_castle_generator.rb
+- lib/generators/devise_castle/import_generator.rb
+- lib/generators/devise_castle/install_generator.rb
+- lib/generators/devise_castle/views_generator.rb
+- lib/generators/mongoid/devise_castle_generator.rb
+homepage: https://github.com/castle/devise_castle
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.3
+signing_key: 
+specification_version: 4
+summary: Devise extension for Castle
+test_files: []