ditty 0.6.0 → 0.7.0.pre.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b6858577e8b718519ffc9090091e2709558d0ffd52d938469cb28758bcb45317
-  data.tar.gz: 55d43869a651d32b3dcbcedf093a5c7ef2a01fa83335d7a36c7f3475b61d695b
+  metadata.gz: 3c189c1afda14a46a7d4011c7d2ea9a675c3efaf8800287379e66b2d0a8f7938
+  data.tar.gz: 788dfa56d302d52afca0ff0d42bd1769abb78b5e991c586edf4a6b6a38430384
 SHA512:
-  metadata.gz: e5606f0ac962ce44b97b08408f6d18bcff35271b87ff4fd88af1a42f85d4f890edafaca116a438b7652fe7b52eb7407074a531c7fba7c63387fe5ff71093ccb7
-  data.tar.gz: ca27dfe35f0249414bf54367880bc11c199cead75a45a2fbb809e20d42d626ba734c43b0c02a82729473b8365f4ff1ec835708a29b188d5f2d1700d112a5eaec
+  metadata.gz: fddf3ffc9c33965ecc3e093c0fc21f4ce689eb110ab351f1a331cd7a9477bea416e3d6bbdc6141e9858d55db4d5cf48ad15c1e22bb930462fd245b0853cde042
+  data.tar.gz: 2bb572a73c374592ee7c526a7fb0df708bf43ed533ca4898dddd347f2b06afba687662dc234b0e1566856161b8d44de656eca567cdd0da2d0b17925afc01346b

data/.rubocop.yml

@@ -1,13 +1,10 @@
 Metrics/LineLength:
   Max: 120
 
-Style/Documentation:
-  Enabled: false
-
 Style/NumericPredicate:
   Enabled: false
 
-Style/LeadingCommentSpace:
+Layout/LeadingCommentSpace:
   Exclude:
     - 'config.ru'
 

data/config.ru

@@ -5,29 +5,15 @@ use Rack::Session::Cookie,
     key: '_Ditty_session',
     # :secure=>!TEST_MODE, # Uncomment if only allowing https:// access
     secret: File.read('.session_secret')
-use Rack::Protection::RemoteToken
-use Rack::Protection::SessionHijacking
 
 require 'ditty/components/app'
 Ditty.component :app
 
-require 'omniauth'
-require 'omniauth/identity'
-OmniAuth.config.logger = Ditty::Services::Logger.instance
-OmniAuth.config.on_failure = proc { |env|
-  OmniAuth::FailureEndpoint.new(env).redirect_to_failure
-}
-require 'ditty/controllers/main'
-require 'ditty/models/identity'
+require 'ditty/services/authentication'
 use OmniAuth::Builder do
-  # The identity provider is used by the App.
-  provider :identity,
-           fields: [:username],
-           callback_path: '/auth/identity/callback',
-           model: Ditty::Identity,
-           on_login: Ditty::Main,
-           on_registration: Ditty::Main,
-           locate_conditions: ->(req) { { username: req['username'] } }
+  Ditty::Services::Authentication.config.each do |prov, config|
+    provider prov, *config[:arguments]
+  end
 end
 
 run Rack::URLMap.new Ditty::Components.routes

data/ditty.gemspec

@@ -38,11 +38,13 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'omniauth-identity', '~> 1.0'
   spec.add_dependency 'pundit', '~> 1.0'
   spec.add_dependency 'rack-contrib', '~> 1.0'
+  spec.add_dependency 'rack_csrf', '~> 1.0'
   spec.add_dependency 'rake', '~> 12.0'
   spec.add_dependency 'sequel', '>= 4.0'
   spec.add_dependency 'sinatra', '>= 2.0'
   spec.add_dependency 'sinatra-contrib', '~> 2.0'
   spec.add_dependency 'sinatra-flash', '~> 0.3'
+  spec.add_dependency 'sinatra-param', '~> 1.5'
   spec.add_dependency 'tilt', '>= 2'
   spec.add_dependency 'thor', '>= 0.20'
   spec.add_dependency 'will_paginate', '>= 3.1'

data/lib/ditty/components/app.rb

@@ -5,7 +5,7 @@ require 'ditty'
 module Ditty
   class App
     def self.load
-      controllers = File.expand_path('../../controllers', __FILE__)
+      controllers = File.expand_path('../controllers', __dir__)
       Dir.glob("#{controllers}/*.rb").each { |f| require f }
 
       require 'ditty/models/user'
@@ -20,17 +20,18 @@ module Ditty
     end
 
     def self.migrations
-      File.expand_path('../../../../migrate', __FILE__)
+      File.expand_path('../../../migrate', __dir__)
     end
 
     def self.view_folder
-      File.expand_path('../../../../views', __FILE__)
+      File.expand_path('../../../views', __dir__)
     end
 
     def self.routes
       load
       {
         '/' => ::Ditty::Main,
+        '/auth' => ::Ditty::Auth,
         '/users' => ::Ditty::Users,
         '/roles' => ::Ditty::Roles,
         '/audit-logs' => ::Ditty::AuditLogs

data/lib/ditty/controllers/application.rb

@@ -4,6 +4,7 @@ require 'wisper'
 require 'oga'
 require 'sinatra/base'
 require 'sinatra/flash'
+require 'sinatra/param'
 require 'sinatra/respond_with'
 require 'ditty/helpers/views'
 require 'ditty/helpers/pundit'
@@ -12,6 +13,7 @@ require 'ditty/services/logger'
 require 'active_support'
 require 'active_support/inflector'
 require 'rack/contrib'
+require 'rack/csrf'
 
 module Ditty
   class Application < Sinatra::Base
@@ -21,14 +23,20 @@ module Ditty
     set :map_path, nil
     set :view_location, nil
     set :model_class, nil
+    set :raise_sinatra_param_exceptions, true
+    set track_actions: false
+
     # The order here is important, since Wisper has a deprecated method respond_with method
     helpers Wisper::Publisher
     helpers Helpers::Pundit, Helpers::Views, Helpers::Authentication
+    helpers Sinatra::Param
 
     register Sinatra::Flash, Sinatra::RespondWith
 
+    use Rack::Csrf, raise: ENV['APP_ENV'] == 'development' unless ENV['APP_ENV'] == 'test'
     use Rack::PostBodyContentTypeParser
     use Rack::MethodOverride
+    use Rack::NestedParams
 
     helpers do
       def base_path
@@ -73,7 +81,7 @@ module Ditty
         status 401
         format.html do
           flash[:warning] = 'Please log in first.'
-          redirect with_layout("#{settings.map_path}/auth/identity")
+          redirect with_layout("#{settings.map_path}/auth/login")
         end
         format.json do
           json code: 401, errors: ['Not Authenticated']
@@ -96,6 +104,19 @@ module Ditty
       end
     end
 
+    error Sinatra::Param::InvalidParameterError do
+      respond_to do |format|
+        status 400
+        format.html do
+          flash.now[:danger] = env['sinatra.error'].message
+          haml :'400', locals: { title: '4 oh oh' }, layout: layout
+        end
+        format.json do
+          json code: 400, errors: { env['sinatra.error'].param => env['sinatra.error'].message }, full_errors: [env['sinatra.error'].message]
+        end
+      end
+    end
+
     error ::Sequel::ForeignKeyConstraintViolation do
       error = env['sinatra.error']
       broadcast(:application_error, error)
@@ -127,17 +148,19 @@ module Ditty
     end
 
     before(/.*/) do
-      ::Ditty::Services::Logger.instance.debug "Running with #{self.class}"
+      ::Ditty::Services::Logger.instance.debug "Running with #{self.class} - #{request.path_info}"
       if request.path =~ /.*\.json\Z/
         content_type :json
         request.path_info = request.path_info.gsub(/.json$/, '')
+      elsif request.env['ACCEPT']
+        content_type request.env['ACCEPT']
+      else
+        content_type(:json) if request.accept.count.eql?(1) && request.accept.first.to_s.eql?('*/*')
       end
-      # Ensure the accept header is set. People forget to include it in API requests
-      content_type(:json) if request.accept.count.eql?(1) && request.accept.first.to_s.eql?('*/*')
     end
 
     after do
-      return if params['layout'].nil?
+      return if params[:layout].nil?
       response.body = response.body.map do |resp|
         document = Oga.parse_html(resp)
         document.css('a').each do |elm|

data/lib/ditty/controllers/auth.rb

@@ -0,0 +1,179 @@
+require 'ditty/controllers/application'
+require 'ditty/services/email'
+require 'securerandom'
+
+module Ditty
+  class Auth < Application
+    set track_actions: true
+
+    def find_template(views, name, engine, &block)
+      super(views, name, engine, &block) # Root
+      super(::Ditty::App.view_folder, name, engine, &block) # Basic Plugin
+    end
+
+    def redirect_path
+      return "#{settings.map_path}/" unless env['omniauth.origin']
+      return "#{settings.map_path}/" if env['omniauth.origin'] =~ %r{/#{settings.map_path}/auth/?}
+      env['omniauth.origin']
+    end
+
+    def omniauth_callback(provider)
+      return failed_login unless env['omniauth.auth']
+      user = User.first(email: env['omniauth.auth']['info']['email'])
+      user = register_user if user.nil? && ['ldap', 'google_oauth2'].include?(provider)
+      return failed_login if user.nil?
+      successful_login(user)
+    end
+
+    def failed_login
+      broadcast(:user_failed_login, target: self, details: "IP: #{request.ip}")
+      flash[:warning] = 'Invalid credentials. Please try again.'
+      redirect "#{settings.map_path}/auth/login"
+    end
+
+    def successful_login(user)
+      halt 200 if request.xhr?
+      self.current_user = user
+      broadcast(:user_login, target: self, details: "IP: #{request.ip}")
+      flash[:success] = 'Logged In'
+      redirect redirect_path
+    end
+
+    def register_user
+      user = User.create(email: env['omniauth.auth']['info']['email'])
+      broadcast(:user_register, target: self, values: { user: user }, details: "IP: #{request.ip}")
+      flash[:info] = 'Successfully Registered.'
+      user
+    end
+
+    before '/login' do
+      return if User.where(roles: Role.find_or_create(name: 'super_admin')).count.positive?
+      flash[:info] = 'Please register the super admin user.'
+      redirect "#{settings.map_path}/auth/register"
+    end
+
+    # TODO: Make this work for both LDAP and Identity
+    get '/login' do
+      authorize ::Ditty::Identity, :login
+
+      haml :'auth/login', locals: { title: 'Log In' }
+    end
+
+    get '/forgot-password' do
+      authorize ::Ditty::Identity, :forgot_password
+
+      haml :'auth/forgot_password', locals: { title: 'Forgot your password?' }
+    end
+
+    post '/forgot-password' do
+      authorize ::Ditty::Identity, :forgot_password
+
+      param :email, String, required: true
+      email = params[:email]
+      identity = Identity[username: email]
+      if identity
+        # Update record
+        token = SecureRandom.hex(16)
+        identity.update(reset_token: token, reset_requested: Time.now)
+        # Send Email
+        reset_url = "#{request.base_url}#{settings.map_path}/reset-password?token=#{token}"
+        Ditty::Services::Email.deliver(
+          :forgot_password,
+          email,
+          locals: { identity: identity, reset_url: reset_url, request: request }
+        )
+      end
+      flash[:info] = 'An email was sent to the email provided with instructions on how to reset your password'
+      redirect '/login'
+    end
+
+    get '/reset-password' do
+      authorize ::Ditty::Identity.new, :reset_password
+
+      param :token, String, required: true
+      identity = Identity[reset_token: params[:token]]
+      halt 404 unless identity && identity.reset_requested && identity.reset_requested > (Time.now - (24 * 60 * 60))
+
+      haml :'auth/reset_password', locals: { title: 'Reset your password', identity: identity }
+    end
+
+    put '/reset-password' do
+      param :token, String, required: true
+      identity = Identity[reset_token: params[:token]]
+
+      halt 404 unless identity
+      authorize identity, :reset_password
+
+      identity_params = permitted_attributes(Identity, :update)
+      identity.set identity_params.merge(reset_token: nil, reset_requested: nil)
+      if identity.valid? && identity.save
+        broadcast(:identity_update_password, target: self, details: "IP: #{request.ip}")
+        flash[:success] = 'Password Updated'
+        redirect "#{settings.map_path}/auth/login"
+      else
+        broadcast(:identity_update_password_failed, target: self, details: "IP: #{request.ip}")
+        haml :'auth/reset_password', locals: { title: 'Reset your password', identity: identity }
+      end
+    end
+
+    # Register Page
+    get '/register' do
+      authorize ::Ditty::User.new, :register
+
+      identity = Identity.new
+      haml :'auth/register', locals: { title: 'Register', identity: identity }
+    end
+
+    # Register Action
+    post '/register/identity' do
+      param :identity, Hash, required: true
+      identity = Identity.new(params[:identity])
+      user = User.new(email: identity.username)
+      authorize user, :register
+
+      begin
+        DB.transaction do
+          user.save
+          user.add_identity identity
+          broadcast(:user_register, target: self, values: { user: user }, details: "IP: #{request.ip}")
+          flash[:info] = 'Successfully Registered. Please log in'
+          redirect "#{settings.map_path}/auth/login"
+        end
+      rescue Sequel::ValidationFailed
+        flash.now[:warning] = 'Could not complete the registration. Please try again.'
+        haml :'auth/register', locals: { identity: identity }
+      end
+    end
+
+    # Logout Action
+    delete '/' do
+      broadcast(:user_logout, target: self, details: "IP: #{request.ip}")
+      logout
+
+      halt 200 if request.xhr?
+      flash[:info] = 'Logged Out'
+      redirect(Ditty::Services::Settings[:logout_redirect_path] || "#{settings.map_path}/")
+    end
+
+    # Unauthenticated
+    get '/unauthenticated' do
+      redirect back
+    end
+
+    # Auth Failure
+    get '/failure' do
+      failed_login
+    end
+
+    # Identity
+    # LDAP
+    post '/:provider/callback' do |provider|
+      omniauth_callback provider
+    end
+
+    # Google OAuth login
+    get '/:provider/callback' do |provider|
+      omniauth_callback provider
+    end
+  end
+end

data/lib/ditty/controllers/component.rb

@@ -31,9 +31,7 @@ module Ditty
 
     after '/' do
       return if settings.environment == 'production' || request.request_method != 'GET'
-      if (response.successful? || response.redirection?) && @skip_verify == false
-        verify_policy_scoped
-      end
+      verify_policy_scoped if (response.successful? || response.redirection?) && @skip_verify == false
     end
 
     # List

data/lib/ditty/controllers/main.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
 require 'ditty/controllers/application'
-require 'ditty/services/email'
-require 'securerandom'
+require 'ditty/models/role'
+require 'ditty/models/user'
 
 module Ditty
   class Main < Application
@@ -13,16 +13,10 @@ module Ditty
       super(::Ditty::App.view_folder, name, engine, &block) # Basic Plugin
     end
 
-    CHECK_PATHS = [settings.map_path, "#{settings.map_path}/auth/identity"].freeze
-
-    before(/.*/) do
-      return unless CHECK_PATHS.include? request.path
-      # Redirect to the registration page if there's no SA user
-      sa = Role.find_or_create(name: 'super_admin')
-      if User.where(roles: sa).count == 0
-        flash[:info] = 'Please register the super admin user.'
-        redirect "#{settings.map_path}/auth/identity/register"
-      end
+    before '/' do
+      return if User.where(roles: Role.find_or_create(name: 'super_admin')).count.positive?
+      flash[:info] = 'Please register the super admin user.'
+      redirect "#{settings.map_path}/auth/register"
     end
 
     # Home Page
@@ -30,148 +24,5 @@ module Ditty
       authenticate!
       haml :index, locals: { title: 'Home' }
     end
-
-    # OmniAuth Identity Stuff
-    # Log in Page
-    get '/auth/identity' do
-      haml :'identity/login', locals: { title: 'Log In' }
-    end
-
-    get '/auth/identity/forgot' do
-      haml :'identity/forgot', locals: { title: 'Forgot your password?' }
-    end
-
-    post '/auth/identity/forgot' do
-      email = params['email']
-      identity = Identity[username: email]
-      if identity
-        # Update record
-        token = SecureRandom.hex(16)
-        identity.update(reset_token: token, reset_requested: Time.now)
-        # Send Email
-        reset_url = "#{request.base_url}#{settings.map_path}/auth/identity/reset?token=#{token}"
-        Ditty::Services::Email.deliver(
-          :forgot_password,
-          email,
-          locals: { identity: identity, reset_url: reset_url, request: request }
-        )
-      end
-      flash[:info] = 'An email was sent to the email provided with instructions on how to reset your password'
-      redirect '/auth/identity'
-    end
-
-    get '/auth/identity/reset' do
-      identity = Identity[reset_token: params['token']]
-      halt 404 unless identity && identity.reset_requested && identity.reset_requested > (Time.now - (24 * 60 * 60))
-
-      haml :'identity/reset', locals: { title: 'Reset your password', identity: identity }
-    end
-
-    put '/auth/identity/reset' do
-      identity = Identity[reset_token: params['token']]
-      halt 404 unless identity && identity.reset_requested && identity.reset_requested > (Time.now - (24 * 60 * 60))
-
-      identity_params = permitted_attributes(Identity, :update)
-
-      identity.set identity_params.merge(reset_token: nil, reset_requested: nil)
-      if identity.valid? && identity.save
-        broadcast(:identity_update_password, target: self, details: "IP: #{request.ip}")
-        flash[:success] = 'Password Updated'
-        redirect "#{settings.map_path}/auth/identity"
-      else
-        broadcast(:identity_update_password_failed, target: self, details: "IP: #{request.ip}")
-        haml :'identity/reset', locals: { title: 'Reset your password', identity: identity }
-      end
-    end
-
-    get '/auth/failure' do
-      broadcast(:user_failed_login, target: self, details: "IP: #{request.ip}")
-      flash[:warning] = 'Invalid credentials. Please try again.'
-      redirect "#{settings.map_path}/auth/identity"
-    end
-
-    # Register Page
-    get '/auth/identity/register' do
-      authorize ::Ditty::Identity, :register
-
-      identity = Identity.new
-      haml :'identity/register', locals: { title: 'Register', identity: identity }
-    end
-
-    # Register Action
-    post '/auth/identity/new' do
-      authorize ::Ditty::Identity, :register
-
-      identity = Identity.new(params['identity'])
-      begin
-        DB.transaction do
-          identity.save # Will trigger a Sequel::ValidationFailed exception if the model is incorrect
-          user = User.find(email: identity.username)
-          if user.nil?
-            user = User.create(email: identity.username)
-
-            broadcast(:user_register, target: self, values: { user: user }, details: "IP: #{request.ip}")
-          end
-          user.add_identity identity
-          flash[:info] = 'Successfully Registered. Please log in'
-          redirect "#{settings.map_path}/auth/identity"
-        end
-      rescue Sequel::ValidationFailed
-        flash.now[:warning] = 'Could not complete the registration. Please try again.'
-        haml :'identity/register', locals: { identity: identity }
-      end
-    end
-
-    # Logout Action
-    delete '/auth/identity' do
-      broadcast(:user_logout, target: self, details: "IP: #{request.ip}")
-      logout
-      flash[:info] = 'Logged Out'
-
-      redirect "#{settings.map_path}/"
-    end
-
-    post '/auth/identity/callback' do
-      if env['omniauth.auth']
-        # Successful Login
-        user = User.find(email: env['omniauth.auth']['info']['email'])
-        self.current_user = user
-        broadcast(:user_login, target: self, details: "IP: #{request.ip}")
-        flash[:success] = 'Logged In'
-        redirect env['omniauth.origin'] || "#{settings.map_path}/"
-      else
-        # Failed Login
-        broadcast(:identity_failed_login, target: self, details: "IP: #{request.ip}")
-        flash[:warning] = 'Invalid credentials. Please try again.'
-        redirect "#{settings.map_path}/auth/identity"
-      end
-    end
-
-    get '/auth/:provider/callback' do
-      if env['omniauth.auth']
-        # Successful Login
-        user = User.find(email: env['omniauth.auth']['info']['email'])
-        if user.nil?
-          DB.transaction do
-            user = User.create(email: env['omniauth.auth']['info']['email'])
-            broadcast(:user_register, target: self, values: { user: user }, details: "IP: #{request.ip}")
-          end
-        end
-        self.current_user = user
-        broadcast(:user_login, target: self, details: "IP: #{request.ip}")
-        flash[:success] = 'Logged In'
-        redirect env['omniauth.origin'] || "#{settings.map_path}/"
-      else
-        # Failed Login
-        broadcast(:user_failed_login, target: self, details: "IP: #{request.ip}")
-        flash[:warning] = 'Invalid credentials. Please try again.'
-        redirect "#{settings.map_path}/auth/identity"
-      end
-    end
-
-    # Unauthenticated
-    get '/unauthenticated' do
-      redirect "#{settings.map_path}/auth/identity"
-    end
   end
 end