eactionpack 2.1.2

data/lib/action_controller/session/cookie_store.rb

@@ -0,0 +1,166 @@
+require 'cgi'
+require 'cgi/session'
+require 'openssl'       # to generate the HMAC message digest
+
+# This cookie-based session store is the Rails default. Sessions typically
+# contain at most a user_id and flash message; both fit within the 4K cookie
+# size limit. Cookie-based sessions are dramatically faster than the
+# alternatives.
+#
+# If you have more than 4K of session data or don't want your data to be
+# visible to the user, pick another session store.
+#
+# CookieOverflow is raised if you attempt to store more than 4K of data.
+# TamperedWithCookie is raised if the data integrity check fails.
+#
+# A message digest is included with the cookie to ensure data integrity:
+# a user cannot alter his +user_id+ without knowing the secret key included in
+# the hash. New apps are generated with a pregenerated secret in
+# config/environment.rb. Set your own for old apps you're upgrading.
+#
+# Session options:
+#
+# * <tt>:secret</tt>: An application-wide key string or block returning a string
+#   called per generated digest. The block is called with the CGI::Session
+#   instance as an argument. It's important that the secret is not vulnerable to
+#   a dictionary attack. Therefore, you should choose a secret consisting of
+#   random numbers and letters and more than 30 characters. Examples:
+#
+#     :secret => '449fe2e7daee471bffae2fd8dc02313d'
+#     :secret => Proc.new { User.current_user.secret_key }
+#
+# * <tt>:digest</tt>: The message digest algorithm used to verify session
+#   integrity defaults to 'SHA1' but may be any digest provided by OpenSSL,
+#   such as 'MD5', 'RIPEMD160', 'SHA256', etc.
+#
+# To generate a secret key for an existing application, run
+# "rake secret" and set the key in config/environment.rb.
+#
+# Note that changing digest or secret invalidates all existing sessions!
+class CGI::Session::CookieStore
+  # Cookies can typically store 4096 bytes.
+  MAX = 4096
+  SECRET_MIN_LENGTH = 30 # characters
+
+  # Raised when storing more than 4K of session data.
+  class CookieOverflow < StandardError; end
+
+  # Raised when the cookie fails its integrity check.
+  class TamperedWithCookie < StandardError; end
+
+  # Called from CGI::Session only.
+  def initialize(session, options = {})
+    # The session_key option is required.
+    if options['session_key'].blank?
+      raise ArgumentError, 'A session_key is required to write a cookie containing the session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase" } in config/environment.rb'
+    end
+
+    # The secret option is required.
+    ensure_secret_secure(options['secret'])
+
+    # Keep the session and its secret on hand so we can read and write cookies.
+    @session, @secret = session, options['secret']
+
+    # Message digest defaults to SHA1.
+    @digest = options['digest'] || 'SHA1'
+
+    # Default cookie options derived from session settings.
+    @cookie_options = {
+      'name'    => options['session_key'],
+      'path'    => options['session_path'],
+      'domain'  => options['session_domain'],
+      'expires' => options['session_expires'],
+      'secure'  => options['session_secure']
+    }
+
+    # Set no_hidden and no_cookies since the session id is unused and we
+    # set our own data cookie.
+    options['no_hidden'] = true
+    options['no_cookies'] = true
+  end
+
+  # To prevent users from using something insecure like "Password" we make sure that the
+  # secret they've provided is at least 30 characters in length.
+  def ensure_secret_secure(secret)
+    # There's no way we can do this check if they've provided a proc for the
+    # secret.
+    return true if secret.is_a?(Proc)
+
+    if secret.blank?
+      raise ArgumentError, %Q{A secret is required to generate an integrity hash for cookie session data. Use config.action_controller.session = { :session_key => "_myapp_session", :secret => "some secret phrase of at least #{SECRET_MIN_LENGTH} characters" } in config/environment.rb}
+    end
+
+    if secret.length < SECRET_MIN_LENGTH
+      raise ArgumentError, %Q{Secret should be something secure, like "#{CGI::Session.generate_unique_id}".  The value you provided, "#{secret}", is shorter than the minimum length of #{SECRET_MIN_LENGTH} characters}
+    end
+  end
+
+  # Restore session data from the cookie.
+  def restore
+    @original = read_cookie
+    @data = unmarshal(@original) || {}
+  end
+
+  # Wait until close to write the session data cookie.
+  def update; end
+
+  # Write the session data cookie if it was loaded and has changed.
+  def close
+    if defined?(@data) && !@data.blank?
+      updated = marshal(@data)
+      raise CookieOverflow if updated.size > MAX
+      write_cookie('value' => updated) unless updated == @original
+    end
+  end
+
+  # Delete the session data by setting an expired cookie with no data.
+  def delete
+    @data = nil
+    clear_old_cookie_value
+    write_cookie('value' => nil, 'expires' => 1.year.ago)
+  end
+
+  # Generate the HMAC keyed message digest. Uses SHA1 by default.
+  def generate_digest(data)
+    key = @secret.respond_to?(:call) ? @secret.call(@session) : @secret
+    OpenSSL::HMAC.hexdigest(OpenSSL::Digest::Digest.new(@digest), key, data)
+  end
+
+  private
+    # Marshal a session hash into safe cookie data. Include an integrity hash.
+    def marshal(session)
+      data = ActiveSupport::Base64.encode64(Marshal.dump(session)).chop
+      "#{data}--#{generate_digest(data)}"
+    end
+
+    # Unmarshal cookie data to a hash and verify its integrity.
+    def unmarshal(cookie)
+      if cookie
+        data, digest = cookie.split('--')
+
+        # Do two checks to transparently support old double-escaped data.
+        unless digest == generate_digest(data) || digest == generate_digest(data = CGI.unescape(data))
+          delete
+          raise TamperedWithCookie
+        end
+
+        Marshal.load(ActiveSupport::Base64.decode64(data))
+      end
+    end
+
+    # Read the session data cookie.
+    def read_cookie
+      @session.cgi.cookies[@cookie_options['name']].first
+    end
+
+    # CGI likes to make you hack.
+    def write_cookie(options)
+      cookie = CGI::Cookie.new(@cookie_options.merge(options))
+      @session.cgi.send :instance_variable_set, '@output_cookies', [cookie]
+    end
+
+    # Clear cookie value so subsequent new_session doesn't reload old data.
+    def clear_old_cookie_value
+      @session.cgi.cookies[@cookie_options['name']].clear
+    end
+end

data/lib/action_controller/session/drb_server.rb

@@ -0,0 +1,32 @@
+#!/usr/local/bin/ruby -w
+                                                                                
+# This is a really simple session storage daemon, basically just a hash, 
+# which is enabled for DRb access.
+                                                                                
+require 'drb'
+
+session_hash = Hash.new
+session_hash.instance_eval { @mutex = Mutex.new }
+
+class <<session_hash
+  def []=(key, value)
+    @mutex.synchronize do
+      super(key, value)
+    end
+  end
+  
+  def [](key)
+    @mutex.synchronize do
+      super(key)
+    end
+  end
+  
+  def delete(key)
+    @mutex.synchronize do
+      super(key)
+    end
+  end
+end
+
+DRb.start_service('druby://127.0.0.1:9192', session_hash)
+DRb.thread.join

data/lib/action_controller/session/drb_store.rb

@@ -0,0 +1,35 @@
+require 'cgi'
+require 'cgi/session'
+require 'drb'
+ 
+class CGI #:nodoc:all
+  class Session
+    class DRbStore
+      @@session_data = DRbObject.new(nil, 'druby://localhost:9192')
+ 
+      def initialize(session, option=nil)
+        @session_id = session.session_id
+      end
+ 
+      def restore
+        @h = @@session_data[@session_id] || {}
+      end
+ 
+      def update
+        @@session_data[@session_id] = @h
+      end
+ 
+      def close
+        update
+      end
+ 
+      def delete
+        @@session_data.delete(@session_id)
+      end
+      
+      def data
+        @@session_data[@session_id]
+      end
+    end
+  end
+end

data/lib/action_controller/session/mem_cache_store.rb

@@ -0,0 +1,98 @@
+# cgi/session/memcached.rb - persistent storage of marshalled session data
+#
+# == Overview
+#
+# This file provides the CGI::Session::MemCache class, which builds
+# persistence of storage data on top of the MemCache library.  See
+# cgi/session.rb for more details on session storage managers.
+#
+
+begin
+  require 'cgi/session'
+  require_library_or_gem 'memcache'
+
+  class CGI
+    class Session
+      # MemCache-based session storage class.
+      #
+      # This builds upon the top-level MemCache class provided by the
+      # library file memcache.rb.  Session data is marshalled and stored
+      # in a memcached cache.
+      class MemCacheStore
+        def check_id(id) #:nodoc:#
+          /[^0-9a-zA-Z]+/ =~ id.to_s ? false : true
+        end
+
+        # Create a new CGI::Session::MemCache instance
+        #
+        # This constructor is used internally by CGI::Session. The
+        # user does not generally need to call it directly.
+        #
+        # +session+ is the session for which this instance is being
+        # created. The session id must only contain alphanumeric
+        # characters; automatically generated session ids observe
+        # this requirement.
+        #
+        # +options+ is a hash of options for the initializer. The
+        # following options are recognized:
+        #
+        # cache::  an instance of a MemCache client to use as the
+        #      session cache.
+        #
+        # expires:: an expiry time value to use for session entries in
+        #     the session cache. +expires+ is interpreted in seconds
+        #     relative to the current time if it�s less than 60*60*24*30
+        #     (30 days), or as an absolute Unix time (e.g., Time#to_i) if
+        #     greater. If +expires+ is +0+, or not passed on +options+,
+        #     the entry will never expire.
+        #
+        # This session's memcache entry will be created if it does
+        # not exist, or retrieved if it does.
+        def initialize(session, options = {})
+          id = session.session_id
+          unless check_id(id)
+            raise ArgumentError, "session_id '%s' is invalid" % id
+          end
+          @cache = options['cache'] || MemCache.new('localhost')
+          @expires = options['expires'] || 0
+          @session_key = "session:#{id}"
+          @session_data = {}
+          # Add this key to the store if haven't done so yet
+          unless @cache.get(@session_key)
+            @cache.add(@session_key, @session_data, @expires)
+          end
+        end
+
+        # Restore session state from the session's memcache entry.
+        #
+        # Returns the session state as a hash.
+        def restore
+          @session_data = @cache[@session_key] || {}
+        end
+
+        # Save session state to the session's memcache entry.
+        def update
+          @cache.set(@session_key, @session_data, @expires)
+        end
+      
+        # Update and close the session's memcache entry.
+        def close
+          update
+        end
+
+        # Delete the session's memcache entry.
+        def delete
+          @cache.delete(@session_key)
+          @session_data = {}
+        end
+        
+        def data
+          @session_data
+        end
+
+      end
+    end
+  end
+rescue LoadError
+  # MemCache wasn't available so neither can the store be
+end

data/lib/action_controller/session_management.rb

@@ -0,0 +1,158 @@
+require 'action_controller/session/cookie_store'
+require 'action_controller/session/drb_store'
+require 'action_controller/session/mem_cache_store'
+if Object.const_defined?(:ActiveRecord)
+  require 'action_controller/session/active_record_store'
+end
+
+module ActionController #:nodoc:
+  module SessionManagement #:nodoc:
+    def self.included(base)
+      base.class_eval do
+        extend ClassMethods
+        alias_method_chain :process, :session_management_support
+        alias_method_chain :process_cleanup, :session_management_support
+      end
+    end
+
+    module ClassMethods
+      # Set the session store to be used for keeping the session data between requests.
+      # By default, sessions are stored in browser cookies (<tt>:cookie_store</tt>),
+      # but you can also specify one of the other included stores (<tt>:active_record_store</tt>,
+      # <tt>:p_store</tt>, <tt>:drb_store</tt>, <tt>:mem_cache_store</tt>, or
+      # <tt>:memory_store</tt>) or your own custom class.
+      def session_store=(store)
+        ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:database_manager] =
+          store.is_a?(Symbol) ? CGI::Session.const_get(store == :drb_store ? "DRbStore" : store.to_s.camelize) : store
+      end
+
+      # Returns the session store class currently used.
+      def session_store
+        ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:database_manager]
+      end
+
+      # Returns the hash used to configure the session. Example use:
+      #
+      #   ActionController::Base.session_options[:session_secure] = true # session only available over HTTPS
+      def session_options
+        ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS
+      end
+      
+      # Specify how sessions ought to be managed for a subset of the actions on
+      # the controller. Like filters, you can specify <tt>:only</tt> and
+      # <tt>:except</tt> clauses to restrict the subset, otherwise options
+      # apply to all actions on this controller.
+      #
+      # The session options are inheritable, as well, so if you specify them in
+      # a parent controller, they apply to controllers that extend the parent.
+      #
+      # Usage:
+      #
+      #   # turn off session management for all actions.
+      #   session :off
+      #
+      #   # turn off session management for all actions _except_ foo and bar.
+      #   session :off, :except => %w(foo bar)
+      #
+      #   # turn off session management for only the foo and bar actions.
+      #   session :off, :only => %w(foo bar)
+      #
+      #   # the session will only work over HTTPS, but only for the foo action
+      #   session :only => :foo, :session_secure => true
+      #
+      #   # the session will only be disabled for 'foo', and only if it is
+      #   # requested as a web service
+      #   session :off, :only => :foo,
+      #           :if => Proc.new { |req| req.parameters[:ws] }
+      #
+      #   # the session will be disabled for non html/ajax requests
+      #   session :off, 
+      #     :if => Proc.new { |req| !(req.format.html? || req.format.js?) }
+      #
+      #   # turn the session back on, useful when it was turned off in the
+      #   # application controller, and you need it on in another controller
+      #   session :on
+      #
+      # All session options described for ActionController::Base.process_cgi
+      # are valid arguments.
+      def session(*args)
+        options = args.extract_options!
+
+        options[:disabled] = false if args.delete(:on)
+        options[:disabled] = true if !args.empty?
+        options[:only] = [*options[:only]].map { |o| o.to_s } if options[:only]
+        options[:except] = [*options[:except]].map { |o| o.to_s } if options[:except]
+        if options[:only] && options[:except]
+          raise ArgumentError, "only one of either :only or :except are allowed"
+        end
+
+        write_inheritable_array("session_options", [options])
+      end
+
+      # So we can declare session options in the Rails initializer.
+      alias_method :session=, :session
+
+      def cached_session_options #:nodoc:
+        @session_options ||= read_inheritable_attribute("session_options") || []
+      end
+
+      def session_options_for(request, action) #:nodoc:
+        if (session_options = cached_session_options).empty?
+          {}
+        else
+          options = {}
+
+          action = action.to_s
+          session_options.each do |opts|
+            next if opts[:if] && !opts[:if].call(request)
+            if opts[:only] && opts[:only].include?(action)
+              options.merge!(opts)
+            elsif opts[:except] && !opts[:except].include?(action)
+              options.merge!(opts)
+            elsif !opts[:only] && !opts[:except]
+              options.merge!(opts)
+            end
+          end
+          
+          if options.empty? then options
+          else
+            options.delete :only
+            options.delete :except
+            options.delete :if
+            options[:disabled] ? false : options
+          end
+        end
+      end
+    end
+
+    def process_with_session_management_support(request, response, method = :perform_action, *arguments) #:nodoc:
+      set_session_options(request)
+      process_without_session_management_support(request, response, method, *arguments)
+    end
+
+    private
+      def set_session_options(request)
+        request.session_options = self.class.session_options_for(request, request.parameters["action"] || "index")
+      end
+      
+      def process_cleanup_with_session_management_support
+        clear_persistent_model_associations
+        process_cleanup_without_session_management_support
+      end
+
+      # Clear cached associations in session data so they don't overflow
+      # the database field.  Only applies to ActiveRecordStore since there
+      # is not a standard way to iterate over session data.
+      def clear_persistent_model_associations #:doc:
+        if defined?(@_session) && @_session.respond_to?(:data)
+          session_data = @_session.data
+
+          if session_data && session_data.respond_to?(:each_value)
+            session_data.each_value do |obj|
+              obj.clear_association_cache if obj.respond_to?(:clear_association_cache)
+            end
+          end
+        end
+      end
+  end
+end