els_token 1.0.0

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2012 YOURNAME
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,9 @@
+= ELS Token
+
+A simple library for interfacing with forgeRock OpenAM REST Interface.
+
+Still pretty much in development but kind of workable.
+
+= TODO
+Refactor to remove explicit Rack based session interrogation.
+Refactor and fix tests

data/Rakefile

@@ -0,0 +1,38 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'ElsToken'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+
+
+
+Bundler::GemHelper.install_tasks
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'lib'
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+
+task :default => :test

data/lib/cert/AOLMemberCA

@@ -0,0 +1,47 @@
+-----BEGIN CERTIFICATE-----
+MIIEKzCCAxOgAwIBAgIBBzANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEc
+MBoGA1UEChMTQW1lcmljYSBPbmxpbmUgSW5jLjE2MDQGA1UEAxMtQW1lcmljYSBP
+bmxpbmUgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAxMB4XDTA0MDYwNDE3
+MjYzOVoXDTI5MDYwNDE3MjYzOVowZzELMAkGA1UEBhMCVVMxETAPBgNVBAgTCFZp
+cmdpbmlhMQ8wDQYDVQQHEwZEdWxsZXMxHDAaBgNVBAoTE0FtZXJpY2EgT25saW5l
+IEluYy4xFjAUBgNVBAMTDUFPTCBNZW1iZXIgQ0EwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQD4Y9jxzNYRbwXh1p9DJycl+q9nh3Ss3Nb8wpq9M3JOZbBa
+zev4qWlIOW5oLnEWbp5ZfMJ8ze1uQ9gJQk4Nmn3utVojgdKkW6lRVBzf9oTfGcM+
+lC2NuhD46EMIDzI1bDUx+NbT/Akx1qmheiAGWQzgK42EwzegCB7xNXMQ3U/9DHKT
+Jm6vxRw548rzlW8wwoU9TYQgyD490EDW/gZKGHMLbldn24PBE2aX071ZvH76LzZF
+FM28v6tod79I6xGJTmqE810c5WtqAOZrjUikCbkh3C1mKfRWnvAFaP/MwcmIvNIs
+C68ddBqGaKRtFHTsJID4lbnzLjw9IG8JAjjqOjgFAgMBAAGjgeUwgeIwDgYDVR0P
+AQH/BAQDAgGGMB0GA1UdDgQWBBRhppltJJ8OEYjmOeD+dNEFaVKpQzAfBgNVHSME
+GDAWgBQArdmj9nn2bnSpfzM9gRfXTM8z3jAPBgNVHRMBAf8EBTADAQH/MEgGA1Ud
+IARBMD8wPQYEVR0gADA1MDMGCCsGAQUFBwIBFidodHRwczovL3BraS1pbmZvLmFv
+bC5jb20vQU9ML2luZGV4Lmh0bWwwNQYDVR0fBC4wLDAqoCigJoYkaHR0cDovL2Ny
+bC5hb2wuY29tL0FPTC9NYXN0ZXJDUkwuY3JsMA0GCSqGSIb3DQEBBQUAA4IBAQAM
+nbzMHdQukRuvoDrrzV78JSopjrMg4Bc3+vy7xbUUuxxmDm9YX8Zx0BOJx60jC+1M
+uFjB48KkJExldg2zhmRPKLrPlvhlmg6CJvWChU41ILNFzGDuD04glDorL8sjEJtG
+G37DVnVJJKS4TZ8caNTm8i+vju0rt+WWaxw9jb8g028tVC+ceTX92gbeaCAgS69d
+q15mwxRke/cC5ieWrRgeq/OCYPxMX7YKUnuenDsuzjxCXzZta/6hdooiIf1b6L1/
+n85RdEhsrLXRomr6B0Te0NupjRgf8bnF6Crruj07GIzADDCzySEcM0w6SVPUqLq6
+OCM9OmWCXnlxFfglK30Z
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDpDCCAoygAwIBAgIBATANBgkqhkiG9w0BAQUFADBjMQswCQYDVQQGEwJVUzEc
+MBoGA1UEChMTQW1lcmljYSBPbmxpbmUgSW5jLjE2MDQGA1UEAxMtQW1lcmljYSBP
+bmxpbmUgUm9vdCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAxMB4XDTAyMDUyODA2
+MDAwMFoXDTM3MTExOTIwNDMwMFowYzELMAkGA1UEBhMCVVMxHDAaBgNVBAoTE0Ft
+ZXJpY2EgT25saW5lIEluYy4xNjA0BgNVBAMTLUFtZXJpY2EgT25saW5lIFJvb3Qg
+Q2VydGlmaWNhdGlvbiBBdXRob3JpdHkgMTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKgv6KRpBgNHw+kqmP8ZonCaxlCyfqXfaE0bfA+2l2h9LaaLl+lk
+hsmj76CGv2BlnEtUiMJIxUo5vxTjWVXlGbR0yLQFOVwWpeKVBeASrlmLojNoWBym
+1BW32J/X3HGrfpq/m44zDyL9Hy7nBzbvYjnF3cu6JRQj3gzGPTzOggjmZj7aUTsW
+OqMFf6Dch9Wc/HKpoH145LcxVR5lu9RhsCFg7RAycsWSJR74kEoYeEfffjA3PlAb
+2xzTa5qGUwew76wGePiEmf4hjUyAtgyC9mZweRrTT6PP8c9GsEsPPt2IYriMqQko
+O3rHl+Ee5fSfwMCuJKDIodkP1nsmgmkyPacCAwEAAaNjMGEwDwYDVR0TAQH/BAUw
+AwEB/zAdBgNVHQ4EFgQUAK3Zo/Z59m50qX8zPYEX10zPM94wHwYDVR0jBBgwFoAU
+AK3Zo/Z59m50qX8zPYEX10zPM94wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB
+BQUAA4IBAQB8itEfGDeC4Liwo+1WlchiYZwFos3CYiZhzRAW18y0ZTTQEYqtqKkF
+Zu90821fnZmv9ov761KyBZiibyrFVL0lvV+uyIbqRizBs73B6UlwGBaXCBOMIOAb
+LjpHyx7kADCVW/RFo8AasAFOq73AI25jP4BKxQft3OJvx8Fi8eNy1gTIdGcL+oir
+oQHIb/AUr9KZzVGTfu0uOMe9zkZQPXLjeSWdm4grECDdpbgyn43gKd8hdIaC2y+C
+MMbHNYaz+ZZfRtsMRf3zUMNvxsNIrUam4SdHCh0Om7bCd39j8uB9Gr784N/Xx6ds
+sPmuujz9dLQR6FgNgLzTqIA6me11zEZ7
+-----END CERTIFICATE-----

data/lib/els_token.rb

@@ -0,0 +1,161 @@
+require 'els_token/module_inheritable_attributes'
+require 'els_token/els_user'
+require 'net/http'
+require 'uri'
+
+module ElsToken
+  
+  RootCA = "#{File.dirname(__FILE__)}/../cert/AOLMemberCA"
+  
+  def self.included(base)
+    base.extend ClassMethods
+    base.send :include, ElsToken::ModuleInheritableAttributes
+    base.send :mattr_inheritable, :els_options
+    base.instance_variable_set("@els_options", {})
+  end
+
+  module ClassMethods
+    
+    # els_config expects a nice hash telling
+    # it if it will have a fake user (handy for dev)
+    # and the url of the openAM REST API.
+    # { faker => { user => 'username',
+    #             :environments => ['dev','test'] },
+    #   uri => 'https://openam.url' }
+    #
+    #   class MyController
+    #     include ElsToken
+    #     els_config options_hash
+    #   end
+    def els_config(options = {})
+      @els_options = options
+    end
+  
+  end
+
+  # authenticates against ELS and returns the user token
+  def authenticate(username,password)
+
+    begin
+      response = els_http_request("/authenticate","uri=realm=aolcorporate&username=#{username}&password=#{password}")
+      if response.code.eql? "200"
+        # return the token
+        response.body.chomp.sub(/token\.id=/,"")
+      else
+        raise response.error! 
+      end
+    rescue Net::HTTPExceptions => e1
+      raise e1, "token retrieval failed for #{username}"
+    rescue Exception => e
+      # Do not expect these. Wrapping the exception so
+      # as to not reveal the passed in password
+      raise e, "unable to fetch token for #{username}"
+    end
+  end
+  
+  def is_token_valid?(token)
+    response = els_http_request("/isTokenValid","tokenid=#{token}")
+    if response.code.eql? "200"
+      true
+    else
+      false
+    end
+  end
+
+  #extract the token from the rack cookie
+  def is_cookie_token_valid?
+    return true if fake_it?
+    token = cookies[self.class.els_options['cookie']]
+    if token.nil? || !is_token_valid?(token)
+      false
+    else
+      true
+    end
+  end
+
+  # obtain a full ElsIdentity object
+  def get_token_identity(token)
+    response = els_http_request("/attributes","subjectid=#{token}")
+    if response.code.eql? "200"
+      ElsIdentity.new(response.body)
+    else
+      response.error!
+    end
+  end
+  
+  # When used inside a rack environment
+  # will attempt to retrieve the user token
+  # from the session cookie and return a full
+  # identity
+  def get_identity
+    return fake_id if fake_it?
+    begin
+      if is_cookie_token_valid?
+        get_token_identity cookies[self.class.els_options['cookie']]
+      else
+        raise "token is invalid"
+      end
+    rescue Exception => e
+      raise e
+    end
+  end 
+      
+  def method_missing(m, *args, &block)
+    puts "Drop the crack pipe - There is no method called #{m}"
+  end
+
+  private
+  
+  def els_http_request(url_base_extension, query_string)
+    uri = URI.parse(self.class.els_options['uri'] + url_base_extension)
+    uri.query=query_string
+    http = Net::HTTP.new(uri.host,uri.port)
+    http.use_ssl = true
+    
+    # Override the default CA if option is
+    # passed in
+    if rootca = self.class.els_options[:cert]
+      if File.exist? rootca
+        http.ca_file = rootca
+      elsif Dir.exist? rootca
+        http.ca.path = rootca
+      else
+        # throw - if option passed in we are not
+        # going to attempt to use the default cert
+        raise "${rootca} cannot be found"
+      end
+    else
+      http.ca_file = RootCA
+    end
+        
+    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    http.verify_depth = 5
+    
+    request = Net::HTTP::Get.new(uri.request_uri)
+
+    http.request(request)
+  end
+  
+  def fake_it?
+    self.class.els_options.has_key? 'faker'
+  end
+
+  def fake_id
+    unless @fake_id
+      id = ElsIdentity.new
+      id.instance_variable_set("@roles",self.class.els_options['faker']['roles'])
+      id.instance_variable_set("@mail",self.class.els_options['faker']['mail'])
+      id.instance_variable_set("@last_name",self.class.els_options['faker']['last_name'])
+      id.instance_variable_set("@first_name",self.class.els_options['faker']['first_name'])
+      id.instance_variable_set("@uac",self.class.els_options['faker']['uac'])
+      id.instance_variable_set("@dn",self.class.els_options['faker']['dn'])
+      id.instance_variable_set("@common_name",self.class.els_options['faker']['common_name'])
+      id.instance_variable_set("@employee_number",self.class.els_options['faker']['employee_number'])
+      id.instance_variable_set("@display_name",self.class.els_options['faker']['display_name'])
+      id.instance_variable_set("@token_id",self.class.els_options['faker']['token_id'])
+      @fake_id = id
+    end
+    @fake_id
+  end
+
+end

data/lib/els_token/els_user.rb

@@ -0,0 +1,81 @@
+module ElsToken
+  
+  
+  
+  class ElsIdentity
+    attr_reader :roles, :mail, :last_name, :first_name, :uac, :dn, :common_name
+    attr_reader :employee_number, :display_name, :name, :token_id
+
+    def cdid
+      @name
+    end
+
+    def has_role?(role)
+      @roles.include? role
+    end
+
+    def initialize(rest_response = nil)
+      @roles = []
+      parse(rest_response) if rest_response
+      @lines = nil
+    end
+
+    private
+
+
+      def parse(response)
+        @lines = response.lines
+        begin
+          while @lines.peek
+            line = @lines.next.chomp
+            case
+              when line =~ /userdetails\.role/
+                @roles    << line.split(",")[0].sub(/^userdetails\.role=id=/,"")
+
+              when line =~ /userdetails\.token\.id/
+                @token_id = line.sub(/userdetails\.token\.id=/,"")
+
+              when line =~ /name=mail/
+                self_set :mail
+
+              when line =~ /attribute\.name=sn/
+                self_set :last_name
+
+              when line =~ /name=useraccountcontrol/
+                self_set :uac
+                @uac = (uac.to_i & 2 == 0) ? "enabled" : "disabled"
+
+              when line =~ /name=givenname/
+                self_set :first_name
+
+              when line =~ /name=distinguishedname/
+                self_set :dn
+
+              when line =~ /name=employeenumber/
+                self_set :employee_number
+
+              when line =~ /name=cn/
+                self_set :common_name
+
+              when line =~ /name=name/
+                self_set :name
+
+              when line =~ /name=displayname/
+                self_set :display_name
+            end
+          end
+        rescue 
+          # nadda
+        end
+      end
+
+      USER_ATTRIB_VALUE = /^userdetails\.attribute\.value=/
+
+      def self_set(v)
+        self.instance_variable_set("@#{v.to_s}",
+          @lines.next.chomp.sub(USER_ATTRIB_VALUE,""))
+      end
+
+  end
+  
+end

data/lib/els_token/module_inheritable_attributes.rb

@@ -0,0 +1,35 @@
+# With thanks to HTTParty: https://github.com/jnunemaker/httparty/blob/master/lib/httparty/module_inheritable_attributes.rb
+module ElsToken
+  module ModuleInheritableAttributes
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    module ClassMethods
+      def mattr_inheritable(*args)
+        @mattr_inheritable_attrs ||= [:mattr_inheritable_attrs]
+        @mattr_inheritable_attrs += args
+        args.each do |arg|
+          module_eval %(class << self; attr_accessor :#{arg} end)
+        end
+        @mattr_inheritable_attrs
+      end
+
+      def inherited(subclass)
+        super
+        @mattr_inheritable_attrs.each do |inheritable_attribute|
+          ivar = "@#{inheritable_attribute}"
+          subclass.instance_variable_set(ivar, instance_variable_get(ivar).clone)
+          if instance_variable_get(ivar).respond_to?(:merge)
+            method = <<-EOM
+              def self.#{inheritable_attribute}
+                #{ivar} = superclass.#{inheritable_attribute}.merge #{ivar}
+              end
+            EOM
+            subclass.class_eval method
+          end
+        end
+      end
+    end
+  end
+end

data/lib/els_token/version.rb

@@ -0,0 +1,3 @@
+module ElsToken
+  VERSION = "1.0.0"
+end

data/lib/tasks/els_token_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :els_token do
+#   # Task goes here
+# end

data/test/dummy/Gemfile

@@ -0,0 +1,3 @@
+source "http://rubygems.org"
+
+gem 'rails', '~> 3.2.0'

data/test/dummy/Gemfile.lock

@@ -0,0 +1,85 @@
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionmailer (3.2.8)
+      actionpack (= 3.2.8)
+      mail (~> 2.4.4)
+    actionpack (3.2.8)
+      activemodel (= 3.2.8)
+      activesupport (= 3.2.8)
+      builder (~> 3.0.0)
+      erubis (~> 2.7.0)
+      journey (~> 1.0.4)
+      rack (~> 1.4.0)
+      rack-cache (~> 1.2)
+      rack-test (~> 0.6.1)
+      sprockets (~> 2.1.3)
+    activemodel (3.2.8)
+      activesupport (= 3.2.8)
+      builder (~> 3.0.0)
+    activerecord (3.2.8)
+      activemodel (= 3.2.8)
+      activesupport (= 3.2.8)
+      arel (~> 3.0.2)
+      tzinfo (~> 0.3.29)
+    activeresource (3.2.8)
+      activemodel (= 3.2.8)
+      activesupport (= 3.2.8)
+    activesupport (3.2.8)
+      i18n (~> 0.6)
+      multi_json (~> 1.0)
+    arel (3.0.2)
+    builder (3.0.3)
+    erubis (2.7.0)
+    hike (1.2.1)
+    i18n (0.6.1)
+    journey (1.0.4)
+    json (1.7.5)
+    mail (2.4.4)
+      i18n (>= 0.4.0)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
+    mime-types (1.19)
+    multi_json (1.3.6)
+    polyglot (0.3.3)
+    rack (1.4.1)
+    rack-cache (1.2)
+      rack (>= 0.4)
+    rack-ssl (1.3.2)
+      rack
+    rack-test (0.6.1)
+      rack (>= 1.0)
+    rails (3.2.8)
+      actionmailer (= 3.2.8)
+      actionpack (= 3.2.8)
+      activerecord (= 3.2.8)
+      activeresource (= 3.2.8)
+      activesupport (= 3.2.8)
+      bundler (~> 1.0)
+      railties (= 3.2.8)
+    railties (3.2.8)
+      actionpack (= 3.2.8)
+      activesupport (= 3.2.8)
+      rack-ssl (~> 1.3.2)
+      rake (>= 0.8.7)
+      rdoc (~> 3.4)
+      thor (>= 0.14.6, < 2.0)
+    rake (0.9.2.2)
+    rdoc (3.12)
+      json (~> 1.4)
+    sprockets (2.1.3)
+      hike (~> 1.2)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    thor (0.16.0)
+    tilt (1.3.3)
+    treetop (1.4.10)
+      polyglot
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.33)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  rails (~> 3.2.0)