esp-auth 1.0.0

data/config/initializers/devise.rb

@@ -0,0 +1,223 @@
+# Use this hook to configure devise mailer, warden hooks and so forth.
+# Many of these configuration options can be set straight in your model.
+Devise.setup do |config|
+  # ==> Mailer Configuration
+  # Configure the e-mail address which will be shown in Devise::Mailer,
+  # note that it will be overwritten if you use your own mailer class with default "from" parameter.
+  # config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"
+
+  # Configure the class responsible to send e-mails.
+  # config.mailer = "Devise::Mailer"
+
+  # Automatically apply schema changes in tableless databases
+  config.apply_schema = false
+
+  # ==> ORM configuration
+  # Load and configure the ORM. Supports :active_record (default) and
+  # :mongoid (bson_ext recommended) by default. Other ORMs may be
+  # available as additional gems.
+  require 'devise/orm/active_record'
+
+  # ==> Configuration for any authentication mechanism
+  # Configure which keys are used when authenticating a user. The default is
+  # just :email. You can configure it to use [:username, :subdomain], so for
+  # authenticating a user, both parameters are required. Remember that those
+  # parameters are used only when authenticating and not when retrieving from
+  # session. If you need permissions, you should implement that in a before filter.
+  # You can also supply a hash where the value is a boolean determining whether
+  # or not authentication should be aborted when the value is not present.
+  # config.authentication_keys = [ :email ]
+
+  # Configure parameters from the request object used for authentication. Each entry
+  # given should be a request method and it will automatically be passed to the
+  # find_for_authentication method and considered in your model lookup. For instance,
+  # if you set :request_keys to [:subdomain], :subdomain will be used on authentication.
+  # The same considerations mentioned for authentication_keys also apply to request_keys.
+  # config.request_keys = []
+
+  # Configure which authentication keys should be case-insensitive.
+  # These keys will be downcased upon creating or modifying a user and when used
+  # to authenticate or find a user. Default is :email.
+  config.case_insensitive_keys = []
+
+  # Configure which authentication keys should have whitespace stripped.
+  # These keys will have whitespace before and after removed upon creating or
+  # modifying a user and when used to authenticate or find a user. Default is :email.
+  config.strip_whitespace_keys = []
+
+  # Tell if authentication through request.params is enabled. True by default.
+  # It can be set to an array that will enable params authentication only for the
+  # given strategies, for example, `config.params_authenticatable = [:database]` will
+  # enable it only for database (email + password) authentication.
+  # config.params_authenticatable = true
+
+  # Tell if authentication through HTTP Basic Auth is enabled. False by default.
+  # It can be set to an array that will enable http authentication only for the
+  # given strategies, for example, `config.http_authenticatable = [:token]` will
+  # enable it only for token authentication.
+  # config.http_authenticatable = false
+
+  # If http headers should be returned for AJAX requests. True by default.
+  # config.http_authenticatable_on_xhr = true
+
+  # The realm used in Http Basic Authentication. "Application" by default.
+  # config.http_authentication_realm = "Application"
+
+  # It will change confirmation, password recovery and other workflows
+  # to behave the same regardless if the e-mail provided was right or wrong.
+  # Does not affect registerable.
+  # config.paranoid = true
+
+  # By default Devise will store the user in session. You can skip storage for
+  # :http_auth and :token_auth by adding those symbols to the array below.
+  # Notice that if you are skipping storage for all authentication paths, you
+  # may want to disable generating routes to Devise's sessions controller by
+  # passing :skip => :sessions to `devise_for` in your config/routes.rb
+  config.skip_session_storage = [:http_auth]
+
+  # ==> Configuration for :database_authenticatable
+  # For bcrypt, this is the cost for hashing the password and defaults to 10. If
+  # using other encryptors, it sets how many times you want the password re-encrypted.
+  #
+  # Limiting the stretches to just one in testing will increase the performance of
+  # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use
+  # a value less than 10 in other environments.
+  config.stretches = Rails.env.test? ? 1 : 10
+
+  # Setup a pepper to generate the encrypted password.
+  # config.pepper = "ae446f37fc90fcaf3e69e6778874d32d05bdc3b515a5f2029ae43947a3596bcce76380251d9b77019827a7c16439fe7efddcb46988a4eda678f570b6488f5c57"
+
+  # ==> Configuration for :confirmable
+  # A period that the user is allowed to access the website even without
+  # confirming his account. For instance, if set to 2.days, the user will be
+  # able to access the website for two days without confirming his account,
+  # access will be blocked just in the third day. Default is 0.days, meaning
+  # the user cannot access the website without confirming his account.
+  # config.allow_unconfirmed_access_for = 2.days
+
+  # If true, requires any email changes to be confirmed (exctly the same way as
+  # initial account confirmation) to be applied. Requires additional unconfirmed_email
+  # db field (see migrations). Until confirmed new email is stored in
+  # unconfirmed email column, and copied to email column on successful confirmation.
+  config.reconfirmable = true
+
+  # Defines which key will be used when confirming an account
+  # config.confirmation_keys = [ :email ]
+
+  # ==> Configuration for :rememberable
+  # The time the user will be remembered without asking for credentials again.
+  # config.remember_for = 2.weeks
+
+  # If true, extends the user's remember period when remembered via cookie.
+  # config.extend_remember_period = false
+
+  # If true, uses the password salt as remember token. This should be turned
+  # to false if you are not using database authenticatable.
+  config.use_salt_as_remember_token = true
+
+  # Options to be passed to the created cookie. For instance, you can set
+  # :secure => true in order to force SSL only cookies.
+  # config.cookie_options = {}
+
+  # ==> Configuration for :validatable
+  # Range for password length. Default is 6..128.
+  # config.password_length = 6..128
+
+  # Email regex used to validate email formats. It simply asserts that
+  # an one (and only one) @ exists in the given string. This is mainly
+  # to give user feedback and not to assert the e-mail validity.
+  # config.email_regexp = /\A[^@]+@[^@]+\z/
+
+  # ==> Configuration for :timeoutable
+  # The time you want to timeout the user session without activity. After this
+  # time the user will be asked for credentials again. Default is 30 minutes.
+  # config.timeout_in = 30.minutes
+
+  # ==> Configuration for :lockable
+  # Defines which strategy will be used to lock an account.
+  # :failed_attempts = Locks an account after a number of failed attempts to sign in.
+  # :none            = No lock strategy. You should handle locking by yourself.
+  # config.lock_strategy = :failed_attempts
+
+  # Defines which key will be used when locking and unlocking an account
+  # config.unlock_keys = [ :email ]
+
+  # Defines which strategy will be used to unlock an account.
+  # :email = Sends an unlock link to the user email
+  # :time  = Re-enables login after a certain amount of time (see :unlock_in below)
+  # :both  = Enables both strategies
+  # :none  = No unlock strategy. You should handle unlocking by yourself.
+  # config.unlock_strategy = :both
+
+  # Number of authentication tries before locking an account if lock_strategy
+  # is failed attempts.
+  # config.maximum_attempts = 20
+
+  # Time interval to unlock the account if :time is enabled as unlock_strategy.
+  # config.unlock_in = 1.hour
+
+  # ==> Configuration for :recoverable
+  #
+  # Defines which key will be used when recovering the password for an account
+  # config.reset_password_keys = [ :email ]
+
+  # Time interval you can reset your password with a reset password key.
+  # Don't put a too small interval or your users won't have the time to
+  # change their passwords.
+  config.reset_password_within = 6.hours
+
+  # ==> Configuration for :encryptable
+  # Allow you to use another encryption algorithm besides bcrypt (default). You can use
+  # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,
+  # :authlogic_sha512 (then you should set stretches above to 20 for default behavior)
+  # and :restful_authentication_sha1 (then you should set stretches to 10, and copy
+  # REST_AUTH_SITE_KEY to pepper)
+  # config.encryptor = :sha512
+
+  # ==> Configuration for :token_authenticatable
+  # Defines name of the authentication token params key
+  # config.token_authentication_key = :auth_token
+
+  # ==> Scopes configuration
+  # Turn scoped views on. Before rendering "sessions/new", it will first check for
+  # "users/sessions/new". It's turned off by default because it's slower if you
+  # are using only default views.
+  # config.scoped_views = false
+
+  # Configure the default scope given to Warden. By default it's the first
+  # devise role declared in your routes (usually :user).
+  # config.default_scope = :user
+
+  # Configure sign_out behavior.
+  # Sign_out action can be scoped (i.e. /users/sign_out affects only :user scope).
+  # The default is true, which means any logout action will sign out all active scopes.
+  # config.sign_out_all_scopes = true
+
+  # ==> Navigation configuration
+  # Lists the formats that should be treated as navigational. Formats like
+  # :html, should redirect to the sign in page when the user does not have
+  # access, but formats like :xml or :json, should return 401.
+  #
+  # If you have any extra navigational formats, like :iphone or :mobile, you
+  # should add them to the navigational formats lists.
+  #
+  # The "*/*" below is required to match Internet Explorer requests.
+  # config.navigational_formats = ["*/*", :html]
+
+  # The default HTTP method used to sign out a resource. Default is :delete.
+  config.sign_out_via = :delete
+
+  # ==> OmniAuth
+  # Add a new OmniAuth provider. Check the wiki for more information on setting
+  # up on your models and hooks.
+  # config.omniauth :github, 'APP_ID', 'APP_SECRET', :scope => 'user,public_repo'
+
+  # ==> Warden configuration
+  # If you want to use other strategies, that are not supported by Devise, or
+  # change the failure app, you can configure them inside the config.warden block.
+  #
+  # config.warden do |manager|
+  #   manager.intercept_401 = false
+  #   manager.default_strategies(:scope => :user).unshift :some_external_strategy
+  # end
+end

data/config/locales/ru.yml

@@ -0,0 +1,35 @@
+ru:
+  activerecord:
+    attributes:
+      permission:
+        polimorphic_context:  Контекст
+        context:              Категория
+        role:                 Роль
+        user_search:          Пользователь
+
+    models:
+      permission:             Право доступа
+
+  views:
+    pagination:
+      next:                   "→"
+      last:                   Последняя страница
+      previous:               "←"
+      first:                  Первая страница
+      truncate:               ...
+
+  permissions:
+    'Are you sure?':          Вы уверены, в том что хотите удалить запись?
+    'You are sign in as':     Вы вошли как
+    'You are adding role to': Вы добавляете роль для
+    back_to_manage:           Назад в раздел управления контентом
+    cancel:                   Отмена
+    create:                   Создать
+    create_permission:        Создать право доступа
+    delete:                   Удалить
+    new:                      Добавить право доступа
+    not_selected:             -- не выбрано --
+    search:                   Поиск
+    show_permissions:         Показать права доступа
+    sign_out:                 Выход
+    title:                    Управление правами доступа

data/config/routes.rb

@@ -0,0 +1,25 @@
+EspAuth::Engine.routes.draw do
+  resources :permissions, :only => [:new, :create, :destroy]
+
+  resources :users, :only => :index do
+    resources :permissions, :only => [:new, :create]
+  end
+
+  match '/users/search' => "users#search"
+
+  get 'sign_out' => 'sessions#destroy', :as => :destroy_user_session
+
+  root :to => 'users#index'
+end
+
+Rails.application.routes.draw do
+  devise_for :users, :path => 'auth', controllers: {omniauth_callbacks:'esp_auth/omniauth_callbacks'}, :skip => [:sessions]
+
+  devise_scope :users do
+    get 'sign_in' => redirect('/auth/auth/identity'), :as => :new_user_session
+  end
+
+  mount EspAuth::Engine => '/auth'
+
+end rescue NameError
+

data/lib/esp-auth.rb

@@ -0,0 +1,19 @@
+require "esp_auth/engine"
+
+require 'ancestry'
+require 'cancan'
+require 'curb'
+require 'devise'
+require 'default_value_for'
+require 'has_enum'
+require 'has_scope'
+require 'has_searcher'
+require 'inherited_resources'
+require 'jquery-rails'
+require 'kaminari'
+require 'sprockets'
+require 'sass-rails'
+require 'sunspot_rails'
+
+module EspAuth
+end

data/lib/esp_auth/engine.rb

@@ -0,0 +1,41 @@
+module EspAuth
+  class Engine < Rails::Engine
+    isolate_namespace EspAuth
+
+    config.after_initialize do
+      begin
+        Settings.resolve!
+      rescue => e
+        puts "WARNING! #{e.message}"
+      end
+    end
+
+    initializer "sso_client.devise", :before => 'devise.omniauth' do |app|
+      require File.expand_path("../../../lib/omniauth/strategies/identity", __FILE__)
+
+      Settings.define 'sso.url',    :env_var => 'SSO_URL',    :required => true
+      Settings.define 'sso.key',    :env_var => 'SSO_KEY',    :required => true
+      Settings.define 'sso.secret', :env_var => 'SSO_SECRET', :required => true
+
+      Devise.setup do |config|
+        config.omniauth :identity, Settings['sso.key'], Settings['sso.secret'], :client_options => {:site => Settings['sso.url']}
+      end
+    end
+
+    config.to_prepare do
+      ActionController::Base.class_eval do
+        def self.esp_load_and_authorize_resource
+          inherit_resources
+          load_and_authorize_resource
+
+          before_filter :authenticate_user!
+          before_filter :authorize_user_can_manage_application!
+        end
+        protected
+        def authorize_user_can_manage_application!
+            authorize! :manage, :application
+        end
+      end
+    end
+  end
+end

data/lib/esp_auth/spec_helper.rb

@@ -0,0 +1,68 @@
+module EspAuth
+  module SpecHelper
+
+    def ability_for(user)
+      Ability.new(user)
+    end
+
+    def user
+      @user ||= User.create! :uid => 1, :name => 'User'
+    end
+
+    def another_user
+      @another_user ||= User.create! :uid => 2, :name => 'Another user'
+    end
+
+    def create_context(parent=nil)
+      Context.create! :title => 'context', :parent => parent
+    end
+
+    def create_subcontext(context)
+      Subcontext.create! :title => 'subcontext', :context => context
+    end
+
+    def root
+      @root ||= create_context
+    end
+
+    def child_1
+      @child_1 ||= create_context root
+    end
+
+    def child_1_1
+      @child_1_1 ||= create_context child_1
+    end
+
+    def child_1_2
+      @child_1_2 ||= create_context child_1
+    end
+
+    def child_2
+      @child_2 ||= create_context root
+    end
+
+    def subcontext(context)
+      @subcontext ||= create_subcontext(context)
+    end
+
+    def another_subcontext(context)
+      @another_subcontext ||= create_subcontext(context)
+    end
+
+    Permission.enums[:role].each do | role |
+      define_method "#{role}_of" do |context|
+        user.tap do | user |
+          user.permissions.create! :context => context, :role => role
+        end
+      end
+    end
+
+    Permission.enums[:role].each do | role |
+      define_method "another_#{role}_of" do |context|
+        another_user.tap do | another_user |
+          another_user.permissions.create! :context => context, :role => role
+        end
+      end
+    end
+  end
+end

data/lib/esp_auth/version.rb

@@ -0,0 +1,3 @@
+module EspAuth
+  VERSION = "1.0.0"
+end

data/lib/generators/esp_auth/install/install_generator.rb

@@ -0,0 +1,49 @@
+require 'rails/generators/migration'
+
+module EspAuth
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      include Rails::Generators::Migration
+
+      source_root File.expand_path('../templates', __FILE__)
+
+      def self.next_migration_number(dirname)
+        @number ||= Time.now.strftime('%Y%m%d%H%M%S').to_i
+        @number += 1
+      end
+
+      def create_models
+        template 'app/models/ability.rb'
+        template 'app/models/user.rb'
+        template 'app/models/context.rb'
+        template 'app/models/permission.rb'
+        template 'app/models/subcontext.rb'
+      end
+
+      def create_controllers
+        template 'app/controllers/manage/application_controller.rb'
+      end
+
+      def create_config
+        template 'config/schedule.rb'
+        template 'config/locales/permissions_enum.ru.yml'
+      end
+
+      def create_seeds
+        template 'db/seeds.rb'
+      end
+
+      def create_specs
+        template 'spec/models/ability_spec.rb'
+      end
+
+      def create_migrations
+        migration_template 'db/migrate/esp_auth_create_users.rb'
+        migration_template 'db/migrate/esp_auth_create_contexts.rb'
+        migration_template 'db/migrate/esp_auth_create_permissions.rb'
+        migration_template 'db/migrate/esp_auth_create_subcontexts.rb'
+      end
+
+    end
+  end
+end

data/lib/generators/esp_auth/install/templates/app/controllers/manage/application_controller.rb

@@ -0,0 +1,3 @@
+class Manage::ApplicationController < ApplicationController
+  esp_load_and_authorize_resource
+end

data/lib/generators/esp_auth/install/templates/app/models/ability.rb

@@ -0,0 +1,41 @@
+class Ability
+  include CanCan::Ability
+
+  def initialize(user)
+    return unless user
+
+    ## common
+    can :manage, Context do | context |
+      user.manager_of? context
+    end
+
+    can :manage, Permission do | permission |
+      permission.context && user.manager_of?(permission.context)
+    end
+
+    can [:new, :create], Permission do | permission |
+      !permission.context && user.manager?
+    end
+
+    can [:search, :index], User do
+      user.manager?
+    end
+
+    can :manage, :application do
+      user.permissions.exists?
+    end
+
+    can :manage, :permissions do
+      user.manager?
+    end
+
+    ## app specific
+    can :manage, Subcontext do | subcontext |
+      user.manager_of? subcontext.context
+    end
+
+    can :manage, Subcontext do | subcontext |
+      user.manager_of? subcontext
+    end
+  end
+end

data/lib/generators/esp_auth/install/templates/app/models/context.rb

@@ -0,0 +1,27 @@
+class Context < ActiveRecord::Base
+
+  default_scope order('weight')
+
+  attr_accessible :id, :title, :ancestry, :weight, :parent
+
+  has_many :subcontexts
+  has_many :permissions, :as => :context
+
+
+  alias_attribute :to_s, :title
+
+  has_ancestry
+
+end
+# == Schema Information
+#
+# Table name: contexts
+#
+#  id         :integer         not null, primary key
+#  title      :string(255)
+#  ancestry   :string(255)
+#  weight     :string(255)
+#  created_at :datetime        not null
+#  updated_at :datetime        not null
+#
+

data/lib/generators/esp_auth/install/templates/app/models/permission.rb

@@ -0,0 +1,69 @@
+class Permission < ActiveRecord::Base
+  attr_accessor :user_search, :user_uid, :user_name, :user_email, :polimorphic_context
+
+  belongs_to :context, :polymorphic => true
+  belongs_to :user
+
+  scope :for_role, ->(role) { where(:role => role) }
+  scope :for_context_ancestors, ->(context, ids=context.ancestor_ids) do
+    where(:context_id => ids,
+          :context_type => (context.class.ancestors - context.class.included_modules).map(&:name))
+  end
+  scope :for_context, ->(context) { where(:context_id => context.id, :context_type => context.class) }
+
+  scope :for_context_and_ancestors, ->(context) do
+    if context.respond_to?(:ancestor_ids)
+      for_context_ancestors(context, context.ancestor_ids + [context.id])
+    else
+      for_context(context)
+    end
+  end
+
+  after_initialize :set_user, :if => :user_uid_present?
+  after_initialize :set_context, :if => :polimorphic_context_present?
+
+  after_create :user_index!
+  after_destroy :user_index!
+
+  validates_presence_of :polimorphic_context, :unless => :context
+
+  validates_presence_of :role, :user, :context
+
+  validates_presence_of :user_search, :unless => :user
+
+  validates_uniqueness_of :role, :scope => [:user_id, :context_id, :context_type]
+
+  has_enum :role
+
+
+  private
+
+    def set_user
+      self.user = User.find_or_initialize_by_uid(user_uid).tap do |user|
+        user.update_attributes :name => user_name, :email => user_email
+      end
+    end
+
+    def set_context
+      underscored_context_type, self.context_id = polimorphic_context.match(/(\w+)_(\d+)/)[1..2]
+      self.context_type = underscored_context_type.camelize
+    end
+
+    delegate :index!, :to => :user, :prefix => true
+    delegate :present?, :to => :polimorphic_context, :prefix => true
+    delegate :present?, :to => :user_uid, :prefix => true
+end
+
+# == Schema Information
+#
+# Table name: permissions
+#
+#  id           :integer         not null, primary key
+#  user_id      :integer
+#  context_id   :integer
+#  context_type :string(255)
+#  role         :string(255)
+#  created_at   :datetime        not null
+#  updated_at   :datetime        not null
+#
+

data/lib/generators/esp_auth/install/templates/app/models/subcontext.rb

@@ -0,0 +1,21 @@
+class Subcontext < ActiveRecord::Base
+  belongs_to :context
+  has_many :permissions, :as => :context
+
+  alias_attribute :to_s, :title
+
+  def depth
+    context.depth + 1
+  end
+end
+# == Schema Information
+#
+# Table name: subcontexts
+#
+#  id         :integer         not null, primary key
+#  title      :string(255)
+#  context_id :integer
+#  created_at :datetime        not null
+#  updated_at :datetime        not null
+#
+