etna 0.1.11

data/lib/etna/hmac.rb

@@ -0,0 +1,86 @@
+module Etna
+  class Hmac
+    # These are the items that need to be signed
+    SIGN_ITEMS=[ :method, :host, :path, :expiration, :nonce, :id, :headers ]
+    SIGN_ITEMS.each { |item| attr_reader item }
+
+    def initialize application, params
+      @application = application
+
+      @test_signature = params.delete(:test_signature)
+
+      SIGN_ITEMS.each do |item|
+        raise ArgumentError, "Hmac requires param #{item}" unless params[item]
+        instance_variable_set("@#{item}", params[item])
+      end
+
+      @id = @id.to_sym
+
+      raise ArgumentError, "Headers must be a Hash" unless @headers.is_a?(Hash)
+    end
+
+    # this returns arguments for URI::HTTP.build
+    def url_params
+      params = {
+        signature: signature,
+        expiration: @expiration,
+        nonce: @nonce,
+        id: @id.to_s,
+        headers: @headers.keys.join(','),
+      }.merge(@headers).map do |name, value|
+        [
+          "X-Etna-#{ name.to_s.split(/_/).map(&:capitalize).join('-') }",
+          value
+        ]
+      end.to_h
+
+      return {
+        host: @host,
+        path: @path,
+        query: URI.encode_www_form(params)
+      }
+    end
+
+    def valid?
+      valid_id? && valid_signature? && valid_timestamp?
+    end
+
+    def signature
+      @application.sign.hmac(text_to_sign, @application.config(:hmac_keys)[@id])
+    end
+
+    private
+
+    def valid_signature?
+      signature == @test_signature
+    end
+
+    def valid_timestamp?
+      DateTime.parse(@expiration) >= DateTime.now
+    end
+
+    def valid_id?
+      @application.config(:hmac_keys).key?(@id)
+    end
+
+    # This scheme is adapted from the Hawk spec
+    # (github:hueniverse/hawk) and the Acquia HTTP
+    # Hmac spec (github:acquia/http-hmac-spec)
+
+
+    def text_to_sign
+      [
+        # these come from the route
+        @method,
+        @host,
+        @path,
+
+        # these are set as headers or params
+        @nonce,
+        @id,
+        @headers.map{|l| l.join('=')}.join(';'),
+        @expiration,
+      ].join("\n")
+    end
+  end
+end

data/lib/etna/logger.rb

@@ -0,0 +1,29 @@
+require 'logger'
+
+module Etna
+  class Logger < ::Logger
+    def initialize(log_dev, age, size)
+      super
+
+      self.formatter = proc do |severity, datetime, progname, msg|
+        format(severity, datetime, progname, msg)
+      end
+    end
+
+    def format(severity, datetime, progname, msg)
+      "#{severity}:#{datetime.iso8601} #{msg}\n"
+    end
+
+    def log_error(e)
+      error(e.message)
+      e.backtrace.each do |trace|
+        error(trace)
+      end
+    end
+
+    def log_request(request)
+      request.env['etna.logger'] = self
+      request.env['etna.request_id'] = (rand*36**6).to_i.to_s(36)
+    end
+  end
+end

data/lib/etna/parse_body.rb

@@ -0,0 +1,41 @@
+module Etna
+  class ParseBody
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      params = env['rack.request.params'] || {}
+
+      case env['CONTENT_TYPE']
+      when %r{application/json}i
+        body = env['rack.input'].read
+        if body =~ %r/^\s*\{/
+          params.update(
+            JSON.parse(body)
+          )
+        end
+      when %r{application/x-www-form-urlencoded}i
+        params.update(
+          Rack::Utils.parse_nested_query(
+            env['rack.input'].read
+          )
+        )
+      when %r{multipart/form-data}i
+        params.update(
+          Rack::Multipart.parse_multipart(env)
+        )
+      end
+      # Always parse the params that are url-encoded.
+      params.update(
+        Rack::Utils.parse_nested_query(
+          env['QUERY_STRING'], '&'
+        )
+      )
+      env.update(
+        'rack.request.params' => params
+      )
+      @app.call(env)
+    end
+  end
+end

data/lib/etna/route.rb

@@ -0,0 +1,165 @@
+module Etna
+  class Route
+    attr_reader :name
+
+    def initialize(method, route, options, &block)
+      @method = method
+      @action = options[:action]
+      @auth = options[:auth]
+      @name = route_name(options)
+      @route = route.gsub(/\A(?=[^\/])/, '/')
+      @block = block
+    end
+
+    def to_hash
+      {
+        method: @method,
+        route: @route,
+        name: @name.to_s,
+        params: parts
+      }.compact
+    end
+
+    def matches?(request)
+      @method == request.request_method && request.path.match(route_regexp)
+    end
+
+    NAMED_PARAM=/:([\w]+)/
+    GLOB_PARAM=/\*([\w]+)$/
+
+    PARAM_TYPES=[ NAMED_PARAM, GLOB_PARAM ]
+
+    UNSAFE=/[^\-_.!~*'()a-zA-Z\d;\/?:@&=+$,]/
+
+    def self.path(route, params=nil)
+      if params
+        PARAM_TYPES.reduce(route) do |path,pat|
+          path.gsub(pat) do
+           URI.encode( params[$1.to_sym], UNSAFE)
+          end
+        end
+      else
+        route
+      end
+    end
+
+    def path(params=nil)
+      self.class.path(@route, params)
+    end
+
+    def parts
+      part_list = PARAM_TYPES.map do |pat|
+        "(?:#{pat.source})"
+      end
+      @route.scan(
+        /(?:#{part_list.join('|')})/
+      ).flatten.compact
+    end
+
+    def call(app, request)
+      update_params(request)
+
+      unless authorized?(request)
+        return [ 403, { 'Content-Type' => 'application/json' }, [ { error: 'You are forbidden from performing this action.' }.to_json ] ]
+      end
+
+      if @action
+        controller, action = @action.split('#')
+        controller_class = Kernel.const_get(
+          :"#{controller.camel_case}Controller"
+        )
+        logger = request.env['etna.logger']
+        user = request.env['etna.user']
+
+        params = request.env['rack.request.params'].map do |key,value|
+          value = value.to_s
+          value = value[0..500] + "..." + value[-100..-1] if value.length > 600
+          [ key, value ]
+        end.to_h
+
+        logger.warn("User #{user ? user.email : :unknown} calling #{controller}##{action} with params #{params}")
+        return controller_class.new(request, action).response
+      elsif @block
+        application = Etna::Application.find(app.class).class
+        controller_class = application.const_defined?(:Controller) ? application.const_get(:Controller) : Etna::Controller
+
+        controller_class.new(request).response(&@block)
+      end
+    end
+
+    # the route does not require authorization
+    def noauth?
+      @auth && @auth[:noauth]
+    end
+
+    private
+
+    def authorized?(request)
+      # If there is no @auth requirement, they are ok - this doesn't preclude
+      # them being rejected in the controller response
+      !@auth || @auth[:noauth] || (user_authorized?(request) && hmac_authorized?(request))
+    end
+
+    def user_authorized?(request)
+      # this is true if there are no user requirements
+      return true unless @auth[:user]
+
+      user = request.env['etna.user']
+
+      # if there is a user requirement, we must have a user
+      return false unless user
+
+      params = request.env['rack.request.params']
+
+      @auth[:user].all? do |constraint, param_name|
+        user.respond_to?(constraint) && user.send(constraint, params[param_name])
+      end
+    end
+
+    def hmac_authorized?(request)
+      # either there is no hmac requirement, or we have a valid hmac
+      !@auth[:hmac] || request.env['etna.hmac'].valid?
+    end
+
+    def route_name(options)
+      # use the given one if you can
+      return options[:as] if options[:as]
+
+      # otherwise formulate it from the action if possible
+      return options[:action].sub(/#/,'_').to_sym if options[:action]
+
+      # unnamed route
+      return nil
+    end
+
+    def update_params(request)
+      match = route_regexp.match(request.path)
+      request.env['rack.request.params'].update(
+        Hash[
+          match.names.map(&:to_sym).zip(
+            match.captures.map do |capture|
+              URI.decode(capture)
+            end
+          )
+        ]
+      )
+    end
+
+    def route_regexp
+      @route_regexp ||=
+        Regexp.new(
+          '\A' +
+          @route.
+            # any :params match separator-free strings
+            gsub(NAMED_PARAM, '(?<\1>[^\.\/\?]+)').
+            # any *params match arbitrary strings
+            gsub(GLOB_PARAM, '(?<\1>.+)').
+            # ignore any trailing slashes in the route
+            gsub(/\/\z/, '') +
+          # trailing slashes in the path can be ignored
+          '/?' +
+          '\z'
+        )
+    end
+  end
+end

data/lib/etna/server.rb

@@ -0,0 +1,84 @@
+# This class handles the http request and routing.
+module Etna
+  class Server
+    class << self
+      def route(method, path, options={}, &block)
+        @routes ||= []
+
+        @routes << Etna::Route.new(
+          method,
+          path,
+          (@default_options || {}).merge(options),
+          &block
+        )
+      end
+
+      def find_route(request)
+        @routes.find do |route|
+          route.matches? request
+        end
+      end
+
+      def with(options={}, &block)
+        @default_options = options
+        instance_eval(&block)
+        @default_options = nil
+      end
+
+      def get(path, options={}, &block)
+        route('GET', path, options, &block)
+      end
+
+      def post(path, options={}, &block)
+        route('POST', path, options, &block)
+      end
+
+      def put(path, options={}, &block)
+        route('PUT', path, options, &block)
+      end
+
+      def delete(path, options={}, &block)
+        route('DELETE', path, options, &block)
+      end
+
+      def route_path(request,name,params={})
+        route = routes.find do |route|
+          route.name.to_s == name.to_s
+        end
+        return route ? route.path(params) : nil
+      end
+
+      attr_reader :routes
+    end
+
+    def call(env)
+      request = Rack::Request.new(env)
+
+      request.env['etna.server'] = self
+
+      application.logger.log_request(request)
+
+      route = self.class.find_route(request)
+
+      if route
+        @params = request.env['rack.request.params']
+        return route.call(self, request)
+      end
+
+      [404, {}, ["There is no such path '#{request.path}'"]]
+    end
+
+    def initialize
+      # Setup logging.
+      application.setup_logger
+    end
+
+    private
+
+    # The base application class is a singleton independent of this rack server,
+    # holding e.g. configuration.
+    def application
+      @application ||= Etna::Application.instance
+    end
+  end
+end

data/lib/etna/sign_service.rb

@@ -0,0 +1,67 @@
+# General signing/hashing utilities.
+require 'jwt'
+require 'securerandom'
+
+module Etna
+  class SignService
+    def initialize(application)
+      @application = application
+    end
+
+    def hash_password(password)
+      signature(
+        [ password, @application.config(:pass_salt) ],
+        @application.config(:pass_algo)
+      )
+    end
+
+    def hmac(message, key)
+      OpenSSL::HMAC.hexdigest(
+        'SHA256',
+        key,
+        message
+      )
+    end
+
+    def jwt_token(payload)
+      return JWT.encode(
+        payload,
+        private_key,
+        @application.config(:token_algo)
+      )
+    end
+
+    def uid(size=nil)
+      SecureRandom.hex(size)
+    end
+
+    def jwt_decode(token)
+      return JWT.decode(
+        token,
+        public_key,
+        true,
+        algorithm: @application.config(:token_algo)
+      )
+    end
+
+    def private_key
+      @private_key ||= OpenSSL::PKey::RSA.new(@application.config(:rsa_private))
+    end
+
+    def public_key
+      @public_key ||= OpenSSL::PKey::RSA.new(@application.config(:rsa_public))
+    end
+
+    def generate_private_key(key_size)
+      OpenSSL::PKey::RSA.generate(key_size)
+    end
+
+    private
+
+    def signature(params, algo)
+      algo = algo.upcase.to_sym
+      raise "Unknown signature algorithm!" unless [ :MD5, :SHA256 ].include?(algo)
+      Digest.const_get(algo).hexdigest(params.join)
+    end
+  end
+end

data/lib/etna/spec/auth.rb

@@ -0,0 +1,28 @@
+module Etna::Spec
+  module Auth
+    AUTH_USERS = {
+      superuser: {
+        email: 'zeus@olympus.org', first: 'Zeus', perm: 'A:administration'
+      },
+      admin: {
+        email: 'hera@olympus.org', first: 'Hera', perm: 'a:labors'
+      },
+      editor: {
+        email: 'eurystheus@twelve-labors.org', first: 'Eurystheus', perm: 'E:labors'
+      },
+      restricted_editor: {
+        email: 'copreus@twelve-labors.org', first: 'Copreus', perm: 'e:labors'
+      },
+      viewer: {
+        email: 'hercules@twelve-labors.org', first: 'Hercules', perm: 'v:labors'
+      },
+      non_user: {
+        email: 'nessus@centaurs.org', first: 'Nessus', perm: ''
+      }
+    }
+
+    def auth_header(user_type)
+      header(*Etna::TestAuth.token_header(AUTH_USERS[user_type]))
+    end
+  end
+end

data/lib/etna/spec.rb

@@ -0,0 +1 @@
+require_relative 'spec/auth'

data/lib/etna/symbolize_params.rb

@@ -0,0 +1,30 @@
+module Etna
+  class SymbolizeParams
+    def initialize(server)
+      @server = server
+    end
+
+    def call(env)
+      env['rack.request.params'] = symbolize(env['rack.request.params']) || {}
+
+      @server.call(env)
+    end
+
+    private
+
+    def symbolize(obj)
+      if obj.is_a?(Hash)
+        return obj.reduce({}) do |memo,(k,v)|
+          memo[k.to_sym] =  symbolize(v)
+          memo 
+        end
+      elsif obj.is_a?(Array)
+        return obj.reduce([]) do |memo,v|
+          memo << symbolize(v)
+          memo
+        end
+      end
+      obj
+    end
+  end
+end

data/lib/etna/test_auth.rb

@@ -0,0 +1,80 @@
+require_relative 'user'
+
+# This is an authentication layer you can use in testing. It will make an
+# Etna::User as usual that your controller can respond to; you can pass
+# permissions for this user directly in the Authorization header
+module Etna
+  class TestAuth < Auth
+    def self.token_header(params)
+      token = Base64.strict_encode64(params.to_json)
+      return [ 'Authorization', "Etna #{token}" ]
+    end
+
+    def self.token_param(params)
+      token = Base64.strict_encode64(params.to_json)
+      return [ Etna::Auth.etna_url_param(:authorization).to_s, "Etna #{token}" ]
+    end
+
+    def self.hmac_header(signature)
+      return [ Etna::Auth.etna_url_param(:signature).to_s, signature ]
+    end
+
+    def self.hmac_params(params)
+      return {
+        expiration: params.delete(:expiration) || DateTime.now.iso8601,
+        id: params.delete(:id) || 'etna',
+        nonce: 'nonce',
+        signature: params.delete(:signature) || 'invalid',
+        headers: params.keys.join(',')
+      }.merge(params).map do |item, value|
+        [ Etna::Auth.etna_url_param(item).to_s, value ]
+      end.to_h
+    end
+
+    def approve_user(request)
+      token = auth(request,:etna)
+
+      return false unless token
+
+      # here we simply base64-encode our user hash and pass it through
+      payload = JSON.parse(Base64.decode64(token))
+
+      request.env['etna.user'] = Etna::User.new(payload.map{|k,v| [k.to_sym, v]}.to_h, token)
+    end
+
+    def approve_hmac(request)
+      hmac_signature = etna_param(request, :signature) || 'invalid'
+
+      headers = (etna_param(request, :headers)&.split(/,/) || []).map do |header|
+        [ header.to_sym, etna_param(request, header) ]
+      end.to_h
+
+      hmac_params = {
+        method: request.request_method,
+        host: request.host,
+        path: request.path,
+
+        expiration: etna_param(request, :expiration) || DateTime.now.iso8601,
+        id: etna_param(request, :id) || 'etna',
+        nonce: etna_param(request, :nonce) || 'nonce',
+        headers: headers,
+        test_signature: hmac_signature
+      }
+
+      hmac = Etna::TestHmac.new(application, hmac_params)
+
+      request.env['etna.hmac'] = hmac
+
+      return nil unless hmac.valid?
+
+      params(request).update(headers)
+
+      return true
+    end
+  end
+  class TestHmac < Hmac
+    def valid?
+      @test_signature == 'valid'
+    end
+  end
+end

data/lib/etna/user.rb

@@ -0,0 +1,79 @@
+module Etna
+  class User
+    ROLE_NAMES = {
+      'A' => :admin,
+      'E' => :editor,
+      'V' => :viewer
+    }
+
+    def initialize params, token=nil
+      @first, @last, @email, @encoded_permissions = params.values_at(:first, :last, :email, :perm)
+      @token = token unless !token
+      raise ArgumentError, "No email given!" unless @email
+    end
+
+    attr_reader :first, :last, :email, :token
+
+    def permissions
+      @permissions ||= @encoded_permissions.split(/\;/).map do |roles|
+        role, projects = roles.split(/:/)
+
+        projects.split(/\,/).reduce([]) do |perms,project_name|
+          perms.push([
+            project_name,
+            {
+              role: ROLE_NAMES[role.upcase],
+              restricted: role == role.upcase
+            }
+          ])
+        end
+      end.inject([],:+).to_h
+    end
+
+    def name
+      "#{first} #{last}"
+    end
+
+    def projects
+      permissions.keys
+    end
+
+    ROLE_MATCH = {
+      admin: /[Aa]/,
+      editor: /[Ee]/,
+      viewer: /[Vv]/,
+      restricted: /[AEV]/,
+    }
+    def has_roles(project, *roles)
+      perm = permissions[project.to_s]
+
+      return false unless perm
+
+      return roles.map(&:to_sym).include?(perm[:role])
+    end
+
+    def is_superuser? project=nil
+      has_roles(:administration, :admin)
+    end
+
+    def can_edit? project
+      is_superuser? || has_roles(project, :admin, :editor)
+    end
+
+    def can_view? project
+      is_superuser? || has_roles(project, :admin, :editor, :viewer)
+    end
+
+    # superusers - administrators of the Administration group - cannot
+    # automatically see restricted data, they should be granted
+    # project-specific access.
+    def can_see_restricted? project
+      perm = permissions[project.to_s]
+      perm && perm[:restricted]
+    end
+
+    def is_admin? project
+      is_superuser? || has_roles(project, :admin)
+    end
+  end
+end