ey_gatekeeper 0.1.34

data/lib/ey_gatekeeper/access_control_list.rb

@@ -0,0 +1,133 @@
+require 'uri'
+require 'cgi'
+
+module EY
+  module GateKeeper
+
+    # An individual control, probably within a list.
+    # Example: AccessControl.new('xdna://foobars', ['GET', 'PUT', 'DELETE'])
+    class AccessControl
+      attr_reader :path, :methods
+
+      def initialize(path, *methods)
+        @path, @methods = path, methods.flatten.map {|m| m.to_s.upcase }
+      end
+
+      def allow?(method)
+        methods.include?(method.to_s.upcase)
+      end
+
+      def suitable_for?(test_path)
+        test_path     = URI.escape(URI.unescape(test_path))
+        test_path_uri = URI.parse(test_path)
+
+        matches?(test_path_uri) && parameters_satisfied?(test_path_uri)
+      end
+
+      def matches?(test_path_uri)
+        path_without_parameters == 'xdna://' ||
+          "xdna:/#{test_path_uri.path}".match(%r{^#{path_without_parameters}(\/|$)})
+      end
+
+      def parameters_satisfied?(test_path_uri)
+        (required_parameters - CGI.parse(test_path_uri.query || '').keys).empty?
+      end
+
+      def required_parameters
+        @required_parameters ||= CGI.parse(query || '').keys
+      end
+
+      # can't use URI for these right now since it barfs on _ in the
+      # hostname portion
+      def path_without_parameters
+        path.split('?').first
+      end
+
+      def query
+        path.split('?', 2)[1]
+      end
+
+      # Intersect 2 acccess controls
+      def &(other_control)
+        AccessControl.new(path, other_control.methods & methods)
+      end
+    end
+
+    # A list of AccessControl objects. Can check a request method and path against all controls in the list.
+    # Example: AccessControlList.new({ 'xdna://foobars' => ['GET', 'PUT', 'DELETE'], 'xdna://foobazes' => [] })
+    class AccessControlList
+      attr_reader :list
+
+      def initialize(list)
+        @list = case list
+                  when Hash
+                    list.map {|path, methods| AccessControl.new(path, methods) }
+                  when Array
+                    list
+                  end
+      end
+
+      def allow?(method, path)
+        control = control_for(path)
+        control && control.allow?(method.to_s.upcase)
+      end
+
+      def deny?(method, path)
+        !allow?(method, path)
+      end
+
+      def control_for(path)
+        matches = list.find_all {|c| c.suitable_for?(path) }
+        matches.sort_by {|c| c.path.size }.last
+      end
+
+      def paths
+        list.map {|c| c.path }
+      end
+
+      def [](path)
+        list.detect {|c| c.path == path }
+      end
+
+      # Intersect the two lists
+      def &(other_list)
+        new_list = (paths + other_list.paths).uniq.map do |path|
+          if self[path] && other_list[path]
+            # If both lists have the path, do a simple control AND
+            self[path] & other_list[path]
+          elsif self[path]
+            # If only one side has the path, see if there's a less specific control we can AND with
+            pare_down(self[path], other_list)
+          elsif other_list[path]
+            # Same for here, just opposite
+            pare_down(other_list[path], self)
+          end
+        end.compact
+
+        AccessControlList.new(new_list)
+      end
+
+      def to_hash
+        {}.tap do |result|
+          list.each do |control|
+            result.update(control.path => control.methods)
+          end
+        end
+      end
+
+      private
+
+      def pare_down(target, possibilities)
+        # Find a less specific control with the longest path
+        # starting with target.path. We can then use that control for
+        # performing an AND. This covers the xdna:// vs. xdna://foos
+        # case.
+        most_specific_less_specific_control = possibilities.list.
+          find_all {|p| p.path == 'xdna://' || target.path =~ %r{^#{p.path}(\/|$)} }.sort_by {|p| p.path.size }.last
+        return unless most_specific_less_specific_control
+
+        target & most_specific_less_specific_control
+      end
+    end
+  end
+end

data/lib/ey_gatekeeper/client/consumer.rb

@@ -0,0 +1,63 @@
+module EY
+  module GateKeeper
+    module Client
+      class Consumer < Rack::Client::Simple
+        attr_accessor :token, :key, :secret, :impersonation_token
+
+        def initialize(key, secret, options = {})
+          @key = key
+          @secret = secret
+          @endpoint = options[:endpoint]
+          @token = nil
+
+          if @endpoint
+            super(build_app(options), @endpoint)
+          else
+            super(build_app(options))
+          end
+        end
+
+        def token
+          get('/cloudkit-meta')
+          @token
+        end
+
+        def impersonate!(impersonation_token)
+          @impersonation_token = case impersonation_token
+                                   when EY::GateKeeper::Token
+                                     impersonation_token.token
+                                   when String, NilClass
+                                     impersonation_token
+                                   end
+        end
+
+        def just_me!
+          impersonate!(nil)
+        end
+
+        def effective_access_controls
+          response = get('/_effective_access_controls')
+          if response.status == 200 && response.content_type == 'application/json'
+            JSON.parse(response.body) # rack-client collapses the body for us
+          else
+            {}
+          end
+        end
+
+        def build_app(options)
+          inner_app = options.fetch(:app, Rack::Client::Handler::NetHTTP.new)
+          token_setter = method(:token=)
+          key_method = method(:key)
+          secret_method = method(:secret)
+          impersonation_token_method = method(:impersonation_token)
+
+          Rack::Builder.app do |builder|
+            builder.use EY::GateKeeper::Client::Middleware::Authentication, key_method, secret_method, token_setter, impersonation_token_method
+            builder.run inner_app
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/ey_gatekeeper/client/middlewares/authentication.rb

@@ -0,0 +1,77 @@
+module EY
+  module GateKeeper
+    module Client
+      module Middleware
+        class Authentication
+
+          def initialize(app, key_callback, secret_callback, token_setter, impersonation_token_callback)
+            @app, @key_callback, @secret_callback, @token_setter, @impersonation_token_callback =
+              app, key_callback, secret_callback, token_setter, impersonation_token_callback
+          end
+
+          def need_token?
+            @token.nil? || @token.expired?
+          end
+
+          def add_token_to(env)
+            if @token
+              env.update('HTTP_AUTH_TOKEN' => @token.token)
+            end
+          end
+
+          def add_impersonation_token_to(env)
+            impersonation_token = @impersonation_token_callback.call
+            if impersonation_token
+              env.update('HTTP_X_IMPERSONATION_TOKEN' => impersonation_token)
+            end
+          end
+
+          def call(env)
+            if need_token?
+              get_token(env.dup)
+            end
+
+            add_token_to(env)
+            add_impersonation_token_to(env)
+
+            app_response = EY::GateKeeper::Client::ServerResponse.new(@app.call(env))
+            return app_response unless @token
+
+            if app_response.needs_gatekeeper_token_refresh?
+              get_token(env.dup)
+              add_token_to(env)
+              app_response = EY::GateKeeper::Client::ServerResponse.new(@app.call(env))
+            end
+
+            app_response.to_rack
+          end
+
+          def get_token(env)
+            if auth_response = authenticate(env)
+              @token = EY::GateKeeper::Token.new(auth_response)
+            else
+              @token = nil
+            end
+            @token_setter.call(@token) if @token_setter
+          end
+
+          def authenticate(env)
+            key = @key_callback.call
+            secret = @secret_callback.call
+
+            env.update('HTTP_AUTHORIZATION' => ["#{key}:#{secret}"].pack("m*").gsub("\n", ""))
+            env.update('REQUEST_PATH' => '/_authenticate')
+            env.update('PATH_INFO' => '/_authenticate')
+
+            auth_response = EY::GateKeeper::Client::ServerResponse.new(@app.call(env))
+
+            if auth_response.status == 200
+              JSON.parse(auth_response.body.join)
+            end
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/ey_gatekeeper/client/middlewares/service_token_authentication.rb

@@ -0,0 +1,39 @@
+module EY
+  module GateKeeper
+    module Client
+      module Middleware
+        # This middleware is for use by service clients.
+        #
+        # Given the service client's app to run along with a
+        # gatekeeper endpoint, key, and secret it will contact the
+        # gatekeeper and retrieve a token. The token will then be
+        # passed as part of the request in the `Auth-Token` header.
+        # @param app The service client's Rack::Client application (passed automatically when this middleware is `use`d
+        # @param [String] gatekeeper_endpoint URL of the gatekeeper to fetch the token from
+        # @param [String] xdna_key Xdna key to authenticate against the gatekeeper with
+        # @param [String] xdna_secret Xdna secret to authenticate against the gatekeeper with
+        class ServiceTokenAuthentication
+
+          def initialize(app, gatekeeper_endpoint, xdna_key, xdna_secret)
+            @app, @gatekeeper_endpoint, @xdna_key, @xdna_secret =
+              app, gatekeeper_endpoint, xdna_key, xdna_secret
+          end
+
+          def call(env)
+            env.merge!('HTTP_AUTH_TOKEN' => current_token.token)
+            @app.call(env)
+          end
+
+          def gatekeeper_client
+            @gatekeeper_client ||= EY::GateKeeper.new(@xdna_key, @xdna_secret, :endpoint => @gatekeeper_endpoint)
+          end
+
+          def current_token
+            gatekeeper_client.token
+          end
+
+        end
+      end
+    end
+  end
+end

data/lib/ey_gatekeeper/client/server_response.rb

@@ -0,0 +1,37 @@
+module EY
+  module GateKeeper
+    module Client
+      class ServerResponse < Rack::Response
+
+        def initialize(response)
+          status, headers, body = response
+          super(body, status, headers)
+        end
+
+        def unauthorized?
+          status == 401
+        end
+
+        def is_gatekeeper_unauthorized?
+          (unauthorized? && headers['X-Gatekeeper-Authentication-Error']) ? true : false
+        end
+
+        def indicates_any_auth_error?(*messages)
+          if auth_error_header = headers['X-Gatekeeper-Authentication-Error']
+            messages.map { |message| EY::GateKeeper::Responses.string(message) }.include?(auth_error_header)
+          else
+            false
+          end
+        end
+
+        def needs_gatekeeper_token_refresh?
+          is_gatekeeper_unauthorized? && indicates_any_auth_error?(:expired_token, :expired_impersonation_token)
+        end
+
+        def to_rack
+          [status, headers, body]
+        end
+      end
+    end
+  end
+end

data/lib/ey_gatekeeper/client.rb

@@ -0,0 +1,44 @@
+require 'rack/client'
+
+module EY
+  module GateKeeper
+    module Client
+
+      def self.master_key
+        '77zxcvbnm77'
+      end
+
+      def self.master_secret
+        '77zxcvbnm77'
+      end
+
+      def self.master_user
+        'xcloud'
+      end
+
+      def self.new(*a)
+        EY::GateKeeper::Client::Consumer.new(*a)
+      end
+
+      def self.mock(key = self.master_key, secret = self.master_secret, options = {})
+        mock_options = {
+          :endpoint => 'http://gatekeeper.local/',
+          :app      => mock_app(master_key, master_secret, master_user)
+        }
+
+        new(key, secret, mock_options.merge(options))
+      end
+
+      def self.mock_app(master_key = self.master_key, master_secret = self.master_secret, master_user = self.master_user)
+        Rack::Builder.app do |builder|
+          builder.run EY::GateKeeper::Server.app(:master_key => master_key, :master_secret => master_secret, :master_user => master_user)
+        end
+      end
+    end
+  end
+end
+
+require 'ey_gatekeeper/client/middlewares/authentication'
+require 'ey_gatekeeper/client/middlewares/service_token_authentication'
+require 'ey_gatekeeper/client/server_response'
+require 'ey_gatekeeper/client/consumer'

data/lib/ey_gatekeeper/responses.rb

@@ -0,0 +1,67 @@
+module EY
+  module GateKeeper
+    module Responses
+
+      #The canned responses
+      CANNED_RESPONSES = {
+        :unable_to_create_token           => 'unable to create token',
+        :invalid_authentication           => 'invalid authentication info',
+        :no_authentication                => 'no authentication info',
+        :no_token                         => 'no token specified',
+        :invalid_token                    => 'invalid token specified',
+        :expired_token                    => 'expired token specified',
+        :token_insufficient               => 'token has insufficient access',
+        :invalid_impersonation_token      => 'invalid impersonation token specified',
+        :expired_impersonation_token      => 'expired impersonation token specified',
+        :impersonation_token_insufficient => 'impersonation token has insufficient access'
+      }.freeze
+
+      #Get the response string via symbol
+      def self.string(lookup = nil)
+        CANNED_RESPONSES.fetch(lookup,'')
+      end
+
+      #A list of possible response symbols
+      def self.possible_responses
+        CANNED_RESPONSES.keys
+      end
+
+
+      #Standard Unauthorized rsponse. Just add message
+      # @param [String] message the messsage to add into the response
+      #
+      # @return [Array] a standard Rack 3 member array response. The Headers contain the message provided
+      def unauthorized_response(message)
+        [
+          401,
+         {
+           'Content-Type' => 'text/plain',
+           'Content-Length' => '0',
+           'X-Gatekeeper-Authentication-Error' => message.is_a?(Symbol) ? EY::GateKeeper::Responses.string(message) : message.to_s
+         },
+         []
+        ]
+      end
+
+      #Standard token response
+      # @param [Hash] token the hash of the token data
+      # The response body is a json encoded hash and contains the token (keyed as 'token') and it's expiration (keyed as 'expires')
+      #
+      # @return [Array] a standard Rack 3 member array response
+      def token_response(token)
+        response = {
+          'token' => token['uri'].split("/")[2],
+          'expires' => token['expires']
+         }.to_json
+        [
+          200,
+          {
+            'Content-Type' => 'application/json',
+            'Content-Length' => response.length.to_s,
+          },
+          [response]
+        ]
+      end
+    end
+  end
+end

data/lib/ey_gatekeeper/token.rb

@@ -0,0 +1,29 @@
+module EY
+  module GateKeeper
+    class Token
+
+      attr_reader :token_data
+
+      def initialize(token_data)
+        @token_data = token_data
+      end
+
+      def expired?
+        if @token_data['expires']
+          Time.now.utc.to_i >= @token_data['expires'].to_i
+        else
+          true
+        end
+      end
+
+      def token
+        @token_data['token']
+      end
+
+      def to_s
+        token
+      end
+
+    end
+  end
+end

data/lib/ey_gatekeeper/util.rb

@@ -0,0 +1,23 @@
+module EY
+  module GateKeeper
+    module Util
+
+      if ENV['DEBUG_GATEKEEPER']
+        def debug(message)
+          puts message
+        end
+      else
+        def debug(message); end
+      end
+
+      def random_sha
+        Digest::SHA256.hexdigest((1..1000).map { |i| rand.to_s }.join)
+      end
+
+      def root_or_meta?(env)
+        env['PATH_INFO'] == '/' || env['PATH_INFO'] == '/cloudkit-meta'
+      end
+
+    end
+  end
+end

data/lib/ey_gatekeeper/version.rb

@@ -0,0 +1,5 @@
+module EY
+  module GateKeeper
+    VERSION = '0.1.34'
+  end
+end

data/lib/ey_gatekeeper.rb

@@ -0,0 +1,54 @@
+module EY
+  module GateKeeper
+    def self.new(*a)
+      if mocking?
+        EY::GateKeeper::Client.mock(*a)
+      else
+        EY::GateKeeper::Client.new(*a)
+      end
+    end
+
+    def self.mock!
+      @mocking = true
+
+      require 'ey_gatekeeper/server'
+      EY::GateKeeper::Server.mock!
+    end
+
+    def self.mocking?
+      @mocking
+    end
+
+    def self.needs_reset?
+      !!@needs_reset
+    end
+
+    def self.was_reset!
+      @needs_reset = false
+    end
+
+    def self.reset!(config = default_mongodb)
+      if mocking?
+        CloudKit.setup_storage_adapter(CloudKit::MemoryTable.new)
+        EY::GateKeeper::AuthStore.setup_master_credentials('77zxcvbnm77','77zxcvbnm77')
+      else
+        raise "Don't use reset! when not mocking"
+      end
+    end
+
+    def self.default_mongodb
+      {
+        :hosts => [["localhost", 27017]],
+        :safe_write_options => {
+          :fsync => false
+        }
+      }
+    end
+  end
+end
+
+require 'ey_gatekeeper/util'
+require 'ey_gatekeeper/responses'
+require 'ey_gatekeeper/token'
+require 'ey_gatekeeper/version'
+require 'ey_gatekeeper/client'