fortifier 0.1.4

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: b6ed6a9fcd00d6437c0c38ce81f6f96efcbfbf7c
+  data.tar.gz: f60fd7efc29b5417730fa253689a86ca4b621156
+SHA512:
+  metadata.gz: 8c1b60d42998963ee270b24a23f984c04cddc7ea73ee339f76b591e8ccc6ca77bc80a53b347effe550a5591dc7cf29dd909ee7880d758aa13512920efca40c84
+  data.tar.gz: 47f5af0a072b921c33fbd5aba58894d40f17c8a7f4ff3798aadb33baebb92e3827c9267574885d81878904e68114ffd1c3acd5071457ffe162204f497a4b1914

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2013 YOURNAME
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,3 @@
+= Fortifier
+
+This project rocks and uses MIT-LICENSE.

data/Rakefile

@@ -0,0 +1,29 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'Fortifier'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+
+
+Bundler::GemHelper.install_tasks
+

data/app/controllers/fortifier/application_controller.rb

@@ -0,0 +1,17 @@
+module Fortifier
+  class ApplicationController < ActionController::Base
+
+    before_action :restrict_access
+
+    private
+
+    def restrict_access
+      authenticate_or_request_with_http_token do | token, options |
+        # TODO: (DS) Need to have an API_KEY constant defined at
+        # deploy time.
+        defined?(API_KEY) ? token == API_KEY : false
+      end
+    end
+
+  end
+end

data/app/controllers/fortifier/auth_users_controller.rb

@@ -0,0 +1,107 @@
+require_dependency "fortifier/application_controller"
+
+module Fortifier
+  APP_ID_ABAQIS = 'abaqis'
+  APP_ID_EMP_SAT = 'employee_satisfaction'
+
+  class AuthUsersController < Fortifier::ApplicationController
+    respond_to :json
+
+    def authenticate
+      results = api.authenticate(params["login"], 
+                                 params["password"], 
+                                 request.env["HTTP_USER_AGENT"], 
+                                 request.ip)
+
+      render json: results
+    end
+
+    def authenticate_uuid
+      results = api.authenticate_uuid(params["uuid"], 
+                                      params["password"], 
+                                      request.env["HTTP_USER_AGENT"], 
+                                      request.ip)
+
+      render json: results
+    end
+
+    def authenticate_batch_sso
+      results = api.authenticate_batch_sso(params["account-id"], 
+                                           params["user-token"], 
+                                           request.env["HTTP_USER_AGENT"], 
+                                           request.ip)
+
+      render json: results
+    end
+
+    def authenticate_on_demand_sso
+      results = api.authenticate_on_demand_sso(params["password"], 
+                                               request.env["HTTP_USER_AGENT"], 
+                                               request.ip)
+
+      render json: results
+    end
+
+    def validate
+      render json: api.validate(params[:auth_user])
+    end
+
+    def batch_update
+      render json: api.batch_update(params['user_info'])
+    end
+
+    def create
+      render json: api.create(params[:auth_user])
+    end
+
+    def update
+      render json: api.update(params[:auth_user])
+    end
+
+    def change_password
+      render json: api.change_password(params[:auth_user])
+    end
+
+    def reset_password
+      render json: api.reset_password(params[:auth_user])
+    end
+
+    def create_password_reset_token
+      render json: api.create_password_reset_token(params[:email])
+    end
+
+    def link
+      render json: api.link(params[:auth_user])
+    end
+
+    def unlink
+      render json: api.unlink(params[:auth_user])
+    end
+
+    def find_auth_user
+      render json: api.find_auth_user(params[:auth_user].keys.first, params[:auth_user].values.first)
+    end
+
+    def find_auth_user_emails
+      render json: api.find_auth_user_emails(params[:uuids])
+    end
+
+    def search_for_auth_users
+      render json: api.search_for_auth_users(safe_params)
+    end
+
+    def auth_users_by_uuids
+      render json: api.auth_users_by_uuids(params[:uuids])
+    end
+
+    private
+
+    def api
+      @api ||= AuthUserApi.new
+    end
+
+    def safe_params
+      params.permit(:search,:sortcol,:sortdir,:per_page,:page,:app_uuid,:account_uuid)
+    end
+  end
+end

data/app/helpers/fortifier/application_helper.rb

@@ -0,0 +1,4 @@
+module Fortifier
+  module ApplicationHelper
+  end
+end

data/app/helpers/fortifier/auth_users_helper.rb

@@ -0,0 +1,4 @@
+module Fortifier
+  module AuthUsersHelper
+  end
+end

data/app/helpers/fortifier/date_helper.rb

@@ -0,0 +1,46 @@
+module Fortifier
+  module DateHelper
+
+    # Produces -> 5/21/2007
+    def american_date(date)
+      return nil if date.nil?
+      (date.is_a?(Date) || date.is_a?(Time)) ? (date.is_a?(Time) ? date.in_time_zone(DISPLAY_TIME_ZONE).strftime("%-m/%-d/%Y") : date.strftime("%-m/%-d/%Y")) : date
+    end
+
+    #Produces -> 2013-05-21
+    def euro_date(date)
+      return nil if date.nil?
+      (date.is_a?(Date) || date.is_a?(Time)) ? (date.is_a?(Time) ? date.in_time_zone(DISPLAY_TIME_ZONE).strftime("%Y-%m-%d") : date.strftime("%Y-%m-%d")) : date
+    end
+
+    # Produces -> 5/21/09
+    def short_date(date)
+      return nil if date.nil?
+      (date.is_a?(Date) || date.is_a?(Time)) ? (date.is_a?(Time) ? date.in_time_zone(DISPLAY_TIME_ZONE).strftime("%-m/%-d/%y") : date.strftime("%-m/%-d/%y")) : date
+    end
+
+    def format_date_long(date)
+      # format example: "July 29, 2013"
+      return nil if date.nil?
+      (date.is_a?(Date) || date.is_a?(Time)) ? (date.is_a?(Time) ? date.in_time_zone(DISPLAY_TIME_ZONE).strftime("%B %d, %Y") : date.strftime("%B %d, %Y")) : date
+    end
+
+    def format_time_12hr(time)
+      # format example: "4:41pm"
+      return nil if time.nil?
+      (time.is_a?(DateTime) || time.is_a?(Time)) ? time.in_time_zone(DISPLAY_TIME_ZONE).strftime("%l:%M%P").gsub(' ','') : time
+    end
+
+    def american_date_time(date)
+      return nil if date.nil?
+      (date.is_a?(Date) || date.is_a?(Time)) ? (date.is_a?(Time) ? date.in_time_zone(DISPLAY_TIME_ZONE).strftime("%-m/%-d/%Y %H:%M:%S") : date.strftime("%-m/%-d/%Y %H:%M:%S")) : date
+    end
+
+    # Produces => Mar 10,2010
+    def short_month_date(date)
+      return nil if date.nil?
+      (date.is_a?(Date) || date.is_a?(Time)) ? (date.is_a?(Time) ? date.in_time_zone(DISPLAY_TIME_ZONE).strftime("%b %-d, %Y") : date.strftime("%b %-d, %Y")) : date
+    end
+
+  end
+end

data/app/helpers/fortifier/passwords_helper.rb

@@ -0,0 +1,4 @@
+module Fortifier
+  module PasswordsHelper
+  end
+end

data/app/mailers/fortifier/notifier_mailer.rb

@@ -0,0 +1,66 @@
+module Fortifier
+  class NotifierMailer < ActionMailer::Base
+    add_template_helper(DateHelper)
+    
+    default :from => "abaqis@providigm.com"
+
+    def foreign_access(auth_user, auth_log)
+      @auth_user = auth_user
+      @auth_log = auth_log
+      mail(
+        :to => "software.admin@providigm.com",
+        :subject => "Foreign IP access attempt on: #{host_uri}")
+    end
+
+    def password_expiration(password_model, email)
+      @pw_expiration_date = password_model.expiration_date
+      mail(
+        :to => Rails.env.development? ? $system_mail_recipients : email,
+        :subject => "Password Expiration")
+    end
+    
+    def exception_notification(controller,request,exception)
+      @request = request
+      @controller = controller
+      @exception = exception
+      mail(
+        :to => "software.admin@providigm.com",
+        :from => "abaqis.dev@nursinghomequality.com",
+        :subject => "Error discovered in: #{@request.env["HTTP_HOST"]}")
+    end
+    
+    def task_exception(exception)
+      @exception = exception
+      mail(
+        :to => "software.admin@providigm.com",
+        :from => "abaqis.dev@nursinghomequality.com",
+        :subject => "Error discovered in: #{host_uri}")
+    end
+
+    def account_ip_blocked(auth_user, remote_addr, account)
+      @auth_user = auth_user
+      @remote_addr = remote_addr
+      @account = account #hash
+      mail(
+        :to => Rails.env.development? ? $system_mail_recipients : account[:email],
+        :subject => "IP block")
+    end
+
+    def account_ip_blocked_providigm(auth_user, remote_addr, account)
+      @auth_user = auth_user
+      @remote_addr = remote_addr
+      @account = account #hash
+      recipients = $system_mail_recipients + %w(csrs@providigm.com)
+      mail(
+        :to =>  Rails.env.development? ? $system_mail_recipients : recipients,
+        :subject => "IP block - #{account[:organization] || account[:name]} - #{remote_addr}")
+    end
+
+    private
+
+    def host_uri
+      defined?(HOST_URI) ? HOST_URI : 'local.abaqis.com'
+    end
+
+  end
+end

data/app/models/fortifier/auth_log.rb

@@ -0,0 +1,18 @@
+module Fortifier
+  class AuthLog < ActiveRecord::Base
+  	BLOCK_COUNT = 20 # an ip is actually blocked at 21 failed attempts
+
+  	belongs_to :auth_user
+
+  	def self.block_ip?(remote_addr)
+      # TODO: (DK) remove when no longer needed as reference:
+    	# subselect = "SELECT status FROM fortifier_auth_logs WHERE remote_addr = '#{remote_addr}'
+    	# 						 AND created_at > '#{Time.now.utc - 10.minutes}' ORDER BY id desc LIMIT #{BLOCK_COUNT}"
+    	# count = self.count_by_sql("select count(*) from (#{subselect}) subsel where subsel.status = 0")
+			BLOCK_COUNT == Fortifier::AuthLog.where(remote_addr: remote_addr, status: 0)
+                                        .where('created_at > ?', Time.now.utc-10.minutes)
+                                        .limit(BLOCK_COUNT)
+                                        .count
+  	end
+  end
+end

data/app/models/fortifier/auth_rule.rb

@@ -0,0 +1,11 @@
+module Fortifier
+  class AuthRule < ActiveRecord::Base
+    TYPE_IP_FILTER = "ip_filter"
+    TYPE_PW_EXPIRATION_PERIOD = 'pw_expiration_period'
+    TYPE_PW_LOOKBACK_PERIOD = 'pw_lookback_period'
+
+    serialize :rule_value
+
+    has_many :auth_users_auth_rules
+  end
+end

data/app/models/fortifier/auth_steps/check_for_blocked_ip.rb

@@ -0,0 +1,22 @@
+module Fortifier
+	module AuthSteps
+		class CheckForBlockedIp
+      def self.skip_step?(params)
+        params[:auth_msg].present?
+      end
+
+      def self.invoke(params)
+        auth_user = params[:auth_user]
+        remote_addr = params[:remote_addr]
+        account = params[:account]
+        ip_blocked = AuthLog.block_ip?(remote_addr)
+        if ip_blocked
+          # TODO: (DK) ? auth_log.destroy # this is so one user can't block an IP
+          NotifierMailer.account_ip_blocked(auth_user, remote_addr, account).deliver
+          NotifierMailer.account_ip_blocked_providigm(auth_user, remote_addr, account).deliver
+        end
+        params.merge! auth_msg: ip_blocked ? Messaging::IP_BLOCKED : nil
+      end
+		end
+	end
+end

data/app/models/fortifier/auth_steps/check_for_blocked_user.rb

@@ -0,0 +1,16 @@
+module Fortifier
+	module AuthSteps
+		class CheckForBlockedUser
+      def self.skip_step?(params)
+        auth_user = params[:auth_user]
+        params[:auth_msg].present? || auth_user.blank? || !auth_user.successful_log_in?
+      end
+
+      def self.invoke(params)
+        auth_user = params[:auth_user]
+        auth_user_blocked = auth_user.blocked?
+        params.merge! auth_msg: auth_user_blocked ? Messaging::USER_BLOCKED : nil
+      end
+		end
+	end
+end

data/app/models/fortifier/auth_steps/check_for_us_external_ip.rb

@@ -0,0 +1,14 @@
+module Fortifier
+	module AuthSteps
+		class CheckForUsExternalIp
+      def self.skip_step?(params)
+        params[:auth_msg].present?
+      end
+
+      def self.invoke(params)
+        allowed = MaxMind.valid_ip?(params[:auth_log])
+        params.merge! auth_msg: allowed ? nil : Messaging::MAX_MIND_EXTERNAL_IP
+      end
+		end
+	end
+end

data/app/models/fortifier/auth_steps/check_for_whitelisted_ip.rb

@@ -0,0 +1,38 @@
+module Fortifier
+	module AuthSteps
+		class CheckForWhitelistedIp
+      def self.skip_step?(params)
+        params[:auth_msg].present?
+      end
+
+      def self.invoke(params)
+        remote_addr = params[:auth_log].remote_addr
+        ip_ranges = Fortifier::AuthRule.
+                      joins(:auth_users_auth_rules).
+                      where('auth_user_id = ? and rule_type = ?', params[:auth_user].id, Fortifier::AuthRule::TYPE_IP_FILTER).
+                      pluck(:rule_value).
+                      flatten(1)
+        range_results = []
+        
+        # TODO: (DK) refactor once tests are written for this
+        if ip_ranges.present?
+          ip_ranges.each do |ipr|
+            if ipr.count==1 #e.g. single-string range, like ['192.168.1.1/16']
+              range = (IPAddr.new(ipr.first)) # .to_i here will cause '.include?' to blowup, so don't use
+              range_results << range.include?(IPAddr.new(remote_addr).to_i)
+            elsif ipr.count==2 #e.g. double-string range, like ['192.168.1.1', '192.168.1.255']
+              range = (IPAddr.new(ipr.first).to_i..IPAddr.new(ipr.last).to_i)
+              range_results << range.include?(IPAddr.new(remote_addr).to_i)
+            else
+              # no ip ranges were specified
+              range_results << true
+            end
+          end
+        else
+          range_results << true
+        end
+        params.merge! auth_msg: range_results.include?(true) ? nil : Messaging::EXTERNAL_IP
+      end
+		end
+	end
+end

data/app/models/fortifier/auth_steps/initialize_auth_attempt.rb

@@ -0,0 +1,19 @@
+module Fortifier
+	module AuthSteps
+		class InitializeAuthAttempt
+			def self.invoke(params)
+        secret = params[:secret]
+        auth_user = AuthUser.where(login: params[:login]).first
+				auth_success = secret.blank? || auth_user.blank? ? false : auth_user.authenticated?(secret)
+    		auth_log = Fortifier::AuthLog.create(auth_user: auth_user,
+                                       		     user_agent: params[:user_agent],
+                                       		     remote_addr: params[:remote_addr],
+                                       		     status: (auth_success ? 1 : 0))
+
+    		params.merge! auth_user: auth_user,
+    								    auth_log: auth_log,
+    								    auth_msg: (auth_user && auth_success) ? nil : Messaging::NO_AUTH_USER
+			end
+		end
+	end
+end

data/app/models/fortifier/auth_steps/initialize_batch_sso_auth_attempt.rb

@@ -0,0 +1,18 @@
+module Fortifier
+  module AuthSteps
+    class InitializeBatchSsoAuthAttempt
+      def self.invoke(params)
+        token = params[:token]
+        auth_user = Fortifier::AuthUser.authenticate_batch_sso(params[:account_uuid], token) unless token.blank?
+        auth_log  = Fortifier::AuthLog.create(auth_user: auth_user,
+                                                user_agent: params["HTTP_USER_AGENT"],
+                                                remote_addr: params["IP"],
+                                                status: (auth_user ? 1 : 0))
+
+        params.merge auth_user: auth_user,
+                     auth_log: auth_log,
+                     auth_msg: auth_user ? nil : Messaging::NO_AUTH_USER
+      end
+    end
+  end
+end

data/app/models/fortifier/auth_steps/initialize_on_demand_sso_auth_attempt.rb

@@ -0,0 +1,18 @@
+module Fortifier
+  module AuthSteps
+    class InitializeBatchSsoAuthAttempt
+      def self.invoke(params)
+        token = params[:token]
+        auth_user = Fortifier::AuthUser.authenticate_on_demand_sso(params[:account_uuid], token) unless token.blank?
+        auth_log  = Fortifier::AuthLog.create(auth_user: auth_user,
+                                                user_agent: params["HTTP_USER_AGENT"],
+                                                remote_addr: params["IP"],
+                                                status: (auth_user ? 1 : 0))
+
+        params.merge auth_user: auth_user,
+                     auth_log: auth_log,
+                     auth_msg: auth_user ? nil : Messaging::NO_AUTH_USER
+      end
+    end
+  end
+end

data/app/models/fortifier/auth_steps/messaging.rb

@@ -0,0 +1,16 @@
+module Fortifier
+  module AuthSteps
+    class Messaging
+      GENERIC_FAIL_MESSAGE = :incorrect_login_or_password
+      INVALID_IP_MESSAGE   = :invalid_ip
+
+      NO_AUTH_USER         = GENERIC_FAIL_MESSAGE
+      NO_USER              = GENERIC_FAIL_MESSAGE
+      USER_DISABLED        = GENERIC_FAIL_MESSAGE
+      USER_BLOCKED         = GENERIC_FAIL_MESSAGE
+      IP_BLOCKED           = GENERIC_FAIL_MESSAGE
+      EXTERNAL_IP          = INVALID_IP_MESSAGE
+      MAX_MIND_EXTERNAL_IP = INVALID_IP_MESSAGE
+    end
+  end
+end