g5_authenticatable 0.4.2 → 0.5.0

data/spec/controllers/application_controller_spec.rb

@@ -28,4 +28,16 @@ describe ::ApplicationController do
 
     it_should_behave_like 'a secure controller'
   end
+
+  it 'should mixin pundit authorization' do
+    expect(controller).to respond_to(:authorize)
+  end
+
+  it 'should mixin pundit scoping' do
+    expect(controller).to respond_to(:policy_scope)
+  end
+
+  it 'should mixin authorization error handling' do
+    expect(controller).to respond_to(:user_not_authorized)
+  end
 end

data/spec/controllers/concerns/g5_authenticatable/authorization.rb

@@ -0,0 +1,50 @@
+require 'spec_helper'
+
+describe G5Authenticatable::Authorization, type: :controller do
+  controller(ActionController::Base) do
+    include G5Authenticatable::Authorization
+
+    def index
+      raise Pundit::NotAuthorizedError.new(query: 'index?', record: 'mock_record')
+    end
+  end
+
+  it 'should mixin the authorize method' do
+    expect(controller).to respond_to(:authorize)
+  end
+
+  it 'should mixin the policy_scope method' do
+    expect(controller).to respond_to(:policy_scope)
+  end
+
+  describe '#user_not_authorized' do
+    subject(:user_not_authorized) { get :index, format: format }
+
+    context 'when format is json' do
+      let(:format) { :json }
+
+      it 'is forbidden' do
+        user_not_authorized
+        expect(response).to be_forbidden
+      end
+
+      it 'renders the json error message' do
+        user_not_authorized
+        expect(JSON.parse(response.body)).to eq({'error' => 'Access forbidden'})
+      end
+    end
+
+    context 'when format is html' do
+      let(:format) { :html }
+      it 'is forbidden' do
+        user_not_authorized
+        expect(response).to be_forbidden
+      end
+
+      it 'renders the static 403.html' do
+        user_not_authorized
+        expect(response).to render_template(file: "#{Rails.root}/public/403.html")
+      end
+    end
+  end
+end

data/spec/dummy/app/assets/javascripts/posts.js

@@ -0,0 +1,2 @@
+// Place all the behaviors and hooks related to the matching controller here.
+// All this logic will automatically be available in application.js.

data/spec/dummy/app/assets/stylesheets/posts.css

@@ -0,0 +1,4 @@
+/*
+  Place all the styles related to the matching controller here.
+  They will automatically be included in application.css.
+*/

data/spec/dummy/app/assets/stylesheets/scaffold.css

@@ -0,0 +1,56 @@
+body { background-color: #fff; color: #333; }
+
+body, p, ol, ul, td {
+  font-family: verdana, arial, helvetica, sans-serif;
+  font-size:   13px;
+  line-height: 18px;
+}
+
+pre {
+  background-color: #eee;
+  padding: 10px;
+  font-size: 11px;
+}
+
+a { color: #000; }
+a:visited { color: #666; }
+a:hover { color: #fff; background-color:#000; }
+
+div.field, div.actions {
+  margin-bottom: 10px;
+}
+
+#notice {
+  color: green;
+}
+
+.field_with_errors {
+  padding: 2px;
+  background-color: red;
+  display: table;
+}
+
+#error_explanation {
+  width: 450px;
+  border: 2px solid red;
+  padding: 7px;
+  padding-bottom: 0;
+  margin-bottom: 20px;
+  background-color: #f0f0f0;
+}
+
+#error_explanation h2 {
+  text-align: left;
+  font-weight: bold;
+  padding: 5px 5px 5px 15px;
+  font-size: 12px;
+  margin: -7px;
+  margin-bottom: 0px;
+  background-color: #c00;
+  color: #fff;
+}
+
+#error_explanation ul li {
+  font-size: 12px;
+  list-style: square;
+}

data/spec/dummy/app/controllers/application_controller.rb

@@ -1,3 +1,4 @@
 class ApplicationController < ActionController::Base
+  include G5Authenticatable::Authorization
   protect_from_forgery
 end

data/spec/dummy/app/controllers/posts_controller.rb

@@ -0,0 +1,74 @@
+class PostsController < ApplicationController
+  before_action :authenticate_api_user!, unless: :is_navigational_format?
+  before_action :authenticate_user!, if: :is_navigational_format?
+
+  before_action :set_post, only: [:show, :edit, :update, :destroy]
+
+  respond_to :json, except: [:new, :edit]
+  respond_to :html
+
+  # GET /posts
+  def index
+    authorize(Post)
+    @posts = policy_scope(Post)
+    respond_with(@posts)
+  end
+
+  # GET /posts/1
+  def show
+    authorize(@post)
+    respond_with(@post)
+  end
+
+  # GET /posts/new
+  def new
+    @post = Post.new
+    authorize(@post)
+    respond_with(@post)
+  end
+
+  # GET /posts/1/edit
+  def edit
+    authorize(@post)
+    respond_with(@post)
+  end
+
+  # POST /posts
+  def create
+    @post = Post.new(post_params)
+    authorize(@post)
+    if @post.save
+      flash[:notice] = 'Post was successfully created.'
+    end
+    respond_with(@post)
+  end
+
+  # PATCH/PUT /posts/1
+  def update
+    authorize(@post)
+    if @post.update(post_params)
+      flash[:notice] = 'Post was successfully updated.'
+    end
+    respond_with(@post)
+  end
+
+  # DELETE /posts/1
+  def destroy
+    authorize(@post)
+    if @post.destroy
+      flash[:notice] = 'Post was successfully destroyed.'
+    end
+    respond_with(@post)
+  end
+
+  private
+    # Use callbacks to share common setup or constraints between actions.
+    def set_post
+      @post = Post.find(params[:id])
+    end
+
+    # Only allow a trusted parameter "white list" through.
+    def post_params
+      params.require(:post).permit(:content, :author_id)
+    end
+end

data/spec/dummy/app/helpers/posts_helper.rb

@@ -0,0 +1,2 @@
+module PostsHelper
+end

data/spec/dummy/app/models/post.rb

@@ -0,0 +1,3 @@
+class Post < ActiveRecord::Base
+  belongs_to :author, class: G5Authenticatable::User
+end

data/spec/dummy/app/policies/application_policy.rb

@@ -0,0 +1,4 @@
+class ApplicationPolicy < G5Authenticatable::BasePolicy
+  class Scope < BaseScope
+  end
+end

data/spec/dummy/app/policies/post_policy.rb

@@ -0,0 +1,4 @@
+class PostPolicy < ApplicationPolicy
+  class Scope < Scope
+  end
+end

data/spec/dummy/app/views/home/index.html.erb

@@ -1 +1,41 @@
 <p>Welcome to the dummy application!</p>
+
+<% if current_user %>
+  <div id="email" class="row">
+    <h4>Email:</h4>
+    <%= current_user.email %>
+  </div>
+  <div id="first_name" class="row">
+    <h4>First Name:</h4>
+    <%= current_user.first_name %>
+  </div>
+  <div id="last_name" class="row">
+    <h4>Last Name:</h4>
+    <%= current_user.last_name %>
+  </div>
+  <div id="phone_number" class="row">
+    <h4>Phone Number:</h4>
+    <%= current_user.phone_number %>
+  </div>
+  <div id="g5_access_token" class="row">
+    <h4>Access Token:</h4>
+    <%= current_user.g5_access_token %>
+  </div>
+  <div id="title" class="row">
+    <h4>Title:</h4>
+    <%= current_user.title %>
+  </div>
+  <div id="organization_name" class="row">
+    <h4>Organization Name:</h4>
+    <%= current_user.organization_name %>
+  </div>
+  <div id="roles" class="row">
+    <h4>Roles:</h4>
+    <% current_user.roles.each do |role| %>
+      <div>
+        <h5>Role Name:<h5>
+        <%= role.name %>
+      </div>
+    <% end %>
+  </div>
+<% end %>

data/spec/dummy/app/views/posts/_form.html.erb

@@ -0,0 +1,21 @@
+<%= form_for(@post) do |f| %>
+  <% if @post.errors.any? %>
+    <div id="error_explanation">
+      <h2><%= pluralize(@post.errors.count, "error") %> prohibited this post from being saved:</h2>
+
+      <ul>
+      <% @post.errors.full_messages.each do |message| %>
+        <li><%= message %></li>
+      <% end %>
+      </ul>
+    </div>
+  <% end %>
+
+  <%= f.label :content %>:
+  <%= f.text_field :content %>
+  <input name="post[author_id]" type="hidden" value="<%= current_user.id %>">
+
+  <div class="actions">
+    <%= f.submit %>
+  </div>
+<% end %>

data/spec/dummy/app/views/posts/edit.html.erb

@@ -0,0 +1,6 @@
+<h1>Editing Post</h1>
+
+<%= render 'form' %>
+
+<%= link_to 'Show', @post %> |
+<%= link_to 'Back', posts_path %>

data/spec/dummy/app/views/posts/index.html.erb

@@ -0,0 +1,30 @@
+<p id="notice"><%= notice %></p>
+
+<h1>Listing Posts</h1>
+
+<table>
+  <thead>
+    <tr>
+      <th>Content</th>
+      <th>Author</th>
+      <th colspan="3">Actions</th>
+    </tr>
+  </thead>
+
+  <tbody>
+
+    <% @posts.each do |post| %>
+      <tr>
+        <td><%= post.content %></td>
+        <td><%= post.author.first_name %> <%= post.author.last_name %></td>
+        <td><%= link_to 'Show', post %></td>
+        <td><%= link_to 'Edit', edit_post_path(post) %></td>
+        <td><%= link_to 'Destroy', post, method: :delete, data: { confirm: 'Are you sure?' } %></td>
+      </tr>
+    <% end %>
+  </tbody>
+</table>
+
+<br>
+
+<%= link_to 'New Post', new_post_path %>

data/spec/dummy/app/views/posts/new.html.erb

@@ -0,0 +1,5 @@
+<h1>New Post</h1>
+
+<%= render 'form' %>
+
+<%= link_to 'Back', posts_path %>

data/spec/dummy/app/views/posts/show.html.erb

@@ -0,0 +1,17 @@
+<p id="notice"><%= notice %></p>
+
+<div>
+  <h1>Content</h1>
+  <p><%= @post.content %></p>
+</div>
+<div>
+  <h1>Author</h1>
+  <p><%= @post.author.first_name %> <%= @post.author.last_name %></p>
+</div>
+<div>
+  <h1>Created At</h1>
+  <p><%= @post.created_at %><p>
+</div>
+
+<%= link_to 'Edit', edit_post_path(@post) %> |
+<%= link_to 'Back', posts_path %>

data/spec/dummy/config/database.yml.ci

@@ -2,5 +2,4 @@ test:
   adapter: postgresql
   encoding: unicode
   database: g5_authenticatable_test
-  pool: 5
-  username: ubuntu
+  username: postgres

data/spec/dummy/config/initializers/g5_authenticatable.rb

@@ -0,0 +1,8 @@
+# Enable strict token validation to guarantee that an authenticated
+# user's access token is still valid on the global auth server, at the
+# cost of performance. When disabled, the user's access token will
+# not be repeatedly validated, but this means that the local
+# session may persist long after the access token is revoked on the
+# auth server. Disabled by default.
+#
+# G5Authenticatable.strict_token_validation = true

data/spec/dummy/config/routes.rb

@@ -1,4 +1,6 @@
 Rails.application.routes.draw do
+  resources :posts
+
   resource :home, only: [:index, :show]
 
   get '/protected_page', to: 'home#show', as: :protected_page

data/spec/dummy/db/migrate/20150428182339_add_g5_authenticatable_users_contact_info.rb

@@ -0,0 +1,11 @@
+class AddG5AuthenticatableUsersContactInfo < ActiveRecord::Migration
+  def change
+    change_table(:g5_authenticatable_users) do |t|
+      t.string :first_name
+      t.string :last_name
+      t.string :phone_number
+      t.string :title
+      t.string :organization_name
+    end
+  end
+end

data/spec/dummy/db/migrate/20150429212919_create_g5_authenticatable_roles.rb

@@ -0,0 +1,20 @@
+class CreateG5AuthenticatableRoles < ActiveRecord::Migration
+  def change
+    create_table(:g5_authenticatable_roles) do |t|
+      t.string :name
+      t.references :resource, :polymorphic => true
+
+      t.timestamps
+    end
+
+    create_table(:g5_authenticatable_users_roles, :id => false) do |t|
+      t.references :user
+      t.references :role
+    end
+
+    add_index(:g5_authenticatable_roles, :name)
+    add_index(:g5_authenticatable_roles, [ :name, :resource_type, :resource_id ],
+              name: 'index_g5_authenticatable_roles_on_name_and_resource')
+    add_index(:g5_authenticatable_users_roles, [ :user_id, :role_id ])
+  end
+end

data/spec/dummy/db/migrate/20150509061150_create_posts.rb

@@ -0,0 +1,9 @@
+class CreatePosts < ActiveRecord::Migration
+  def change
+    create_table :posts do |t|
+      t.integer :author_id
+      t.string :content
+      t.timestamps null: false
+    end
+  end
+end

data/spec/dummy/db/schema.rb

@@ -11,9 +11,23 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20140206070137) do
+ActiveRecord::Schema.define(version: 20150509061150) do
 
-  create_table "g5_authenticatable_users", force: true do |t|
+  # These are extensions that must be enabled in order to support this database
+  enable_extension "plpgsql"
+
+  create_table "g5_authenticatable_roles", force: :cascade do |t|
+    t.string   "name"
+    t.integer  "resource_id"
+    t.string   "resource_type"
+    t.datetime "created_at"
+    t.datetime "updated_at"
+  end
+
+  add_index "g5_authenticatable_roles", ["name", "resource_type", "resource_id"], name: "index_g5_authenticatable_roles_on_name_and_resource", using: :btree
+  add_index "g5_authenticatable_roles", ["name"], name: "index_g5_authenticatable_roles_on_name", using: :btree
+
+  create_table "g5_authenticatable_users", force: :cascade do |t|
     t.string   "email",              default: "",   null: false
     t.string   "provider",           default: "g5", null: false
     t.string   "uid",                               null: false
@@ -25,9 +39,28 @@ ActiveRecord::Schema.define(version: 20140206070137) do
     t.string   "last_sign_in_ip"
     t.datetime "created_at"
     t.datetime "updated_at"
+    t.string   "first_name"
+    t.string   "last_name"
+    t.string   "phone_number"
+    t.string   "title"
+    t.string   "organization_name"
   end
 
-  add_index "g5_authenticatable_users", ["email"], name: "index_g5_authenticatable_users_on_email", unique: true
-  add_index "g5_authenticatable_users", ["provider", "uid"], name: "index_g5_authenticatable_users_on_provider_and_uid", unique: true
+  add_index "g5_authenticatable_users", ["email"], name: "index_g5_authenticatable_users_on_email", unique: true, using: :btree
+  add_index "g5_authenticatable_users", ["provider", "uid"], name: "index_g5_authenticatable_users_on_provider_and_uid", unique: true, using: :btree
+
+  create_table "g5_authenticatable_users_roles", id: false, force: :cascade do |t|
+    t.integer "user_id"
+    t.integer "role_id"
+  end
+
+  add_index "g5_authenticatable_users_roles", ["user_id", "role_id"], name: "index_g5_authenticatable_users_roles_on_user_id_and_role_id", using: :btree
+
+  create_table "posts", force: :cascade do |t|
+    t.integer  "author_id"
+    t.string   "content"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+  end
 
 end

data/spec/dummy/public/403.html

@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>Access forbidden (403)</title>
+  <style type="text/css">
+    body { background-color: #fff; color: #666; text-align: center; font-family: arial, sans-serif; }
+    div.dialog {
+      width: 25em;
+      padding: 0 4em;
+      margin: 4em auto 0 auto;
+      border: 1px solid #ccc;
+      border-right-color: #999;
+      border-bottom-color: #999;
+    }
+    h1 { font-size: 100%; color: #f00; line-height: 1.5em; }
+  </style>
+</head>
+
+<body>
+  <!-- This file lives in public/403.html -->
+  <div class="dialog">
+    <h1>Access forbidden</h1>
+    <p>You do not have permission to access this page.</p>
+  </div>
+</body>
+</html>

data/spec/factories/post.rb

@@ -0,0 +1,6 @@
+FactoryGirl.define do
+  factory :post do
+    sequence(:content) { |n| "This is my post #{n}" }
+    association :author, factory: :g5_authenticatable_user
+  end
+end