g5_authenticatable 0.7.3 → 0.7.4.beta.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: f56baf7ccaaf8080ddb8287e138495c535a7b5c0
-  data.tar.gz: feecc8d4ec69a2985e6ee769a0b0bb20614e30a4
+  metadata.gz: 33d905c7e18808b53851712ddc45868931d5d535
+  data.tar.gz: e44568c0480ef175f21a8c72bbd80906af680a37
 SHA512:
-  metadata.gz: 5e14a0afcdb5e18630e445914817541d0df7cadc7f55cb0e877b489f129b865aa3130e202d04bc349044aa84e4ad78b61653fc6ff36b5f6d178caae85073d7ec
-  data.tar.gz: f2cffe7568ac42aae42e3f71f8942224109ef6c8855717e96658bb8f487c08aa76c12ad8c7f8937672024b859a12bf72ca74647b2cbcb9227ce8f78255a63911
+  metadata.gz: 4ab02a3e351aab389dec36767a86eb52d7a079c0331be53902b8fd09c06bf2b23583f1cdd80903d7fc9041ca017ecaab8cd755d4682e891aa3ba2d495cb243d9
+  data.tar.gz: c8343d576b235a766eccd483a366f4574076fc3d41f949b2f065c1b6dc84b3daa8b59861f6f0c8f8b5f255f0eb09808c28547d89cd2fc08c3a74d3ec9a1cffea

data/CHANGELOG.md

@@ -1,7 +1,21 @@
+## v0.7.4.beta.1 (2015-12-07)
+
+* Adds Impersonate (Assume) Devise Strategy and Concern to handle access to session stored values
+* Handles the ability and rules to impersonate a user providing his unique ID
+* Adds the UID from the session and request to be used by the Auth Workflow when present
+
 ## v0.7.3 (2015-11-30)
 * Upgrade to devise_g5_authenticatable to fix regression bug https://github.com/G5/devise_g5_authenticatable/pull/23
 * Upgrade to omniauth_g5 to fix regression bug https://github.com/G5/omniauth-g5/pull/10
 
+## v0.7.2 (2015-06-23)
+
+* Removed pinned g5_updatalbe version from 0.6.0 to > 0.6.0
+
+## v0.7.1 (2015-06-08)
+
+* Fixed bug when listing clients
+
 ## v0.7.0 (2015-06-04)
 
 * Add convenience methods to `G5Authenticatable::User`, as well as a

data/app/models/g5_authenticatable/user.rb

@@ -15,13 +15,11 @@ module G5Authenticatable
         user.assign_attributes(extended_auth_attributes(auth_data))
         user.update_roles_from_auth(auth_data)
       end
-
       user
     end
 
     def self.find_and_update_for_g5_oauth(auth_data)
       user = super(auth_data)
-
       if user
         user.update_attributes(extended_auth_attributes(auth_data))
         user.update_roles_from_auth(auth_data)
@@ -33,17 +31,7 @@ module G5Authenticatable
     def update_roles_from_auth(auth_data)
       roles.clear
       auth_data.extra.roles.each do |role|
-        if(role.type == 'GLOBAL')
-          add_role(role.name)
-        else
-          begin
-            the_class = Object.const_get(role.type)
-            resource = the_class.where(urn: role.urn).first
-            add_role(role.name, resource)
-          rescue => e
-            Rails.logger.error(e)
-          end
-        end
+        role.type == 'GLOBAL' ? add_role(role.name) : add_scoped_role(role)
       end
     end
 
@@ -52,17 +40,24 @@ module G5Authenticatable
     end
 
     private
+
     def self.extended_auth_attributes(auth_data)
-      {
+      h = {
         first_name: auth_data.info.first_name,
         last_name: auth_data.info.last_name,
         phone_number: auth_data.info.phone,
         title: auth_data.extra.title,
         organization_name: auth_data.extra.organization_name
       }
+      auth_data.uid.present? ? h.merge!(uid: auth_data.uid) : h
     end
 
-
-
+    def add_scoped_role(role)
+      the_class = Object.const_get(role.type)
+      resource = the_class.where(urn: role.urn).first
+      add_role(role.name, resource)
+    rescue => e
+      Rails.logger.error(e)
+    end
   end
 end

data/app/services/g5_authenticatable/impersonate_sessionable.rb

@@ -0,0 +1,83 @@
+module G5Authenticatable
+  module ImpersonateSessionable
+    extend ActiveSupport::Concern
+
+    def impersonation_user?
+      impersonation_user.present?
+    end
+
+    def impersonation_user
+      user_by_uid(impersonate_admin_uid)
+    end
+
+    def user_to_impersonate
+      user_by_uid(impersonating_user_uid)
+    end
+
+    def clear_impersonation_keys
+      impersonate_admin_uid = nil
+      impersonating_user_uid = nil
+      impersonating_user_callback_url = nil
+    end
+
+    # Checks if the user by param is able to impersonate the second user by param
+    def check_impersonation_access?(user_impersonating, resource)
+      able_to_impersonate?(user_impersonating, resource)
+    end
+
+    private
+
+    def able_to_impersonate?(user_impersonating, resource)
+      return false unless user_impersonating.present? && resource.present?
+      if user_impersonating.has_role?(:super_admin) ||
+         (user_impersonating.has_role?(:admin) && !resource.has_role?(:super_admin))
+        true
+      else
+        false
+      end
+    end
+
+    def user_by_uid(uid)
+      G5Authenticatable::User.find_by_uid(uid)
+    rescue ActiveRecord::RecordNotFound
+      nil
+    end
+
+    # Let's just keep this key secret. you know.. for security reasons.
+    IMPERSONATE_SESSION_KEY = 'devise.g5_authenticatable.Xf1eP3hCjC'
+    IMPERSONATING_USER_SESSION_KEY = 'devise.g5_authenticatable.Zk35J5adER'
+    IMPERSONATING_USER_SESSION_CALLBACK_URL = 'devise.g5_authenticatable.callcbak_url'
+
+    def impersonate_admin_uid
+      request.env['rack.session'][IMPERSONATE_SESSION_KEY]
+    end
+
+    def impersonate_admin_uid=(uid)
+      request.env['rack.session'][IMPERSONATE_SESSION_KEY] = uid
+    end
+
+    def impersonate_admin_uid?
+      request.env['rack.session'] && request.env['rack.session'][IMPERSONATE_SESSION_KEY].present?
+    end
+
+    def impersonating_user_uid
+      request.env['rack.session'][IMPERSONATING_USER_SESSION_KEY]
+    end
+
+    def impersonating_user_uid=(uid)
+      request.env['rack.session'][IMPERSONATING_USER_SESSION_KEY] = uid
+    end
+
+    def impersonating_user_uid?
+      request.env['rack.session'] && request.env['rack.session'][IMPERSONATING_USER_SESSION_KEY].present?
+    end
+
+    def impersonating_user_callback_url
+      request.env['rack.session'][IMPERSONATING_USER_SESSION_CALLBACK_URL] || ''
+    end
+
+    def impersonating_user_callback_url=(callback_url)
+      request.env['rack.session'][IMPERSONATING_USER_SESSION_CALLBACK_URL] = callback_url
+    end
+  end
+end

data/config/initializers/devise.rb

@@ -237,6 +237,8 @@ Devise.setup do |config|
   #
   config.warden do |manager|
     # Add custom warden configuration here
+    manager.strategies.add(:impersonate_strategy, Devise::Strategies::ImpersonateStrategy)
+    manager.default_strategies(:scope => :user).unshift :impersonate_strategy
   end
 
 

data/config/initializers/impersonate_strategy.rb

@@ -0,0 +1,31 @@
+require 'devise/strategies/authenticatable'
+require 'devise/strategies/base'
+
+module Devise
+  module Strategies
+    class ImpersonateStrategy < Authenticatable
+      include ::G5Authenticatable::ImpersonateSessionable
+
+      # Prevents unauthorized users to impersonate another user when visiting the correct URL
+      def valid?
+        allowed = user_to_impersonate.present? &&
+                    able_to_impersonate?(impersonation_user, user_to_impersonate)
+        return allowed if allowed
+        clear_impersonation_keys
+        true
+      rescue # Safety net
+        clear_impersonation_keys
+        false
+      end
+
+      def authenticate!
+        if user_to_impersonate.present?
+          success!(user_to_impersonate)
+        else
+          clear_impersonation_keys
+          fail('You do not have sufficient access to this account')
+        end
+      end
+    end
+  end
+end

data/g5_authenticatable.gemspec

@@ -20,7 +20,7 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
 
-  spec.add_dependency 'devise_g5_authenticatable', '~> 0.2.3'
+  spec.add_dependency 'devise_g5_authenticatable', '~> 0.2.4.beta'
   spec.add_dependency 'omniauth-g5', '~> 0.3.1'
   spec.add_dependency 'g5_authenticatable_api', '~> 0.4.1'
   spec.add_dependency 'rolify', '~> 4.0'

data/lib/g5_authenticatable/test/controller_helpers.rb

@@ -1,7 +1,6 @@
 module G5Authenticatable
   module Test
     module ControllerHelpers
-
       def login_user(user)
         @request.env["devise.mapping"] = Devise.mappings[:user]
         sign_in user
@@ -10,14 +9,35 @@ module G5Authenticatable
       def logout_user(user)
         sign_out(user)
       end
-
     end
   end
 end
 
 shared_context 'auth controller', auth_controller: true do
-  include G5Authenticatable::Test::ControllerHelpers
   let(:user) { FactoryGirl.create(:g5_authenticatable_user) }
+  include_context 'authorization controller'
+end
+
+shared_context 'super admin auth controller' do
+  let(:user) do
+    user = FactoryGirl.create(:g5_authenticatable_user)
+    user.add_role(:super_admin)
+    user
+  end
+  include_context 'authorization controller'
+end
+
+shared_context 'admin auth controller' do
+  let(:user) do
+    user = FactoryGirl.create(:g5_authenticatable_user)
+    user.add_role(:admin)
+    user
+  end
+  include_context 'authorization controller'
+end
+
+shared_context 'authorization controller' do
+  include G5Authenticatable::Test::ControllerHelpers
 
   before do
     stub_valid_access_token(user.g5_access_token)
@@ -28,9 +48,7 @@ shared_context 'auth controller', auth_controller: true do
 end
 
 shared_examples 'a secure controller' do
-
   controller do
-
     before_filter :authenticate_user!
 
     def index
@@ -38,26 +56,22 @@ shared_examples 'a secure controller' do
     end
   end
 
-  context "without an authenticated user" do
-
-    it "should be redirected" do
+  context 'without an authenticated user' do
+    it 'should be redirected' do
       get :index
       expect(response).to redirect_to('/g5_auth/users/sign_in')
     end
-
   end
 
   context 'with an authenticated user', :auth_controller do
-
     it 'should be successful' do
       get :index
       expect(response.body).to eq('content')
     end
-
   end
 end
 
 RSpec.configure do |config|
-  config.include Devise::TestHelpers, :type => :controller
+  config.include Devise::TestHelpers, type: :controller
   config.include G5Authenticatable::Test::ControllerHelpers, type: :controller
 end

data/lib/g5_authenticatable/version.rb

@@ -1,3 +1,3 @@
 module G5Authenticatable
-  VERSION = '0.7.3'
+  VERSION = '0.7.4.beta.1'
 end

data/spec/models/g5_authenticatable/user_spec.rb

@@ -67,7 +67,6 @@ describe G5Authenticatable::User do
       OmniAuth::AuthHash.new(
         {
           'provider' => new_user_attributes[:provider],
-          'uid' => new_user_attributes[:uid],
           'info' => {
             'email' => new_user_attributes[:email],
             'name' => "#{new_user_attributes[:first_name]} #{new_user_attributes[:last_name]}",
@@ -84,7 +83,7 @@ describe G5Authenticatable::User do
             'title' => new_user_attributes[:title],
             'organization_name' => new_user_attributes[:organization_name],
             'roles' => [
-              {'name' => new_role_attributes[:name], 'type' => 'GLOBAL', 'urn' => nil}
+              { 'name' => new_role_attributes[:name], 'type' => 'GLOBAL', 'urn' => nil }
             ],
             'raw_info' => {}
           }
@@ -95,7 +94,24 @@ describe G5Authenticatable::User do
     let(:new_role_attributes) { FactoryGirl.attributes_for(:g5_authenticatable_role) }
 
     context 'when there is auth data in the session' do
-      let(:session) { {'omniauth.auth' => auth_data} }
+      let(:session) do
+        { 'omniauth.auth' => auth_data }
+      end
+
+      context 'with UID' do
+        before do
+          auth_data['uid'] = new_user_attributes[:uid]
+        end
+        it 'should set the uid from the session data' do
+          expect(new_user.uid).to eq(new_user_attributes[:uid])
+        end
+      end
+
+      context 'without UID' do
+        it "won't set the uid from the session data" do
+          expect(new_user.uid).to be_nil
+        end
+      end
 
       it 'should initialize a new user' do
         expect(new_user).to be_a_new_record
@@ -109,10 +125,6 @@ describe G5Authenticatable::User do
         expect(new_user.provider).to eq(new_user_attributes[:provider])
       end
 
-      it 'should set the uid from the session data' do
-        expect(new_user.uid).to eq(new_user_attributes[:uid])
-      end
-
       it 'should set the email from the session data' do
         expect(new_user.email).to eq(new_user_attributes[:email])
       end
@@ -210,7 +222,7 @@ describe G5Authenticatable::User do
             'title' => updated_attributes[:title],
             'organization_name' => updated_attributes[:organization_name],
             'roles' => [
-              {name: updated_role_name, type: 'GLOBAL', urn: nil}
+              { name: updated_role_name, type: 'GLOBAL', urn: nil }
             ],
             'raw_info' => {}
           }
@@ -477,5 +489,4 @@ describe G5Authenticatable::User do
       end
     end
   end
-  
 end

data/spec/services/g5_authenticatable/impersonate_sessionable_spec.rb

@@ -0,0 +1,112 @@
+require 'spec_helper'
+
+describe G5Authenticatable::ImpersonateSessionable do
+  let!(:user) { FactoryGirl.create(:g5_authenticatable_user) }
+
+  class MyImpersponateSessionableTest
+    include G5Authenticatable::ImpersonateSessionable
+  end
+
+  let(:service_instance) { MyImpersponateSessionableTest.new }
+
+  describe '#impersonation_user?' do
+    subject(:impersonation_user) { service_instance.send(:impersonation_user?) }
+
+    before do
+      expect(service_instance).to receive(:impersonation_user).and_return(user)
+    end
+
+    it { expect(impersonation_user).to be_truthy }
+  end
+
+  describe '#impersonation_user' do
+    subject(:impersonation_user) { service_instance.send(:impersonation_user) }
+
+    before do
+      expect(service_instance).to receive(:impersonate_admin_uid).and_return(user.uid)
+    end
+
+    it { expect(impersonation_user).to eq(user) }
+  end
+
+  describe '#user_to_impersonate' do
+    subject(:user_to_impersonate) { service_instance.send(:user_to_impersonate) }
+
+    before do
+      expect(service_instance).to receive(:impersonating_user_uid).and_return(user.uid)
+    end
+
+    it { expect(user_to_impersonate).to eq(user) }
+  end
+
+  describe '#able_to_impersonate?' do
+    subject(:able_to_impersonate) { service_instance.send(:able_to_impersonate?, user, user2) }
+
+    context 'having a super admin and any other user' do
+      let!(:user) do
+        user = FactoryGirl.create(:g5_authenticatable_user)
+        user.add_role(:super_admin)
+        user
+      end
+      let!(:user2) { FactoryGirl.create(:g5_authenticatable_user) }
+
+      it { expect(able_to_impersonate).to eq(true) }
+    end
+
+    context 'having an admin' do
+      let!(:user) do
+        user = FactoryGirl.create(:g5_authenticatable_user)
+        user.add_role(:admin)
+        user
+      end
+
+      context 'assuming a super admin' do
+        let!(:user2) do
+          user = FactoryGirl.create(:g5_authenticatable_user)
+          user.add_role(:super_admin)
+          user
+        end
+
+        it { expect(able_to_impersonate).to eq(false) }
+      end
+
+      context 'assuming another admin' do
+        let!(:user2) do
+          user = FactoryGirl.create(:g5_authenticatable_user)
+          user.add_role(:admin)
+          user
+        end
+
+        it { expect(able_to_impersonate).to eq(true) }
+      end
+
+      context 'assuming a regular user' do
+        let!(:user2) { FactoryGirl.create(:g5_authenticatable_user) }
+
+        it { expect(able_to_impersonate).to eq(true) }
+      end
+    end
+
+    context 'providing no user' do
+      it { expect(service_instance.send(:able_to_impersonate?, user, nil)).to eq(false) }
+
+      it { expect(service_instance.send(:able_to_impersonate?, nil, user)).to eq(false) }
+
+      it { expect(service_instance.send(:able_to_impersonate?, nil, nil)).to eq(false) }
+    end
+  end
+
+  describe '#user_by_uid' do
+    subject(:user_by_uid) { service_instance.send(:user_by_uid, uid) }
+
+    context 'having an existing uid' do
+      let(:uid) { user.uid }
+      it { expect(user_by_uid).to eq(user) }
+    end
+
+    context 'having a no existing uid' do
+      let(:uid) { 'some-random-text' }
+      it { expect(user_by_uid).to be_nil }
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: g5_authenticatable
 version: !ruby/object:Gem::Version
-  version: 0.7.3
+  version: 0.7.4.beta.1
 platform: ruby
 authors:
 - maeve
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-11-30 00:00:00.000000000 Z
+date: 2015-12-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: devise_g5_authenticatable
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.2.3
+        version: 0.2.4.beta
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.2.3
+        version: 0.2.4.beta
 - !ruby/object:Gem::Dependency
   name: omniauth-g5
   requirement: !ruby/object:Gem::Requirement
@@ -126,9 +126,11 @@ files:
 - app/models/g5_authenticatable/user.rb
 - app/policies/g5_authenticatable/base_policy.rb
 - app/policies/g5_updatable/client_policy.rb
+- app/services/g5_authenticatable/impersonate_sessionable.rb
 - app/views/g5_authenticatable/error/auth_error.html.erb
 - app/views/layouts/g5_authenticatable/application.html.erb
 - config/initializers/devise.rb
+- config/initializers/impersonate_strategy.rb
 - config/initializers/rolify.rb
 - config/locales/devise.en.yml
 - config/routes.rb
@@ -242,6 +244,7 @@ files:
 - spec/requests/token_validation_spec.rb
 - spec/routing/auth_error_routing_spec.rb
 - spec/routing/sign_out_routing_spec.rb
+- spec/services/g5_authenticatable/impersonate_sessionable_spec.rb
 - spec/spec_helper.rb
 - spec/support/devise.rb
 - spec/support/shared_contexts/rake.rb
@@ -263,9 +266,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
 rubygems_version: 2.2.2
@@ -362,10 +365,10 @@ test_files:
 - spec/requests/token_validation_spec.rb
 - spec/routing/auth_error_routing_spec.rb
 - spec/routing/sign_out_routing_spec.rb
+- spec/services/g5_authenticatable/impersonate_sessionable_spec.rb
 - spec/spec_helper.rb
 - spec/support/devise.rb
 - spec/support/shared_contexts/rake.rb
 - spec/support/shared_examples/super_admin_authorizer.rb
 - spec/support/token_validation.rb
 - spec/tasks/purge_users_spec.rb
-has_rdoc: