gatekeeper 0.1.0

data/.document

@@ -0,0 +1,5 @@
+README.rdoc
+lib/**/*.rb
+bin/*
+features/**/*.feature
+LICENSE

data/.gitignore

@@ -0,0 +1,21 @@
+## MAC OS
+.DS_Store
+
+## TEXTMATE
+*.tmproj
+tmtags
+
+## EMACS
+*~
+\#*
+.\#*
+
+## VIM
+*.swp
+
+## PROJECT::GENERAL
+coverage
+rdoc
+pkg
+
+## PROJECT::SPECIFIC

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Chris Dinn
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,20 @@
+= Gatekeeper
+
+Gatekeeper can connect any Rack-compatible application to a Hot Ink SSO server. It allows you to easily verify the identity of a user against Hot Ink's
+user information database. It makes some basic information about the user available to you application.
+
+Gatekeeper is largely a rewrite of Hancock-Client (http://github.com/atmos/hancock-client). The functionality is different but the spirit is the same.
+
+== Note on Patches/Pull Requests
+ 
+* Fork the project.
+* Make your feature addition or bug fix.
+* Add specs for it. This is important so I don't break it in a
+  future version unintentionally.
+* Commit, do not mess with rakefile, version, or history.
+  (if you want to have your own version, that is fine but bump version in a commit by itself I can ignore when I pull)
+* Send me a pull request. Bonus points for topic branches.
+
+== Copyright
+
+Copyright (c) 2010 Chris Dinn. See LICENSE for details.

data/Rakefile

@@ -0,0 +1,45 @@
+require 'rubygems'
+require 'rake'
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gem|
+    gem.name = "gatekeeper"
+    gem.summary = "Connects any Rack-compatible app to a Hot Ink single sign on server."
+    gem.description = "Connects any Rack-compatible app to a Hot Ink single sign on server."
+    gem.email = "chrisgdinn@gmail.com"
+    gem.homepage = "http://github.com/chrisdinn/gatekeeper"
+    gem.authors = ["Chris Dinn"]
+    gem.add_development_dependency "rspec", ">= 1.2.9"
+    # gem is a Gem::Specification... see http://www.rubygems.org/read/chapter/20 for additional settings
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
+end
+
+require 'spec/rake/spectask'
+Spec::Rake::SpecTask.new(:spec) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.spec_files = FileList['spec/**/*_spec.rb']
+end
+
+Spec::Rake::SpecTask.new(:rcov) do |spec|
+  spec.libs << 'lib' << 'spec'
+  spec.pattern = 'spec/**/*_spec.rb'
+  spec.rcov = true
+end
+
+task :spec => :check_dependencies
+
+task :default => :spec
+
+require 'rake/rdoctask'
+Rake::RDocTask.new do |rdoc|
+  version = File.exist?('VERSION') ? File.read('VERSION') : ""
+
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "gatekeeper #{version}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end

data/VERSION

@@ -0,0 +1 @@
+0.1.0

data/gatekeeper.gemspec

@@ -0,0 +1,58 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{gatekeeper}
+  s.version = "0.1.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["Chris Dinn"]
+  s.date = %q{2010-01-12}
+  s.description = %q{Connects any Rack-compatible app to a Hot Ink single sign on server.}
+  s.email = %q{chrisgdinn@gmail.com}
+  s.extra_rdoc_files = [
+    "LICENSE",
+     "README.rdoc"
+  ]
+  s.files = [
+    ".document",
+     ".gitignore",
+     "LICENSE",
+     "README.rdoc",
+     "Rakefile",
+     "VERSION",
+     "gatekeeper.gemspec",
+     "lib/gatekeeper.rb",
+     "lib/gatekeeper/helpers/rack.rb",
+     "lib/gatekeeper/middleware.rb",
+     "lib/gatekeeper/sso.rb",
+     "spec/gatekeeper_spec.rb",
+     "spec/spec.opts",
+     "spec/spec_helper.rb"
+  ]
+  s.homepage = %q{http://github.com/chrisdinn/gatekeeper}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.5}
+  s.summary = %q{Connects any Rack-compatible app to a Hot Ink single sign on server.}
+  s.test_files = [
+    "spec/gatekeeper_spec.rb",
+     "spec/spec_helper.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<rspec>, [">= 1.2.9"])
+    else
+      s.add_dependency(%q<rspec>, [">= 1.2.9"])
+    end
+  else
+    s.add_dependency(%q<rspec>, [">= 1.2.9"])
+  end
+end
+

data/lib/gatekeeper.rb

@@ -0,0 +1,15 @@
+gem 'sinatra', '~>0.9.2'
+require 'sinatra/base'
+
+gem 'ruby-openid', '>=2.1.6'
+require 'openid'
+require 'openid/store/filesystem'
+
+gem 'rack-openid', '>=0.2'
+require 'rack/openid'
+
+require 'tmpdir'
+
+require File.dirname(__FILE__)+'/gatekeeper/helpers/rack'
+require File.dirname(__FILE__)+'/gatekeeper/sso'
+require File.dirname(__FILE__)+'/gatekeeper/middleware'

data/lib/gatekeeper/helpers/rack.rb

@@ -0,0 +1,43 @@
+module Gatekeeper
+  module Client
+    module Helpers
+      module Rack
+        def sso_logged_in?
+          session[:sso] && sso_user_id
+        end
+
+        def sso_login_as(user_id, sreg_params)
+          session.delete(:last_oidreq)
+          session.delete('OpenID::Consumer::last_requested_endpoint')
+          session.delete('OpenID::Consumer::DiscoveredServices::OpenID::Consumer::')
+
+          session[:sso] ||= { }
+          session[:sso][:user_id] = user_id
+          sreg_params.each { |key, value| session[:sso][key.to_sym] = value.to_s }
+        end
+
+        def sso_user_id
+          session[:sso][:user_id]
+        end
+
+        def sso_user_email
+          session[:sso][:email]
+        end
+
+        def absolute_url(suffix = nil)
+          port_part = case request.scheme
+                      when "http"
+                        request.port == 80 ? "" : ":#{request.port}"
+                      when "https"
+                        request.port == 443 ? "" : ":#{request.port}"
+                      end
+          "#{request.scheme}://#{request.host}#{port_part}#{suffix}"
+        end
+
+        def excluded_path?
+          options.exclude_paths && options.exclude_paths.include?(request.path_info)
+        end
+      end
+    end
+  end
+end

data/lib/gatekeeper/middleware.rb

@@ -0,0 +1,17 @@
+module Gatekeeper
+  module Client
+    class Middleware < Sinatra::Base
+      enable :raise_errors
+      disable :show_exceptions
+
+      set :sso_url, nil
+      set :exclude_paths, nil
+
+      def sso_url=(url)
+        options.sso_url = url
+      end
+      
+      register ::Gatekeeper::Client::SSO
+    end
+  end
+end

data/lib/gatekeeper/sso.rb

@@ -0,0 +1,63 @@
+module Gatekeeper
+  module Client
+    module SSO
+      def self.registered(app)
+        app.use(Rack::OpenID, OpenID::Store::Filesystem.new("#{Dir.tmpdir}/openid"))
+        app.helpers Gatekeeper::Client::Helpers::Rack
+
+        app.get '/sso/login' do
+          if contact_id = params['id']
+            response['WWW-Authenticate'] = Rack::OpenID.build_header(
+              :identifier => "#{options.sso_url}/users/#{contact_id}",
+              :trust_root => absolute_url('/sso/login')
+            )
+            throw :halt, [401, 'got openid?']
+          elsif openid = request.env["rack.openid.response"]
+            if openid.status == :success
+              if contact_id = openid.display_identifier.split("/").last
+                sreg_params = openid.message.get_args("http://openid.net/extensions/sreg/1.1")
+                sso_login_as(contact_id, sreg_params)
+                
+                if session['sso_return_to']
+                  begin
+                    return_url = URI.parse(session['sso_return_to'])
+                    
+                    unless return_url.host==request.host
+                      user_token = UserToken.create!(:user_id => sso_user_id)
+                      if return_url.query==nil
+                        return_url.query = "user_token=#{user_token.token}"
+                      else
+                        return_url.query = "user_token=#{user_token.token}&#{return_url.query}"
+                      end
+                    end
+                    
+                    redirect return_url.to_s   
+                  rescue
+                    redirect '/'
+                  ensure
+                    session['sso_return_to'] = nil
+                  end
+                else
+                  redirect '/'
+                end
+              
+              else
+                raise "No contact could be found for #{openid.display_identifier}"
+              end
+            else
+              throw :halt, [503, "Error: #{openid.status}"]
+            end
+          else
+            session['sso_return_to'] = params[:return_to] if params[:return_to]
+            redirect "#{options.sso_url}/login?return_to=#{absolute_url('/sso/login')}"
+          end
+        end
+
+        app.get '/sso/logout' do
+          session[:sso] = nil
+          redirect "#{options.sso_url}/logout"
+        end
+      end
+    end
+  end
+end

data/spec/gatekeeper_spec.rb

@@ -0,0 +1,61 @@
+require File.expand_path(File.dirname(__FILE__) + '/spec_helper')
+
+SSO_URL = "http://ssourl.local/sso"
+
+class TestApp < Sinatra::Base
+  enable :sessions
+  
+  use Gatekeeper::Client::Middleware do |sso|
+    sso.sso_url = SSO_URL
+  end
+  
+  get "/test" do
+    "success"
+  end
+end
+  
+describe "Gatekeeper" do
+  include Rack::Test::Methods    
+  
+  def app
+    TestApp
+  end
+
+  describe "sso login" do
+    it "should defer to SSO server for authentication" do
+      get '/sso/login'
+      
+      last_response.should be_redirect
+      last_response.headers['Location'].should == "#{SSO_URL}/login?return_to=http://example.org/sso/login"
+    end
+    
+    it "should build OpenID header, when appropriate" do
+      get '/sso/login', :id => 1
+      
+      last_response.status.should == 401
+      last_response.body.should == 'got openid?'
+      last_response.headers['WWW-Authenticate'].should == Rack::OpenID.build_header(
+        :identifier => "#{SSO_URL}/users/1",
+        :trust_root => "http://example.org/sso/login"
+      )
+    end
+    
+    it "should log in a user if OpenID authentication succeeds" do
+      checkid_response = mock('OpenID response')
+      message = mock('OpenID message')
+      
+      checkid_response.stub!(:status).and_return(:success)
+      checkid_response.stub!(:display_identifier).and_return("#{SSO_URL}/users/1")
+
+      message.stub!(:get_args).with("http://openid.net/extensions/sreg/1.1").and_return({'is_admin?' => false})
+      checkid_response.stub!(:message).and_return(message)
+    
+      get '/sso/login', {}, 'rack.openid.response' => checkid_response
+      
+      last_response.should be_redirect
+      last_response.headers['Location'].should == "/"
+    end
+    
+  end
+  
+end

data/spec/spec.opts

@@ -0,0 +1 @@
+--color

data/spec/spec_helper.rb

@@ -0,0 +1,10 @@
+$LOAD_PATH.unshift(File.dirname(__FILE__))
+$LOAD_PATH.unshift(File.join(File.dirname(__FILE__), '..', 'lib'))
+require 'gatekeeper'
+require 'spec'
+require 'spec/autorun'
+require 'rack/test'
+
+Spec::Runner.configure do |config|
+  
+end

metadata

@@ -0,0 +1,79 @@
+--- !ruby/object:Gem::Specification 
+name: gatekeeper
+version: !ruby/object:Gem::Version 
+  version: 0.1.0
+platform: ruby
+authors: 
+- Chris Dinn
+autorequire: 
+bindir: bin
+cert_chain: []
+
+date: 2010-01-12 00:00:00 -05:00
+default_executable: 
+dependencies: 
+- !ruby/object:Gem::Dependency 
+  name: rspec
+  type: :development
+  version_requirement: 
+  version_requirements: !ruby/object:Gem::Requirement 
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        version: 1.2.9
+    version: 
+description: Connects any Rack-compatible app to a Hot Ink single sign on server.
+email: chrisgdinn@gmail.com
+executables: []
+
+extensions: []
+
+extra_rdoc_files: 
+- LICENSE
+- README.rdoc
+files: 
+- .document
+- .gitignore
+- LICENSE
+- README.rdoc
+- Rakefile
+- VERSION
+- gatekeeper.gemspec
+- lib/gatekeeper.rb
+- lib/gatekeeper/helpers/rack.rb
+- lib/gatekeeper/middleware.rb
+- lib/gatekeeper/sso.rb
+- spec/gatekeeper_spec.rb
+- spec/spec.opts
+- spec/spec_helper.rb
+has_rdoc: true
+homepage: http://github.com/chrisdinn/gatekeeper
+licenses: []
+
+post_install_message: 
+rdoc_options: 
+- --charset=UTF-8
+require_paths: 
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+required_rubygems_version: !ruby/object:Gem::Requirement 
+  requirements: 
+  - - ">="
+    - !ruby/object:Gem::Version 
+      version: "0"
+  version: 
+requirements: []
+
+rubyforge_project: 
+rubygems_version: 1.3.5
+signing_key: 
+specification_version: 3
+summary: Connects any Rack-compatible app to a Hot Ink single sign on server.
+test_files: 
+- spec/gatekeeper_spec.rb
+- spec/spec_helper.rb