hancock 0.0.2

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2009 Corey Donohoe <atmos@atmos.org>, Tim Carey-Smith <tim@spork.in>
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,134 @@
+hancock
+=======
+
+It's like your [John Hancock][johnhancock] for all of your company's apps.  
+
+A lot of this is extracted from our internal single sign on server at [Engine
+Yard][ey].  We use a different [datamapper][datamapper] backend but it should
+be a great start for most people.
+
+Features
+========
+An [OpenID][openid] based [Single Sign On][sso] server that provides:
+
+* a single authoritative source for user authentication
+* a [whitelist][whitelist] for consumer applications
+* integration with the big ruby frameworks via [rack][hancock_examples].
+* configurable [sreg][sreg] parameters to consumers
+
+How it Works
+============
+![SSO Handshake](http://img.skitch.com/20090305-be6wwmbc4gfsi9euy3w7np31mm.jpg)
+
+This handshake seems kind of complex but it only happens when you need to
+validate a user session on the consumer.
+
+Your Rackup File
+================
+    #  thin start -p PORT -R config.ru
+    require 'rubygems'
+    gem 'sinatra', '~>0.9.1.1'
+    require 'hancock'
+    require 'sinatra/ditties'
+
+    DataMapper.setup(:default, "sqlite3:///#{Dir.pwd}/development.db")
+
+    Sinatra::Mailer.config = {
+      :host   => 'smtp.example.com',
+      :port   => '25',
+      :user   => 'sso',
+      :pass   => 'lolerskates',
+      :auth   => :plain # :plain, :login, :cram_md5, the default is no auth
+      :domain => "example.com" # the HELO domain provided by the client to the server
+    }
+
+    if ENV['MIGRATE_ME']
+        DataMapper.auto_migrate!
+        Hancock::Consumer.create(:url => 'http://localhost:3000/sso/login', :label => 'Local Dev', :internal => false)
+        Hancock::Consumer.create(:url => 'http://localhost:4000/sso/login', :label => 'Local Dev', :internal => false)
+        Hancock::Consumer.create(:url => 'http://localhost:5000/sso/login', :label => 'Local Dev', :internal => false)
+    end
+
+    class Dragon < Hancock::App
+      set :views,  'views'
+      set :public, 'public'
+      set :environment, :production
+
+      set :provider_name, 'Example SSO Provider'
+      set :do_not_reply, 'sso@atmos.org'
+
+      get '/' do
+        redirect '/sso/login' unless session[:user_id]
+        erb "<h2>Hello <%= session[:first_name] %><!-- <%= session.inspect %>"
+      end
+    end
+    run Dragon
+
+Installation
+============
+    % gem sources
+    *** CURRENT SOURCES ***
+
+    http://gems.rubyforge.org/
+    http://gems.engineyard.com
+    http://gems.github.com
+
+You need a few gems to function
+
+    % sudo gem install dm-core do_sqlite3
+    % sudo gem install sinatra guid rspec ruby-openid webrat
+
+Deployment Setup
+================
+You can deploy hancock on any rack compatible setup.  You need a database that
+datamapper can connect to.  Generate an example rackup file for yourself based
+on the example above.
+
+    % irb
+    >> require 'rubygems'
+    => false
+    >> require 'hancock'
+    => true
+    >> DataMapper.setup(:default, "sqlite3:///#{Dir.pwd}/development.db")
+    => #<DataMapper::Adapters::Sqlite3Adapter:0x1ae639c ...>
+    >> DataMapper.auto_migrate!
+    => [Hancock::User, Hancock::Consumer]
+
+Consult the datamapper documentation if you need to connect to something other
+than sqlite.  This runs the initial user migration to bootstrap your db.
+
+    >> Hancock::Consumer.create(:url => 'http://hr.example.com/sso/login', :label => 'Human Resources', :internal => true)
+    => #<Hancock::Consumer id=1 url="http://hr.example.com/sso/login" label="Human Resources" internal=true>
+
+This portion setup a consumer application that will be allowed access to the SSO
+server.  You need to explicitly add each application you wish to grant access to.
+
+On the horizon
+==============
+* signup with email based validation
+
+Possibilities
+=============
+* single sign off
+* some kinda awesome [oauth][oauth] hooks
+
+Sponsored By
+============
+* [Engine Yard][ey]
+
+[johnhancock]: http://www.urbandictionary.com/define.php?term=john+hancock
+[ey]: http://www.engineyard.com/
+[sr]: http://github.com/sr
+[atmos]: http://github.com/atmos
+[halorgium]: http://github.com/halorgium
+[adelcambre]: http://github.com/adelcambre
+[srfork]: http://github.com/sr/webrat/tree/sinatra
+[webrat]: http://github.com/brynary/webrat
+[hancock_examples]: http://github.com/atmos/hancock-client/tree/98aae96077a8fbfa0097f33ec3ecd628fc549c54/examples/dragon
+[datamapper]: http://datamapper.org
+[openid]: http://openid.net/
+[sso]: http://en.wikipedia.org/wiki/Single_sign-on
+[whitelist]: http://en.wikipedia.org/wiki/Whitelist
+[oauth]: http://oauth.net/
+[sreg]: http://openid.net/specs/openid-simple-registration-extension-1_0.html#response_format
+[simpledb]: http://aws.amazon.com/simpledb/

data/Rakefile

@@ -0,0 +1,72 @@
+require 'rubygems'
+require 'rake/gempackagetask'
+require 'rubygems/specification'
+require 'date'
+require 'spec/rake/spectask'
+require 'cucumber/rake/task'
+
+GEM = "hancock"
+GEM_VERSION = "0.0.2"
+AUTHOR = ["Corey Donohoe", "Tim Carey-Smith"]
+EMAIL = [ "atmos@atmos.org", "tim@spork.in" ]
+HOMEPAGE = "http://github.com/atmos/hancock"
+SUMMARY = "A gem that provides a Single Sign On server"
+
+spec = Gem::Specification.new do |s|
+  s.name = GEM
+  s.version = GEM_VERSION
+  s.platform = Gem::Platform::RUBY
+  s.has_rdoc = true
+  s.extra_rdoc_files = ["README.md", "LICENSE"]
+  s.summary = SUMMARY
+  s.description = s.summary
+  s.authors = AUTHOR
+  s.email = EMAIL
+  s.homepage = HOMEPAGE
+
+  # Uncomment this to add a dependency
+  s.add_dependency "dm-core", "~>0.9.10"
+  s.add_dependency "ruby-openid", "~>2.1.2"
+  s.add_dependency "sinatra", "~>0.9.1.1"
+  s.add_dependency "guid", "~>0.1.1"
+
+  s.require_path = 'lib'
+  s.autorequire = GEM
+  s.files = %w(LICENSE README.md Rakefile) + Dir.glob("{lib,spec}/**/*")
+end
+
+task :default => [:spec, :features]
+
+desc "Run specs"
+Spec::Rake::SpecTask.new do |t|
+  t.spec_files = FileList['spec/**/*_spec.rb']
+  t.spec_opts = %w(-fp --color)
+
+  t.rcov = true
+  t.rcov_opts << '--text-summary'
+  t.rcov_opts << '--sort' << 'coverage' << '--sort-reverse'
+  t.rcov_opts << '--exclude' << '.gem/,spec,examples'
+  #t.rcov_opts << '--only-uncovered'
+end
+
+Rake::GemPackageTask.new(spec) do |pkg|
+  pkg.gem_spec = spec
+end
+
+desc "create a gemspec file"
+task :make_spec do
+  File.open("#{GEM}.gemspec", "w") do |file|
+    file.puts spec.to_ruby
+  end
+end
+
+Cucumber::Rake::Task.new(:features) do |t|
+  t.libs << 'lib'
+  t.cucumber_opts = "--format pretty"
+  t.step_list    = 'spec/features/**/*.rb'
+  t.feature_list = 'spec/features/**/*.feature'
+  t.rcov = true
+  t.rcov_opts << '--text-summary'
+  t.rcov_opts << '--sort' << 'coverage' << '--sort-reverse'
+  t.rcov_opts << '--exclude' << '.gem/,spec,examples'
+end

data/lib/hancock.rb

@@ -0,0 +1,47 @@
+require 'rubygems'
+
+gem 'dm-core', '~>0.9.10'
+require 'dm-core'
+require 'dm-validations'
+require 'dm-timestamps'
+
+gem 'ruby-openid', '~>2.1.2'
+require 'openid'
+require 'openid/store/filesystem'
+require 'openid/extensions/sreg'
+
+gem 'sinatra', '~>0.9.1.1'
+require 'sinatra/base'
+
+gem 'sinatra-ditties', '~>0.0.3'
+require 'sinatra/ditties'
+
+gem 'guid', '~>0.1.1'
+require 'guid'
+
+module Hancock; end
+
+require File.expand_path(File.dirname(__FILE__)+'/models/user')
+require File.expand_path(File.dirname(__FILE__)+'/models/consumer')
+require File.expand_path(File.dirname(__FILE__)+'/sinatra/hancock/defaults')
+require File.expand_path(File.dirname(__FILE__)+'/sinatra/hancock/sessions')
+require File.expand_path(File.dirname(__FILE__)+'/sinatra/hancock/users')
+require File.expand_path(File.dirname(__FILE__)+'/sinatra/hancock/openid_server')
+
+module Hancock
+  class ConfigurationError < StandardError; end
+
+  class App < Sinatra::Default
+    enable :sessions
+
+    set :sreg_params, [:email, :first_name, :last_name, :internal]
+    set :provider_name, 'Hancock SSO Provider!'
+    set :do_not_reply, nil
+
+    register Sinatra::Hancock::Defaults
+    register Sinatra::Hancock::Sessions
+    register Sinatra::Hancock::Users
+    register Sinatra::Hancock::OpenIDServer
+  end
+end
+

data/lib/models/consumer.rb

@@ -0,0 +1,24 @@
+class Hancock::Consumer
+  include DataMapper::Resource
+
+  property :id,           Serial
+  property :url,          String,  :nullable => false, :unique => true, :unique_index => true, :length => 1024
+  property :label,        String,  :nullable => true,  :default => nil
+  property :internal,     Boolean, :nullable => false, :defalut  => false
+
+  def self.allowed?(host)
+    !first(:url => host).nil?
+  end
+
+  def self.visible
+    all(:internal => false).select do |c|
+      c.label
+    end
+  end
+
+  def self.internal
+    all(:internal => true).select do |c|
+      c.label
+    end
+  end
+end

data/lib/models/user.rb

@@ -0,0 +1,63 @@
+class Hancock::User
+  include DataMapper::Resource
+
+  property :id,               Serial
+  property :first_name,       String
+  property :last_name,        String
+  property :email,            String, :unique => true, :unique_index => true
+  property :internal,         Boolean, :default => false
+
+  property :salt,             String
+  property :crypted_password, String
+
+  property :enabled,          Boolean, :default => false
+  property :access_token,     String
+
+  attr_accessor :password, :password_confirmation
+
+  def reset_access_token
+    @access_token = Digest::SHA1.hexdigest(Guid.new.to_s)
+  end
+
+  def authenticated?(password)
+    crypted_password == encrypt(password)
+  end
+
+  def encrypt(password)
+    self.class.encrypt(password, salt)
+  end
+
+  def password_required?
+    crypted_password.blank? || !password.blank?
+  end
+
+  def encrypt_password
+    return if password.blank?
+    @salt = Digest::SHA1.hexdigest("--#{Guid.new.to_s}}--email--") if new_record?
+    @crypted_password = encrypt(password)
+  end
+
+  validates_present        :password, :if => proc{|m| m.password_required?}
+  validates_is_confirmed   :password, :if => proc{|m| m.password_required?}
+
+  before :save,   :encrypt_password
+  before :save,   :reset_access_token
+
+  def self.encrypt(password, salt)
+    Digest::SHA1.hexdigest("--#{salt}--#{password}--")
+  end
+
+  def self.signup(params)
+    seed = Guid.new.to_s
+    new(:email                 => params['email'],
+        :first_name            => params['first_name'],
+        :last_name             => params['last_name'],
+        :password              => Digest::SHA1.hexdigest(seed),
+        :password_confirmation => Digest::SHA1.hexdigest(seed))
+  end
+
+  def self.authenticate(email, password)
+    u = first(:email => email)
+    u && u.authenticated?(password) && u.enabled ? u : nil
+  end
+end

data/lib/sinatra/hancock/defaults.rb

@@ -0,0 +1,25 @@
+module Sinatra
+  module Hancock
+    module Defaults
+      module Helpers
+        def forbidden!
+          throw :halt, [403, 'Forbidden']
+        end
+
+        def absolute_url(suffix = nil)
+          port_part = case request.scheme
+                      when "http"
+                        request.port == 80 ? "" : ":#{request.port}"
+                      when "https"
+                        request.port == 443 ? "" : ":#{request.port}"
+                      end
+          "#{request.scheme}://#{request.host}#{port_part}#{suffix}"
+        end
+      end
+      def self.registered(app)
+        app.helpers Helpers
+      end
+    end
+  end
+  register Hancock::Defaults
+end

data/lib/sinatra/hancock/openid_server.rb

@@ -0,0 +1,96 @@
+module Sinatra
+  module Hancock
+    module OpenIDServer
+      def self.openid_server_template(file, suffix = 'erb')
+        template = File.expand_path(File.dirname(__FILE__)+'/views/openid_server')
+        File.read("#{template}/#{file}.#{suffix}")
+      end
+      module Helpers
+        def server
+          if @server.nil?
+            server_url = absolute_url('/sso')
+            dir = File.join(Dir.tmpdir, 'openid-store')
+            store = OpenID::Store::Filesystem.new(dir)
+            @server = OpenID::Server::Server.new(store, server_url)
+          end
+          return @server
+        end
+
+        def url_for_user
+          absolute_url("/sso/users/#{session_user.id}")
+        end
+
+        def render_response(oidresp)
+          if oidresp.needs_signing
+            signed_response = server.signatory.sign(oidresp)
+          end
+          web_response = server.encode_response(oidresp)
+
+          case web_response.code
+          when 302
+            session.delete(:return_to)
+            redirect web_response.headers['location']
+          else
+            web_response.body
+          end
+        end
+      end
+
+      def self.registered(app)
+        app.send(:include, Sinatra::Hancock::OpenIDServer::Helpers)
+
+        app.template(:yadis) { openid_server_template('yadis') }
+
+        app.get '/sso/xrds' do
+          response.headers['Content-Type'] = 'application/xrds+xml'
+          @types = [ OpenID::OPENID_IDP_2_0_TYPE ]
+          erb :yadis, :layout => false
+        end
+
+        app.get '/sso/users/:id' do
+          @types = [ OpenID::OPENID_2_0_TYPE, OpenID::SREG_URI ]
+          response.headers['Content-Type'] = 'application/xrds+xml'
+          response.headers['X-XRDS-Location'] = absolute_url("/sso/users/#{params['id']}")
+
+          erb :yadis, :layout => false
+        end
+
+        [:get, :post].each do |meth|
+          app.send(meth, '/sso') do
+            begin
+              oidreq = server.decode_request(params)
+            rescue OpenID::Server::ProtocolError => e
+              oidreq = session[:last_oidreq]
+            end
+            throw(:halt, [400, 'Bad Request']) unless oidreq
+
+            oidresp = nil
+            if oidreq.kind_of?(OpenID::Server::CheckIDRequest)
+              session[:last_oidreq] = oidreq
+              session[:return_to] = absolute_url('/sso')
+
+              ensure_authenticated
+              unless oidreq.identity == url_for_user
+                forbidden!
+              end
+              forbidden! unless ::Hancock::Consumer.allowed?(oidreq.trust_root) 
+
+              oidresp = oidreq.answer(true, nil, oidreq.identity)
+              sreg_data = {
+                'last_name'  => session_user.last_name,
+                'first_name' => session_user.first_name,
+                'email'      => session_user.email
+              }
+              sregresp = OpenID::SReg::Response.new(sreg_data)
+              oidresp.add_extension(sregresp)
+            else
+              oidresp = server.handle_request(oidreq) #associate and more?
+            end
+            render_response(oidresp)
+          end
+        end
+      end
+    end
+  end
+  register Hancock::OpenIDServer
+end

data/lib/sinatra/hancock/sessions.rb

@@ -0,0 +1,53 @@
+module Sinatra
+  module Hancock
+    module Sessions
+      def self.sessions_template(file)
+        template = File.expand_path(File.dirname(__FILE__)+'/views/sessions')
+        File.read("#{template}/#{file}.haml")
+      end
+
+      module Helpers
+        def session_user
+          session['user_id'].nil? ? nil : ::Hancock::User.get(session['user_id'])
+        end
+
+        def ensure_authenticated
+          if trust_root = session['return_to'] || params['return_to']
+            if ::Hancock::Consumer.allowed?(trust_root)
+              if session_user
+                redirect "#{trust_root}?id=#{session_user.id}"
+              else
+                session['return_to'] = trust_root
+              end
+            else
+              throw(:halt, [403, 'Forbidden'])
+            end
+          end
+          throw(:halt, [401, haml(:unauthenticated)]) unless session_user
+        end
+      end
+
+      def self.registered(app)
+        app.send(:include, Sinatra::Hancock::Sessions::Helpers)
+        app.template(:unauthenticated) { sessions_template('unauthenticated') }
+        app.get '/sso/login' do
+          ensure_authenticated
+        end
+        app.post '/sso/login' do
+          @user = ::Hancock::User.authenticate(params['email'], params['password'])
+          if @user
+            session['user_id'] = @user.id
+          end
+          ensure_authenticated
+          redirect session['return_to'] || '/'
+        end
+
+        app.get '/sso/logout' do
+          session.clear
+          redirect '/'
+        end
+      end
+    end
+  end
+  register Hancock::Sessions
+end

data/lib/sinatra/hancock/users.rb

@@ -0,0 +1,79 @@
+module Sinatra
+  module Hancock
+    module Users
+      def self.users_template(file)
+        template = File.expand_path(File.dirname(__FILE__)+'/views/users')
+        File.read("#{template}/#{file}.haml")
+      end
+
+      module Helpers
+        def user_by_token(token)
+          user = ::Hancock::User.first(:access_token => token)
+          throw(:halt, [400, 'BadRequest']) unless user
+          session['user_id'] = user.id
+          user
+        end
+
+        def signup_email
+          <<-HAML
+Hello #{@user.first_name},
+
+Thanks for signing up for #{::Hancock::App.provider_name}!  In order to 
+complete your registration you will need to click on the following link.
+
+#{@registration_url}
+
+Thanks,
+The #{::Hancock::App.provider_name} team
+#{absolute_url('/')}
+HAML
+        end
+      end
+
+      def self.registered(app)
+        app.helpers Helpers
+        app.helpers Sinatra::Mailer
+
+        app.template(:signup_confirmation) { users_template('signup_confirmation') }
+        app.template(:signup_form) { users_template('signup_form') }
+        app.template(:register_form) { users_template('register_form') }
+
+        app.get '/sso/register/:token' do
+          user_by_token(params['token'])
+          haml :register_form
+        end
+
+        app.post '/sso/register/:token' do
+          user = user_by_token(params['token'])
+          user.update_attributes(:enabled => true,
+                                 :access_token => nil,
+                                 :password => params['password'],
+                                 :password_confirmation => params['password_confirmation'])
+          destination = session.delete('return_to') || '/'
+          session.reject! { |key,value| key != 'user_id' }
+          redirect destination
+        end
+
+        app.get '/sso/signup' do
+          haml :signup_form
+        end
+
+        app.post '/sso/signup' do
+          @user = ::Hancock::User.signup(params)
+          from = options.do_not_reply
+
+          if @user.save
+            raise ::Hancock::ConfigurationError.new("You need to define options.do_not_reply") unless from
+            @registration_url = absolute_url("/sso/register/#{@user.access_token}")
+            email :to      => @user.email,
+                  :from    => from,
+                  :subject => "Welcome to #{::Hancock::App.provider_name}!",
+                  :body    => haml(signup_email)
+          end
+          haml :signup_confirmation
+        end
+      end
+    end
+  end
+  register Hancock::Users
+end

data/lib/sinatra/hancock/views/openid_server/yadis.erb

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<xrds:XRDS
+    xmlns:xrds="xri://$xrds"
+    xmlns="xri://$xrd*($v*2.0)">
+  <XRD>
+    <Service priority="0">
+      <% @types.each do |typ| %>
+        <Type><%= typ %></Type>
+      <% end %>
+      <URI><%= absolute_url('/sso') %></URI>
+    </Service>
+  </XRD>
+</xrds:XRDS>

data/lib/sinatra/hancock/views/sessions/unauthenticated.haml

@@ -0,0 +1,14 @@
+%fieldset
+  %legend You need to log in, buddy.
+  %form{:action => '/sso/login', :method => 'POST'}
+    %label{:for => 'email'} 
+      Email:
+      %input{:type => 'text', :name => 'email'}
+      %br
+    %label{:for => 'password'} 
+      Password:
+      %input{:type => 'password', :name => 'password'}
+      %br
+    %input{:type => 'submit', :value => 'Login'}
+    or
+    %a{:href => '/sso/signup'} Signup

data/lib/sinatra/hancock/views/users/register_form.haml

@@ -0,0 +1,12 @@
+%fieldset
+  %legend Enter your new password
+  %form{:action => "/sso/register/#{params['token']}", :method => 'POST'}
+    %label{:for => 'password'} 
+      Password:
+      %input{:type => 'password', :name => 'password'}
+      %br
+    %label{:for => 'password_confirmation'} 
+      Password(Again):
+      %input{:type => 'password', :name => 'password_confirmation'}
+      %br
+    %input{:type => 'submit', :value => 'Am I Done Yet?'}

data/lib/sinatra/hancock/views/users/signup_confirmation.haml

@@ -0,0 +1,13 @@
+- if @user.valid?
+  %h3 Success!
+  %p Check your email and you'll see a registration link!
+  - if Hancock::App.environment == :development
+    /
+      %a{:href => absolute_url("/sso/register/#{@user.access_token}")} Clicky Clicky
+- else
+  %h3 Signup Failed
+  #errors
+    - @user.errors.each do |message|
+      %p= message
+  %p
+    %a{:href => '/sso/signup'} Try Again?