has_global_session 0.8.1 → 0.8.2

data/has_global_session.gemspec

@@ -7,17 +7,18 @@ spec = Gem::Specification.new do |s|
   s.required_ruby_version = Gem::Requirement.new(">= 1.8.7")
 
   s.name    = 'has_global_session'
-  s.version = '0.8.1'
-  s.date    = '2010-06-01'
+  s.version = '0.8.2'
+  s.date    = '2010-06-09'
 
   s.authors = ['Tony Spataro']
   s.email   = 'code@tracker.xeger.net'
   s.homepage= 'http://github.com/xeger/has_global_session'
   
   s.summary = %q{Secure single-domain session sharing plugin for Rails.}
-  s.description = %q{This Rails plugin allows several Rails web apps that share the same back-end user database to share session state in a cryptographically secure way, facilitating single sign-on in a distributed web app. It only provides session sharing and does not concern itself with authentication or replication of the user database.}
+  s.description = %q{This plugin for Rails allows several web apps in an authentication domain to share session state, facilitating single sign-on in a distributed web app. It only provides session sharing and does not concern itself with authentication or replication of the user database.}
 
   s.add_runtime_dependency('uuidtools', [">= 1.0.7"])
+  s.add_runtime_dependency('json', [">= 1.1.7"])
 
   basedir = File.dirname(__FILE__)
   candidates = ['has_global_session.gemspec', 'init.rb', 'MIT-LICENSE', 'README.rdoc'] +

data/init.rb

@@ -1,4 +1,4 @@
-# Stub to invoke real init.rb when HasGlobalSession is installed as a Rails
-# plugin.
+# Stub to invoke real init.rb when HasGlobalSession is installed as a vendored
+# Rails plugin.
 basedir = File.dirname(__FILE__)
 require File.join(basedir, 'rails', 'init')

data/lib/has_global_session/directory.rb

@@ -23,6 +23,12 @@ module HasGlobalSession
       end
     end
 
+    def trusted_authority?(authority)
+      Configuration['trust'].blank? ||
+      authority == my_authority_name ||
+      Configuration['trust'].include?(authority)      
+    end
+
     def invalidated_session?(uuid)
       false
     end

data/lib/has_global_session/global_session.rb

@@ -18,7 +18,7 @@ module HasGlobalSession
         #User presented us with a cookie; let's decrypt and verify it
         zbin = Base64.decode64(cookie)
         json = Zlib::Inflate.inflate(zbin)
-        hash = ActiveSupport::JSON.decode(json)
+        hash = JSON.load(json)
         @id         = hash['id']
         @created_at = Time.at(hash['tc'].to_i)
         @expires_at = Time.at(hash['te'].to_i)
@@ -31,14 +31,13 @@ module HasGlobalSession
         expected = digest(hash)
         signer   = @directory.authorities[@authority]
         raise SecurityError, "Unknown signing authority #{@authority}" unless signer
+
         got      = signer.public_decrypt(Base64.decode64(@signature))
         unless (got == expected)
           raise SecurityError, "Signature mismatch on global session cookie; tampering suspected"
         end
 
-        unless Configuration['trust'].blank? ||
-               @authority = @directory.my_authority_name ||
-               Configuration['trust'].include?(@authority)
+        unless @directory.trusted_authority?(@authority)
           raise SecurityError, "Global sessions created by #{@authority} are not trusted"
         end
 
@@ -49,7 +48,15 @@ module HasGlobalSession
       else
         @signed          = {}
         @insecure        = {}
-        @id              = UUID.timestamp_create.to_s
+
+        if defined?(::UUIDTools) # UUIDTools v2
+          @id = ::UUIDTools::UUID.timestamp_create.to_s
+        elsif defined?(::UUID)   # UUIDTools v1
+          @id = ::UUID.timestamp_create.to_s
+        else
+          raise TypeError, "Neither UUIDTools nor UUID defined; unsupported UUIDTools version?"
+        end
+
         @created_at      = Time.now.utc
         @authority       = @directory.my_authority_name
         renew!
@@ -88,7 +95,7 @@ module HasGlobalSession
 
       hash['s'] = signature
       hash['a'] = authority
-      json = hash.to_json #ActiveSupport::JSON.encode(hash) -- why does this expect Data sometimes?!
+      json = hash.to_json
       zbin = Zlib::Deflate.deflate(json, Zlib::BEST_COMPRESSION)
       return Base64.encode64(zbin)
     end
@@ -143,21 +150,21 @@ module HasGlobalSession
     private
 
     def digest(input)
-      canonical = ActiveSupport::JSON.encode(canonicalize(input))
+      canonical = canonicalize(input).to_json
       return Digest::SHA1.new().update(canonical).hexdigest
     end
 
     def canonicalize(input)
       case input
         when Hash
-          output = ActiveSupport::OrderedHash.new
+          output = Array.new
           ordered_keys = input.keys.sort
           ordered_keys.each do |key|
-            output[canonicalize(key)] = canonicalize(input[key])
+            output << [ canonicalize(key), canonicalize(input[key]) ]
           end
         when Array
           output = input.collect { |x| canonicalize(x) }
-        when Numeric, String, ActiveSupport::OrderedHash
+        when Numeric, String
           output = input
         else
           raise TypeError, "Objects of type #{input.class.name} cannot be serialized in the global session"
@@ -166,4 +173,4 @@ module HasGlobalSession
       return output
     end
   end  
-end
+end

data/rails/action_controller_instance_methods.rb

@@ -3,28 +3,25 @@ module HasGlobalSession
     def global_session
       return @global_session if @global_session
 
-      begin
-        if (klass = Configuration['directory'])
-          klass = klass.constantize
-        else
-          klass = Directory
-        end
+      if (klass = Configuration['directory'])
+        klass = klass.constantize
+      else
+        klass = Directory
+      end
 
-        directory = klass.new(File.join(RAILS_ROOT, 'config', 'authorities'))
-        cookie = cookies[Configuration['cookie']['name']]
+      directory = klass.new(File.join(RAILS_ROOT, 'config', 'authorities'))
+      cookie_name = Configuration['cookie']['name'] 
+      cookie      = cookies[cookie_name]
 
-        begin
-          #unserialize the global session from the cookie, or
-          #initialize a new global session if cookie == nil
-          @global_session = GlobalSession.new(directory, cookie)
-        rescue SessionExpired
-          #if the cookie is present but expired, silently
-          #initialize a new global session
-          @global_session = GlobalSession.new(directory)
-        end
+      begin
+        #unserialize the global session from the cookie, or
+        #initialize a new global session if cookie == nil
+        @global_session = GlobalSession.new(directory, cookie)
       rescue Exception => e
-        cookies.delete Configuration['cookie']['name']
-        raise e
+        #silently recover from any error by initializing a new global session;
+        #the new session will be unauthenticated.
+        #TODO log the error
+        @global_session = GlobalSession.new(directory)
       end
     end
 
@@ -36,18 +33,16 @@ module HasGlobalSession
     end
 
     def global_session_update_cookie
-      if @global_session
-        if @global_session.expired?
-          options = {:value   => nil,
-                     :domain  => Configuration['cookie']['domain'],
-                     :expires => Time.at(0)}
-        else
-          options = {:value   => @global_session.to_s,
-                     :domain  => Configuration['cookie']['domain'],
-                     :expires => @global_session.expires_at}
-        end
+      return unless @global_session
 
-        cookies[Configuration['cookie']['name']] = options
+      cookie_name = Configuration['cookie']['name']
+      if @global_session.expired?
+        cookies.delete cookie_name
+      else
+        options = {:value   => @global_session.to_s,
+                   :domain  => Configuration['cookie']['domain'],
+                   :expires => @global_session.expires_at}
+        cookies[cookie_name] = options
       end
     end
 

data/rails/init.rb

@@ -18,4 +18,4 @@ if File.exist?(config_file)
       after_filter  :global_session_update_cookie
     end
   end
-end
+end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: has_global_session
 version: !ruby/object:Gem::Version 
-  hash: 61
+  hash: 59
   prerelease: false
   segments: 
   - 0
   - 8
-  - 1
-  version: 0.8.1
+  - 2
+  version: 0.8.2
 platform: ruby
 authors: 
 - Tony Spataro
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-06-01 00:00:00 -07:00
+date: 2010-06-09 00:00:00 -07:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -34,7 +34,23 @@ dependencies:
         version: 1.0.7
   type: :runtime
   version_requirements: *id001
-description: This Rails plugin allows several Rails web apps that share the same back-end user database to share session state in a cryptographically secure way, facilitating single sign-on in a distributed web app. It only provides session sharing and does not concern itself with authentication or replication of the user database.
+- !ruby/object:Gem::Dependency 
+  name: json
+  prerelease: false
+  requirement: &id002 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ">="
+      - !ruby/object:Gem::Version 
+        hash: 29
+        segments: 
+        - 1
+        - 1
+        - 7
+        version: 1.1.7
+  type: :runtime
+  version_requirements: *id002
+description: This plugin for Rails allows several web apps in an authentication domain to share session state, facilitating single sign-on in a distributed web app. It only provides session sharing and does not concern itself with authentication or replication of the user database.
 email: code@tracker.xeger.net
 executables: []
 
@@ -47,10 +63,6 @@ files:
 - README.rdoc
 - has_global_session.gemspec
 - init.rb
-- lib/generators/global_session_authority/global_session_authority_generator.rb
-- lib/generators/global_session_config/USAGE
-- lib/generators/global_session_config/global_session_config_generator.rb
-- lib/generators/global_session_config/templates/global_session.yml.erb
 - lib/has_global_session.rb
 - lib/has_global_session/configuration.rb
 - lib/has_global_session/directory.rb

data/lib/generators/global_session_authority/global_session_authority_generator.rb

@@ -1,32 +0,0 @@
-class GlobalSessionAuthorityGenerator < Rails::Generator::Base
-  def initialize(runtime_args, runtime_options = {})
-    super
-
-    @app_name  = File.basename(RAILS_ROOT)
-    @auth_name = args.shift
-    raise ArgumentError, "Must specify name for global session authority, e.g. 'mycoolapp'" unless @auth_name
-  end
-
-  def manifest
-    record do |m|
-      new_key     = OpenSSL::PKey::RSA.generate( 1024 )
-      new_public  = new_key.public_key.to_pem
-      new_private = new_key.to_pem
-
-      dest_dir = File.join(RAILS_ROOT, 'config', 'authorities')
-      FileUtils.mkdir_p(dest_dir)
-
-      File.open(File.join(dest_dir, @auth_name + ".pub"), 'w') do |f|
-        f.puts new_public
-      end
-
-      File.open(File.join(dest_dir, @auth_name + ".key"), 'w') do |f|
-        f.puts new_private
-      end
-
-      puts "***"
-      puts "*** Don't forget to delete config/authorities/#{@auth_name}.key"
-      puts "***"
-    end
-  end
-end

data/lib/generators/global_session_config/USAGE

@@ -1,2 +0,0 @@
-./script/generate global_session config <DNS domain for cookie>
-./script/generate global_session authority <name of authority>

data/lib/generators/global_session_config/global_session_config_generator.rb

@@ -1,19 +0,0 @@
-class GlobalSessionConfigGenerator < Rails::Generator::Base
-  def initialize(runtime_args, runtime_options = {})
-    super
-
-    @app_name   = File.basename(RAILS_ROOT)
-    @app_domain = args.shift
-    raise ArgumentError, "Must specify DNS domain for global session cookie, e.g. 'example.com'" unless @app_domain
-  end
-
-  def manifest
-    record do |m|
-      
-      m.template 'global_session.yml.erb',
-                 'config/global_session.yml',
-                 :assigns=>{:app_name=>@app_name,
-                            :app_domain=>@app_domain}
-    end
-  end
-end

data/lib/generators/global_session_config/templates/global_session.yml.erb

@@ -1,42 +0,0 @@
-# Common settings of the global session (that apply to all Rails environments)
-# are listed here. These may be overidden in the environment-specific section.
-common:
-  attributes:
-    # Signed attributes of the global session
-    signed:
-    - user
-    # Untrusted attributes of the global session
-    insecure:
-    - account
-  # Enable local session integration in order to use the ActionController
-  # method #session to access both local AND global session state, with
-  # global attributes always taking precedence over local attributes.
-  integrated: true
-
-# Test/spec runs
-test:
-  timeout: 900
-  cookie:
-    name: __<%= app_name %>_test
-    domain: localhost
-  trust:
-  - test
-
-# Development mode
-development:
-  timeout: 3600
-  cookie:
-    name: __<%= app_name %>_development
-    domain: localhost
-  trust:
-  - development
-  - production
-
-# Production mode
-production:
-  timeout: 3600
-  cookie:
-    name: __<%= app_name %>_global
-    domain: <%= app_domain %>
-  trust:
-  - production