hone-lockdown 1.2.1

data/lib/lockdown/frameworks/rails.rb

@@ -0,0 +1,105 @@
+require File.join(File.dirname(__FILE__), "rails", "controller")
+require File.join(File.dirname(__FILE__), "rails", "view")
+
+module Lockdown
+  module Frameworks
+    module Rails
+      class << self
+        def use_me?
+          Object.const_defined?("ActionController") && ActionController.const_defined?("Base")
+        end
+
+        def included(mod)
+          mod.extend Lockdown::Frameworks::Rails::Environment
+          mixin
+        end
+        
+        def mixin
+          mixin_controller
+
+          Lockdown.view_helper.class_eval do
+            include Lockdown::Frameworks::Rails::View
+          end
+
+          Lockdown::System.class_eval do 
+            extend Lockdown::Frameworks::Rails::System
+          end
+        end
+
+        def mixin_controller(klass = Lockdown.controller_parent)
+          klass.class_eval do
+            include Lockdown::Session
+            include Lockdown::Frameworks::Rails::Controller::Lock
+          end
+
+          klass.helper_method :authorized?
+
+          klass.hide_action(:set_current_user, :configure_lockdown, :check_request_authorization)
+
+          klass.before_filter do |c|
+            c.set_current_user
+            c.configure_lockdown
+            c.check_request_authorization
+            c.check_model_authorization
+          end
+
+          klass.filter_parameter_logging :password, :password_confirmation
+      
+          klass.rescue_from SecurityError, :with => proc{|e| access_denied(e)}
+        end
+      end # class block
+
+      module Environment
+
+        def project_root
+          ::RAILS_ROOT
+        end
+
+        def init_file
+          "#{project_root}/lib/lockdown/init.rb"
+        end
+
+        def view_helper
+          ::ActionView::Base 
+        end
+
+        # cache_classes is true in production and testing, need to
+        # modify the ApplicationController 
+        def controller_parent
+          if ::Rails.configuration.cache_classes
+            ApplicationController
+          else
+            ActionController::Base
+          end
+        end
+
+        # cache_classes is true in production and testing, need to
+        # do an instance eval instead
+        def add_controller_method(code)
+          Lockdown.controller_parent.class_eval code, __FILE__,__LINE__ +1
+        end
+
+        def controller_class_name(str)
+          str = "#{str}Controller"
+          if str.include?("__")
+            str.split("__").collect{|p| Lockdown.camelize(p)}.join("::")
+          else
+            Lockdown.camelize(str)
+          end
+        end
+
+        def fetch_controller_class(str)
+          eval("::#{controller_class_name(str)}")
+        end
+      end
+
+      module System
+        include Lockdown::Frameworks::Rails::Controller
+
+        def skip_sync?
+          Lockdown::System.fetch(:skip_db_sync_in).include?(ENV['RAILS_ENV'])
+        end
+      end # System
+    end # Rails
+  end # Frameworks
+end # Lockdown

data/lib/lockdown/frameworks/rails/controller.rb

@@ -0,0 +1,163 @@
+module Lockdown
+  module Frameworks
+    module Rails
+      module Controller
+        
+        def available_actions(klass)
+          klass.action_methods
+        end
+
+        def controller_name(klass)
+          klass.controller_name
+        end
+
+        # Locking methods
+        module Lock
+
+          def configure_lockdown
+            check_session_expiry
+            store_location
+          end
+
+          # Basic auth functionality needs to be reworked as 
+          # Lockdown doesn't provide authentication functionality.
+          def set_current_user
+            #login_from_basic_auth? unless logged_in?
+            if logged_in?
+              Thread.current[:who_did_it] = Lockdown::System.
+                call(self, :who_did_it)
+            end
+          end
+
+          def check_request_authorization
+            unless authorized?(path_from_hash(params))
+              raise SecurityError, "Authorization failed! \nparams: #{params.inspect}\nsession: #{session.inspect}"
+            end
+          end
+
+          protected 
+  
+          def path_allowed?(url)
+            session[:access_rights] ||= Lockdown::System.public_access
+#
+# If it isn't in the list of non-nested url's,
+# try matching the allowed path with /controller_name/nnn/ tacked onto the front
+#
+            if ret = session[:access_rights].include?(url)
+              return ret
+            else
+             return !session[:access_rights].detect { |v| url =~ /\/\w+\/\d+\/#{v}/ }.nil?
+            end
+          end
+    
+          def check_session_expiry
+            if session[:expiry_time] && session[:expiry_time] < Time.now
+              nil_lockdown_values
+              Lockdown::System.call(self, :session_timeout_method)
+            end
+            session[:expiry_time] = Time.now + Lockdown::System.fetch(:session_timeout)
+          end
+          
+          def store_location
+            if (request.method == :get) && (session[:thispage] != sent_from_uri)
+              session[:prevpage] = session[:thispage] || ''
+              session[:thispage] = sent_from_uri
+            end
+          end
+
+          def sent_from_uri
+            request.request_uri
+          end
+      
+          def authorized?(url, method = nil)
+            return false unless url
+
+            return true if current_user_is_admin?
+
+            method ||= (params[:method] || request.method)
+
+            url_parts = URI::split(url.strip)
+
+            path = url_parts[5]
+
+            return true if path_allowed?(path)
+
+            begin
+              hash = ActionController::Routing::Routes.recognize_path(path, :method => method)
+              return path_allowed?(path_from_hash(hash)) if hash
+            rescue Exception => e
+              # continue on
+            end
+
+            # Mailto link
+            return true if url =~ /^mailto:/
+
+            # Public file
+            file = File.join(RAILS_ROOT, 'public', url)
+            return true if File.exists?(file)
+
+            # Passing in different domain
+            return remote_url?(url_parts[2])
+          end
+    
+          def access_denied(e)
+
+            RAILS_DEFAULT_LOGGER.info "Access denied: #{e}"
+
+            if Lockdown::System.fetch(:logout_on_access_violation)
+              reset_session
+            end
+            respond_to do |format|
+              format.html do
+                store_location
+                redirect_to Lockdown::System.fetch(:access_denied_path)
+                return
+              end
+              format.xml do
+                headers["Status"] = "Unauthorized"
+                headers["WWW-Authenticate"] = %(Basic realm="Web Password")
+                render :text => e.message, :status => "401 Unauthorized"
+                return
+              end
+            end
+          end
+
+          def path_from_hash(hash)
+            hash[:controller].to_s + "/" + hash[:action].to_s
+          end
+
+          def remote_url?(domain = nil)
+            return false if domain.nil? || domain.strip.length == 0
+            request.host.downcase != domain.downcase
+          end
+
+          def redirect_back_or_default(default)
+            if session[:prevpage].nil? || session[:prevpage].blank?
+              redirect_to(default) 
+            else
+              redirect_to(session[:prevpage])
+            end
+          end
+  
+          # Called from current_user.  Now, attempt to login by
+          # basic authentication information.
+          def login_from_basic_auth?
+            username, passwd = get_auth_data
+            if username && passwd
+              set_session_user ::User.authenticate(username, passwd)
+            end
+          end
+
+          @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
+          # gets BASIC auth info
+          def get_auth_data
+            auth_key  = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
+            auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
+            return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil] 
+          end
+        end # Lock
+      end # Controller
+    end # Rails
+  end # Frameworks
+end # Lockdown
+

data/lib/lockdown/frameworks/rails/view.rb

@@ -0,0 +1,50 @@
+module Lockdown
+  module Frameworks
+    module Rails
+      module View
+        def self.included(base)
+          base.class_eval do
+            alias_method :link_to_open, :link_to
+            alias_method :link_to, :link_to_secured
+
+            alias_method :button_to_open, :button_to
+            alias_method :button_to, :button_to_secured
+          end
+        end
+    
+        def link_to_secured(name, options = {}, html_options = nil)
+          url = url_for(options)
+
+          method = html_options ? html_options[:method] : :get
+
+          if authorized?(url, method)
+            return link_to_open(name, url, html_options)
+          end
+          return ""
+        end
+
+        def button_to_secured(name, options = {}, html_options = nil)
+          url = url_for(options)
+
+          method = html_options ? html_options[:method] : :get
+
+          if authorized?(url, method)
+            return button_to_open(name, url, html_options)
+          end
+          return ""
+        end
+
+        def link_to_or_show(name, options = {}, html_options = nil)
+          lnk = link_to(name, options, html_options)
+          lnk.length == 0 ? name : lnk
+        end
+
+        def links(*lis)
+          rvalue = []
+          lis.each{|link| rvalue << link if link.length > 0 }
+          rvalue.join( Lockdown::System.fetch(:link_separator) )
+        end
+      end # View
+    end # Rails
+  end # Frameworks
+end # Lockdown

data/lib/lockdown/helper.rb

@@ -0,0 +1,101 @@
+module Lockdown
+  module Helper
+    def class_name_from_file(str)
+      str.split(".")[0].split("/").collect{|s| camelize(s) }.join("::")
+    end
+
+    # If str_sym is a Symbol (:users), return "Users"
+    # If str_sym is a String ("Users"), return :users
+    def convert_reference_name(str_sym)
+      if str_sym.is_a?(Symbol)
+        titleize(str_sym)
+      else
+        underscore(str_sym).tr(' ','_').to_sym
+      end
+    end
+
+    def user_group_class
+      eval(Lockdown::System.fetch(:user_group_model))
+    end
+
+    def user_groups_hbtm_reference
+      underscore(Lockdown::System.fetch(:user_group_model)).pluralize.to_sym
+    end
+
+    def user_group_id_reference
+      underscore(Lockdown::System.fetch(:user_group_model)) + "_id"
+    end
+
+    def user_class
+      eval(Lockdown::System.fetch(:user_model))
+    end
+
+    def users_hbtm_reference
+      underscore(Lockdown::System.fetch(:user_model)).pluralize.to_sym
+    end
+
+    def user_id_reference
+      underscore(Lockdown::System.fetch(:user_model)) + "_id"
+    end
+
+    def get_string(value)
+      if value.respond_to?(:name)
+        string_name(value.name)
+      else
+        string_name(value)
+      end
+    end
+
+    def get_symbol(value)
+      if value.respond_to?(:name)
+        symbol_name(value.name)
+      elsif value.is_a?(String)
+        symbol_name(value)
+      else
+        value
+      end
+    end
+
+    def camelize(str)
+      str.to_s.gsub(/\/(.?)/) { "::" + $1.upcase }.gsub(/(^|_)(.)/) { $2.upcase }
+    end
+
+    def random_string(len = 10)
+      chars = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
+      Array.new(len){||chars[rand(chars.size)]}.join
+    end
+
+    def administrator_group_string
+      string_name(administrator_group_symbol)
+    end
+
+    def administrator_group_symbol
+      :administrators
+    end
+
+    private
+
+    def string_name(str_sym)
+      str_sym.is_a?(Symbol) ? convert_reference_name(str_sym) : str_sym
+    end
+
+    def symbol_name(str_sym)
+      str_sym.is_a?(String) ? convert_reference_name(str_sym) : str_sym
+    end
+
+    def titleize(str)
+      humanize(underscore(str)).gsub(/\b([a-z])/) { $1.capitalize }
+    end
+    
+    def humanize(str)
+      str.to_s.gsub(/_id$/, "").gsub(/_/, " ").capitalize
+    end
+
+    def underscore(str)
+      str.to_s.gsub(/::/, '/').
+        gsub(/([A-Z]+)([A-Z][a-z])/,'\1_\2').
+        gsub(/([a-z\d])([A-Z])/,'\1_\2').
+        tr("-", "_").downcase
+    end
+  end
+end

data/lib/lockdown/orms/active_record.rb

@@ -0,0 +1,68 @@
+module Lockdown
+  module Orms
+    module ActiveRecord
+      class << self
+        def use_me?
+          Object.const_defined?("ActiveRecord") && ::ActiveRecord.const_defined?("Base")
+        end
+
+        def included(mod)
+          mod.extend Lockdown::Orms::ActiveRecord::Helper
+          mixin
+        end
+
+        def mixin
+          Lockdown.orm_parent.class_eval do
+            include Lockdown::Orms::ActiveRecord::Stamps
+          end
+        end
+      end # class block
+
+      module Helper
+        def orm_parent
+          ::ActiveRecord::Base
+        end
+
+        def database_execute(query)
+          orm_parent.connection.execute(query)
+        end
+
+        def database_query(query)
+          orm_parent.connection.execute(query)
+        end
+
+        def database_table_exists?(klass)
+          klass.table_exists?
+        end
+      end
+
+      module Stamps
+        def self.included(base)
+          base.class_eval do
+            alias_method :create_without_stamps,  :create
+            alias_method :create,  :create_with_stamps
+            alias_method :update_without_stamps,  :update
+            alias_method :update,  :update_with_stamps
+          end
+        end
+
+        def current_who_did_it
+          Thread.current[:who_did_it]
+        end
+
+        def create_with_stamps
+          pid = current_who_did_it || Lockdown::System.fetch(:default_who_did_it)
+          self[:created_by] = pid if self.respond_to?(:created_by) 
+          self[:updated_by] = pid if self.respond_to?(:updated_by) 
+          create_without_stamps
+        end
+                  
+        def update_with_stamps
+          pid = current_who_did_it || Lockdown::System.fetch(:default_who_did_it)
+          self[:updated_by] = pid if self.respond_to?(:updated_by)
+          update_without_stamps
+        end
+      end
+    end
+  end
+end