incline 0.1.5

data/lib/incline/recaptcha.rb

@@ -0,0 +1,346 @@
+require 'cgi/util'
+require 'net/http'
+require 'action_view'
+
+module Incline
+  ##
+  # A helper class for reCAPTCHA.
+  #
+  # To use reCAPTCHA, you will need to define +recaptcha_public+ and +recaptcha_private+ in your 'config/secrets.yml'.
+  # If you need to use a proxy server, you will need to configure the proxy settings as well.
+  #
+  #   # config/secrets.yml
+  #   default: &default
+  #     recaptcha_public: SomeBase64StringFromGoogle
+  #     recaptcha_private: AnotherBase64StringFromGoogle
+  #     recaptcha_proxy:
+  #       host: 10.10.10.10
+  #       port: 1000
+  #       user: username
+  #       password: top_secret
+  #
+  class Recaptcha
+
+    ##
+    # Defines a reCAPTCHA tag that can be used to supply a field in a model with a hash of values.
+    #
+    # Basically we define two fields for the model attribute, one for :remote_ip and one for :response.
+    # The :remote_ip field is set automatically and shouldn't be changed.
+    # The :response field is set when the user completes the challenge.
+    #
+    #   Incline::Recaptcha::Tag.new(my_model, :is_robot).render
+    #
+    #   <input type="hidden" name="my_model[is_robot][remote_ip]" id="my_model_is_robot_remote_ip" value="10.11.12.13">
+    #   <input type="hidden" name="my_model[is_robot][response]" id="my_model_is_robot_response" value="">
+    #
+    #   Incline::Recaptcha::verify model: my_model, attribute: :is_robot
+    class Tag < ActionView::Helpers::Tags::Base
+
+      ##
+      # Generates the reCAPTCHA data.
+      def render
+        remote_ip =
+            if @template_object&.respond_to?(:request) && @template_object.send(:request)&.respond_to?(:remote_ip)
+              @template_object.request.remote_ip
+            else
+              ENV['REMOTE_ADDR']
+            end
+
+        if Incline::Recaptcha::disabled?
+          # very simple, if recaptcha is disabled, send the IP and 'disabled' to the form.
+          # for validation, recaptcha must still be disabled or it will fail.
+          return tag('input', type: 'hidden', id: tag_id, name: tag_name, value: "#{remote_ip}|disabled")
+        end
+
+        # reCAPTCHA is not disabled, so put everything we need into the form.
+        ret =   tag('input', type: 'hidden', id: tag_id, name: tag_name, value: remote_ip)
+        ret +=  "\n"
+
+        div_id = tag_id + '_div'
+
+        ret +=  tag('div', { class: 'form-group' }, true)
+        ret +=  tag('div', { id: div_id }, true)
+        ret +=  "</div></div>\n".html_safe
+
+        sitekey = CGI::escape_html(Incline::Recaptcha::public_key)
+        onload = 'onload_' + tag_id
+        callback = 'update_' + tag_id
+        tabindex = @options[:tab_index].to_s.to_i
+        theme = make_valid(@options[:theme], VALID_THEMES, :light).to_s
+        type = make_valid(@options[:type], VALID_TYPES, :image).to_s
+        size = make_valid(@options[:size], VALID_SIZES, :normal).to_s
+
+
+        ret += <<-EOS.html_safe
+<script type="text/javascript">
+// <![CDATA[
+function #{onload}() {
+  grecaptcha.render(#{div_id.inspect}, {
+    "sitekey"     : #{sitekey.inspect},
+    "callback"    : #{callback.inspect},
+    "tabindex"    : #{tabindex},
+    "theme"       : #{theme.inspect},
+    "type"        : #{type.inspect},
+    "size"        : #{size.inspect}
+  });
+}
+function #{callback}(response) {
+  var fld = $('##{tag_id}');
+  var val = fld.val();
+  if (val) { val = val.split('|'); val = val[0]; } else { val = ''; }
+  fld.val(val + '|' + response);
+}
+// ]]>
+</script>
+        EOS
+
+        Incline::Recaptcha::onload_callbacks << onload
+
+        ret.html_safe
+      end
+
+      private
+
+      def make_valid(value, valid, default)
+        return default if value.blank?
+        value = value.to_sym
+        return default unless valid.include?(value)
+        value
+      end
+
+    end
+
+    ##
+    # Gets the valid themes for the reCAPTCHA field.
+    VALID_THEMES = [ :dark, :light ]
+
+    ##
+    # Gets the valid types for the reCAPTCHA field.
+    VALID_TYPES = [ :audio, :image ]
+
+    ##
+    # Gets the valid sizes for the reCAPTCHA field.
+    VALID_SIZES = [ :compact, :normal ]
+
+    ##
+    # A string that will validated when reCAPTCHA is disabled.
+    DISABLED = '0.0.0.0|disabled'
+
+    ##
+    # Determines if recaptcha is disabled either due to a test environment or because :recaptcha_public or :recaptcha_private is not defined in +secrets.yml+.
+    def self.disabled?
+      temp_lock || public_key.blank? || private_key.blank? || (Rails.env.test? && !enabled_for_testing?)
+    end
+
+    ##
+    # Gets the public key.
+    def self.public_key
+      @public_key ||= Rails.application.secrets[:recaptcha_public].to_s.strip
+    end
+
+    ##
+    # Gets the private key.
+    def self.private_key
+      @private_key ||= Rails.application.secrets[:recaptcha_private].to_s.strip
+    end
+
+    ##
+    # Gets the proxy configuration (if any).
+    def self.proxy
+      @proxy ||= (Rails.application.secrets[:recaptcha_proxy] || {}).symbolize_keys
+    end
+
+
+    ##
+    # Generates the bare minimum code needed to include a reCAPTCHA challenge in a form.
+    def self.add
+      unless disabled?
+        "<div class=\"g-recaptcha\" data-sitekey=\"#{CGI::escape_html(public_key)}\"></div>\n<script src=\"https://www.google.com/recaptcha/api.js\"></script><br>".html_safe
+      end
+    end
+
+    ##
+    # Verifies the response from a reCAPTCHA challenge.
+    #
+    # Valid options:
+    # model::
+    #     Sets the model that this challenge is verifying.
+    # attribute::
+    #     If a model is provided, you can supply an attribute to retrieve the response data from.
+    #     This attribute should return a hash with :response and :remote_ip keys.
+    #     If this is provided, then the remaining options are ignored.
+    # response::
+    #     If specified, defines the response from the reCAPTCHA challenge that we want to verify.
+    #     If not specified, then the request parameters (if any) are searched for the "g-recaptcha-response" value.
+    # remote_ip::
+    #     If specified, defines the remote IP of the user that was challenged.
+    #     If not specified, then the remote IP from the request (if any) is used.
+    # request::
+    #     Specifies the request to use for information.
+    #     This must be provided unless :response and :remote_ip are both specified.
+    #     This is the default option if an object other than a Hash is provided to #verify.
+    #
+    # Returns true on success, or false on failure.
+    #
+    def self.verify(options = {})
+      return true if temp_lock
+      
+      options = { request: options } unless options.is_a?(::Hash)
+      
+      model = options[:model]
+
+      response =
+          if model && options[:attribute] && model.respond_to?(options[:attribute])
+            model.send(options[:attribute])
+          else
+            nil
+          end
+
+      remote_ip = nil
+
+      if response.is_a?(::Hash)
+        remote_ip = response[:remote_ip]
+        response = response[:response]
+      end
+
+      # model must respond to the 'errors' message and the result of that must respond to 'add'
+      if !model || !model.respond_to?('errors') || !model.send('errors').respond_to?('add')
+        model = nil
+      end
+
+      response ||= options[:response]
+      remote_ip ||= options[:remote_ip]
+
+      if response.blank? || remote_ip.blank?
+        request = options[:request]
+        raise ArgumentError, 'Either :request must be specified or both :response and :remote_ip must be specified.' unless request
+        response = request.params['g-recaptcha-response']
+        remote_ip = request.respond_to?(:remote_ip) ? request.send(:remote_ip) : ENV['REMOTE_ADDR']
+      end
+
+      if disabled?
+        # In tests or environments where reCAPTCHA is disabled,
+        # the response should be 'disabled' to verify successfully.
+        return response == 'disabled'
+      else
+        begin
+          if proxy.blank?
+            http = Net::HTTP
+          else
+            http = Net::HTTP::Proxy(proxy.host, proxy.port, proxy.user, proxy.password)
+          end
+
+          verify_hash = {
+              secret: private_key,
+              remoteip: remote_ip,
+              response: response
+          }
+          recaptcha = nil
+          Timeout::timeout(5) do
+            uri = URI.parse('https://www.google.com/recaptcha/api/siteverify')
+            http_instance = http.new(uri.host, uri.port)
+            if uri.port == 443
+              http_instance.use_ssl = true
+            end
+            request = Net::HTTP::Post.new(uri.request_uri)
+            request.set_form_data(verify_hash)
+            recaptcha = http_instance.request(request)
+          end
+          answer = JSON.parse(recaptcha.body)
+
+          unless answer['success'].to_s.downcase == 'true'
+            if model
+              model.errors.add(options[:attribute] || :base, 'Recaptcha verification failed.')
+            end
+            return false
+          end
+
+          return true
+        rescue Timeout::Error
+          if model
+            model.errors.add(:base, 'Recaptcha unreachable.')
+          end
+        end
+      end
+
+      false
+    end
+
+
+
+    ##
+    # Contains a collection of onload callbacks for explicit reCAPTCHA fields.
+    #
+    # Used by the Incline::Recaptcha::Tag helper.
+    def self.onload_callbacks
+      # FIXME: Should probably move this to the session.
+      @onload_callbacks ||= []
+    end
+
+    ##
+    # Generates a script block to load reCAPTCHA and activate any reCAPTCHA fields.
+    def self.script_block
+      if onload_callbacks.any?
+        ret = "<script type=\"text/javascript\">\n// <![CDATA[\nfunction recaptcha_onload() { "
+        onload_callbacks.each { |onload| ret += CGI::escape_html(onload) + '(); ' }
+        ret += "}\n// ]]>\n</script>\n<script type=\"text/javascript\" src=\"https://www.google.com/recaptcha/api.js?onload=recaptcha_onload&amp;render=explicit\" async defer></script>"
+
+        # clear the cache.
+        onload_callbacks.clear
+
+        ret.html_safe
+      end
+    end
+
+    ##
+    # Pauses reCAPTCHA validation for the specified block of code.
+    def self.pause_for(&block)
+      # already paused, so just call the block.
+      return block.call if paused?
+
+      # otherwise pause and then call the block.
+      self.temp_lock = true
+      begin
+        return block.call
+      ensure
+        self.temp_lock = false
+      end
+    end
+
+    ##
+    # Determines if reCAPTCHA validation is currently paused.
+    def self.paused?
+      temp_lock
+    end
+    
+    private
+    
+    def self.enable_for_testing(pub_key = nil, priv_key = nil)
+      raise 'This method is only valid when testing.' unless Rails.env.test?
+      
+      @enabled_for_testing = true
+      @public_key = pub_key
+      @private_key = priv_key
+      begin
+        yield if block_given?
+      ensure
+        @private_key = nil
+        @public_key = nil
+        @enabled_for_testing = false
+      end
+    end
+    
+    def self.enabled_for_testing?
+      @enabled_for_testing ||= false
+    end
+    
+    def self.temp_lock
+      @temp_lock ||= false
+    end
+
+    def self.temp_lock=(bool)
+      @temp_lock = bool
+    end
+
+  end
+end

data/lib/incline/user_manager.rb

@@ -0,0 +1,212 @@
+
+module Incline
+  ##
+  # Handles the user management tasks between an authentication system and the database.
+  #
+  # The default authentication system is the database, but other systems are supported.
+  # Out of the box we support LDAP, but the class can be extended to add other functionality.
+  #
+  class UserManager < AuthEngineBase
+
+    ##
+    # Creates a new user manager.
+    #
+    # The user manager itself takes no options, however options will be passed to
+    # any registered authentication engines when they are instantiated.
+    #
+    # The options can be used to pre-register engines and provide configuration for them.
+    # The engines will have specific configurations, but the UserManager class recognizes
+    # the 'engines' key.
+    #
+    #     {
+    #       :engines => {
+    #         'example.com' => {
+    #           :engine => MySuperAuthEngine.new(...)
+    #         },
+    #         'example.org' => {
+    #           :engine => 'incline_ldap/auth_engine',
+    #           :config => {
+    #             :host => 'ldap.example.org',
+    #             :port => 636,
+    #             :base_dn => 'DC=ldap,DC=example,DC=org'
+    #           }
+    #         }
+    #       }
+    #     }
+    #
+    # When an 'engines' key is processed, the configuration options for the engines are pulled
+    # from the subkeys.  Once the processing of the 'engines' key is complete, it will be removed
+    # from the options hash so any engines registered in the future will not receive the extra options.
+    def initialize(options = {})
+      @options = (options || {}).deep_symbolize_keys
+      Incline::User.ensure_admin_exists!
+
+      if @options[:engines].is_a?(::Hash)
+        @options[:engines].each do |domain_name, domain_config|
+          if domain_config[:engine].blank?
+            ::Incline::Log::info "Domain #{domain_name} is missing an engine definition and will not be registered."
+          elsif domain_config[:engine].is_a?(::Incline::AuthEngineBase)
+            ::Incline::Log::info "Using supplied auth engine for #{domain_name}."
+            register_auth_engine domain_config[:engine], domain_name
+          else
+            engine =
+                begin
+                  domain_config[:engine].to_s.classify.constantize
+                rescue NameError
+                  nil
+                end
+
+            if engine
+              engine = engine.new(domain_config[:config] || {})
+              if engine.is_a?(::Incline::AuthEngineBase)
+                ::Incline::Log::info "Using newly created auth engine for #{domain_name}."
+                register_auth_engine engine, domain_name
+              else
+                ::Incline::Log::warn "Object created for #{domain_name} does not inherit from Incline::AuthEngineBase."
+              end
+            else
+              ::Incline::Log::warn "Failed to create auth engine for #{domain_name}."
+            end
+          end
+        end
+      end
+
+      @options.delete(:engines)
+
+    end
+
+    ##
+    # Attempts to authenticate the user and returns the model on success.
+    def authenticate(email, password, client_ip)
+      return nil unless Incline::EmailValidator.valid?(email)
+      email = email.downcase
+
+      # If an engine is registered for the email domain, then use it.
+      engine = get_auth_engine(email)
+      if engine
+        return engine.authenticate(email, password, client_ip)
+      end
+
+      # Otherwise we will be using the database.
+      user = User.find_by(email: email)
+      if user
+        # user must be enabled and the password must match.
+        unless user.enabled?
+          add_failure_to user, '(DB) account disabled', client_ip
+          return nil
+        end
+        if user.authenticate(password)
+          add_success_to user, '(DB)', client_ip
+          return user
+        else
+          add_failure_to user, '(DB) invalid password', client_ip
+          return nil
+        end
+      end
+      add_failure_to email, 'invalid email', client_ip
+      nil
+    end
+
+    ##
+    # Attempts to authenticate the user and returns the model on success.
+    def self.authenticate(email, password, client_ip)
+      default.authenticate email, password, client_ip
+    end
+
+    ##
+    # Registers an authentication engine for one or more domains.
+    #
+    # The +engine+ passed in should take an options hash as the only argument to +initialize+
+    # and should provide an +authenticate+ method that takes the +email+, +password+, and
+    # +client_ip+.
+    #
+    # The +authenticate+ method of the engine should return an Incline::User object on success or nil on failure.
+    #
+    #   class MyAuthEngine
+    #     def initialize(options = {})
+    #       ...
+    #     end
+    #
+    #     def authenticate(email, password, client_ip)
+    #       ...
+    #     end
+    #   end
+    #
+    #   Incline::UserManager.register_auth_engine(MyAuthEngine, 'example.com', 'example.net', 'example.org')
+    #
+    def register_auth_engine(engine, *domains)
+      unless engine.nil?
+        unless engine.is_a?(::Incline::AuthEngineBase)
+          raise ArgumentError, "The 'engine' parameter must be an instance of an auth engine or a class defining an auth engine." unless engine.is_a?(::Class)
+          engine = engine.new(@options)
+          raise ArgumentError, "The 'engine' parameter must be an instance of an auth engine or a class defining an auth engine." unless engine.is_a?(::Incline::AuthEngineBase)
+        end
+      end
+      domains.map do |dom|
+        dom.to_s.downcase.strip
+        raise ArgumentError, "The domain #{dom.inspect} does not appear to be a valid domain." unless dom =~ /\A[a-z0-9]+(?:[-.][a-z0-9]+)*\.[a-z]+\Z/
+        dom
+      end.each do |dom|
+        auth_engines[dom] = engine
+      end
+    end
+
+    ##
+    # Registers an authentication engine for one or more domains.
+    #
+    # The +engine+ passed in should take an options hash as the only argument to +initialize+
+    # and should provide an +authenticate+ method that takes the +email+, +password+, and
+    # +client_ip+.
+    #
+    # The +authenticate+ method of the engine should return an Incline::User object on success or nil on failure.
+    def self.register_auth_engine(engine, *domains)
+      default.register_auth_engine(engine, *domains)
+    end
+    
+    ##
+    # Clears any registered authentication engine for one or more domains.
+    def clear_auth_engine(*domains)
+      register_auth_engine(nil, *domains)
+    end
+    
+    ##
+    # Clears any registered authentication engine for one or more domains.
+    def self.clear_auth_engine(*domains)
+      default.clear_auth_engine(*domains)
+    end
+
+    private
+
+    def auth_engines
+      @auth_engines ||= { }
+    end
+
+    def get_auth_engine(email)
+      dom = email.partition('@')[2].downcase
+      auth_engines[dom]
+    end
+
+    def self.auth_config
+      @auth_config ||=
+          begin
+            cfg = Rails.root.join('config','auth.yml')
+            if File.exist?(cfg)
+              cfg = YAML.load_file(cfg)
+              if cfg.is_a?(::Hash)
+                cfg = cfg[Rails.env]
+                (cfg || {}).symbolize_keys
+              else
+                {}
+              end
+            else
+              {}
+            end
+          end
+    end
+
+    def self.default
+      @default ||= UserManager.new(auth_config)
+    end
+
+  end
+end

data/lib/incline/validators/email_validator.rb

@@ -0,0 +1,45 @@
+
+module Incline
+  ##
+  # Validates a string to ensure it contains a valid email address.
+  #
+  #   validates :email_address, 'incline/email' => true
+  #
+  class EmailValidator < ActiveModel::EachValidator
+
+    INTERNAL_DOM_REGEX = '[a-z\d]+(?:-+[a-z\d]+)*(?:\.[a-z\d]+(?:-+[a-z\d]+)*)*\.[a-z]+'
+    private_constant :INTERNAL_DOM_REGEX
+
+    ##
+    # This regular expression should validate 99.9% of common email addresses.
+    #
+    # There are some weird rules that it doesn't account for, but they should be rare.
+    #
+    VALID_EMAIL_REGEX = /\A[\w+\-.]+@#{INTERNAL_DOM_REGEX}\z/i
+
+    ##
+    # This regular expression should validate any domain.
+    VALID_DOMAIN_REGEX = /\A#{INTERNAL_DOM_REGEX}\z/i
+
+
+    ##
+    # Validates attributes to determine if they contain valid email addresses.
+    #
+    # Does not perform an in depth check, but does verify that the format is valid.
+    def validate_each(record, attribute, value)
+      unless value.blank?
+        record.errors[attribute] << (options[:message] || 'is not a valid email address') unless value =~ VALID_EMAIL_REGEX
+      end
+    end
+
+    ##
+    # Validates that an email address is valid based on format.
+    def self.valid?(email)
+      return false if email.blank?
+      !!(email =~ VALID_EMAIL_REGEX)
+    end
+
+  end
+end
+
+

data/lib/incline/validators/ip_address_validator.rb

@@ -0,0 +1,32 @@
+require 'ipaddr'
+
+module Incline
+  ##
+  # Validates a string contains a valid IP address.
+  class IpAddressValidator < ActiveModel::EachValidator
+
+    ##
+    # Validates attributes to determine if the values contain valid IP addresses.
+    #
+    # Set the :no_mask option to restrict the IP address to singular addresses only.
+    def validate_each(record, attribute, value)
+      begin
+        unless value.blank?
+          IPAddr.new(value)
+          if options[:no_mask]
+            if value =~ /\//
+              record.errors[attribute] << (options[:message] || 'must not contain a mask')
+            end
+          elsif options[:require_mask]
+            unless value =~ /\//
+              record.errors[attribute] << (options[:message] || 'must contain a mask')
+            end
+          end
+        end
+      rescue IPAddr::InvalidAddressError
+        record.errors[attribute] << (options[:message] || 'is not a valid IP address')
+      end
+    end
+  end
+
+end

data/lib/incline/validators/recaptcha_validator.rb

@@ -0,0 +1,37 @@
+
+module Incline
+  ##
+  # Validates a reCAPTCHA attribute.
+  class RecaptchaValidator < ActiveModel::EachValidator
+
+    ##
+    # Validates a reCAPTCHA attribute.
+    #
+    # The value of the attribute should be a hash with two keys: :response, :remote_ip
+    def validate_each(record, attribute, value)
+      # Do NOT raise an error if nil.
+      return if value.blank?
+
+      # Make sure the response only gets processed once.
+      return if value == :verified
+
+      # Automatically skip validation if paused.
+      return if Incline::Recaptcha::paused?
+
+      # If the user form includes the recaptcha field, then something will come in
+      # and then we want to check it.
+      remote_ip, _, response = value.partition('|')
+      if remote_ip.blank? || response.blank?
+        record.errors[:base] << (options[:message] || 'Requires reCAPTCHA challenge to be completed')
+      else
+        if Incline::Recaptcha::verify(response: response, remote_ip: remote_ip)
+          record.send "#{attribute}=", :verified
+        else
+          record.errors[:base] << (options[:message] || 'Invalid response from reCAPTCHA challenge')
+        end
+      end
+
+    end
+
+  end
+end

data/lib/incline/validators/safe_name_validator.rb

@@ -0,0 +1,31 @@
+
+module Incline
+  ##
+  # Validates a string value to ensure it is a safe name.
+  #
+  # A safe name is one that only contains letters, numbers, and underscore.
+  # It must also start with a letter and cannot end with an underscore.
+  class SafeNameValidator < ActiveModel::EachValidator
+
+    ##
+    # Validates a string to ensure it is a safe name.
+    VALID_MASK = /\A[a-z](?:_*[a-z0-9]+)*\z/i
+
+    ##
+    # Validates attributes to determine if the values match the requirements of a safe name.
+    def validate_each(record, attribute, value)
+      unless value.blank?
+        unless value =~ VALID_MASK
+          if value =~ /\A[^a-z]/i
+            record.errors[attribute] << (options[:message] || 'must start with a letter')
+          elsif value =~ /_\z/
+            record.errors[attribute] << (options[:message] || 'must not end with an underscore')
+          else
+            record.errors[attribute] << (options[:message] || 'must contain only letters, numbers, and underscore')
+          end
+        end
+      end
+    end
+
+  end
+end