ioquatix-account_engine 0.1.0

data/lib/account_engine/password.rb

@@ -0,0 +1,432 @@
+# $Id: password.rb,v 1.24 2006/03/02 19:42:33 ianmacd Exp $
+# 
+# Version : 0.5.3
+# Author  : Ian Macdonald <ian@caliban.org>
+#
+# Copyright (C) 2002-2006 Ian Macdonald
+#
+#   This program is free software; you can redistribute it and/or modify
+#   it under the terms of the GNU General Public License as published by
+#   the Free Software Foundation; either version 2, or (at your option)
+#   any later version.
+#
+#   This program is distributed in the hope that it will be useful,
+#   but WITHOUT ANY WARRANTY; without even the implied warranty of
+#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+#   GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public License
+#   along with this program; if not, write to the Free Software Foundation,
+#   Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
+
+
+#require 'crack'
+#require 'termios'
+
+
+# Ruby/Password is a collection of password handling routines for Ruby,
+# including an interface to CrackLib for the purposes of testing password
+# strength.
+# 
+#  require 'password'
+#
+#  # Define and check a password in code
+#  pw = Password.new( "bigblackcat" )
+#  pw.check
+#
+#  # Get and check a password from the keyboard
+#  begin
+#    password = Password.get( "New password: " )
+#    password.check
+#  rescue Password::WeakPassword => reason
+#    puts reason
+#    retry
+#  end
+#
+#  # Automatically generate and encrypt a password
+#  password = Password.phonemic( 12, Password:ONE_CASE | Password::ONE_DIGIT )
+#  crypted = password.crypt
+#
+#
+class Password < String
+
+  # This exception class is raised if an error occurs during password
+  # encryption when calling Password#crypt.
+  #
+  class CryptError < StandardError; end
+
+  # This exception class is raised if a bad dictionary path is detected by
+  # Password#check.
+  #
+  class DictionaryError < StandardError; end
+
+  # This exception class is raised if a weak password is detected by
+  # Password#check.
+  #
+  class WeakPassword < StandardError; end
+
+  VERSION = '0.5.3'
+
+  # DES algorithm
+  # 
+  DES = true
+
+  # MD5 algorithm (see <em>crypt(3)</em> for more information)
+  #
+  MD5 = false
+ 
+  # This flag is used in conjunction with Password.phonemic and states that a
+  # password must include a digit.
+  #
+  ONE_DIGIT  =	1
+
+  # This flag is used in conjunction with Password.phonemic and states that a
+  # password must include a capital letter.
+  #
+  ONE_CASE    = 1 << 1
+
+  # Characters that may appear in generated passwords. Password.urandom may
+  # also use the characters + and /.
+  #
+  PASSWD_CHARS = '0123456789' +
+		 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
+		 'abcdefghijklmnopqrstuvwxyz'
+
+  # Valid salt characters for use by Password#crypt.
+  #
+  SALT_CHARS   = '0123456789' +
+		 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' +
+		 'abcdefghijklmnopqrstuvwxyz' +
+		 './'
+
+  # :stopdoc:
+
+  # phoneme flags
+  #
+  CONSONANT = 1
+  VOWEL	    = 1 << 1
+  DIPHTHONG = 1 << 2
+  NOT_FIRST = 1 << 3  # indicates that a given phoneme may not occur first
+
+  PHONEMES = {
+    :a	=> VOWEL,
+    :ae	=> VOWEL      | DIPHTHONG,
+    :ah => VOWEL      | DIPHTHONG,
+    :ai => VOWEL      | DIPHTHONG,
+    :b	=> CONSONANT,
+    :c	=> CONSONANT,
+    :ch	=> CONSONANT  | DIPHTHONG,
+    :d	=> CONSONANT,
+    :e	=> VOWEL,
+    :ee	=> VOWEL      | DIPHTHONG,
+    :ei	=> VOWEL      | DIPHTHONG,
+    :f	=> CONSONANT,
+    :g	=> CONSONANT,
+    :gh	=> CONSONANT  | DIPHTHONG | NOT_FIRST,
+    :h	=> CONSONANT,
+    :i	=> VOWEL,
+    :ie	=> VOWEL      | DIPHTHONG,
+    :j	=> CONSONANT,
+    :k	=> CONSONANT,
+    :l	=> CONSONANT,
+    :m	=> CONSONANT,
+    :n	=> CONSONANT,
+    :ng	=> CONSONANT  | DIPHTHONG | NOT_FIRST,
+    :o	=> VOWEL,
+    :oh	=> VOWEL      | DIPHTHONG,
+    :oo	=> VOWEL      | DIPHTHONG,
+    :p	=> CONSONANT,
+    :ph	=> CONSONANT  | DIPHTHONG,
+    :qu	=> CONSONANT  | DIPHTHONG,
+    :r	=> CONSONANT,
+    :s	=> CONSONANT,
+    :sh	=> CONSONANT  | DIPHTHONG,
+    :t	=> CONSONANT,
+    :th	=> CONSONANT  | DIPHTHONG,
+    :u	=> VOWEL,
+    :v	=> CONSONANT,
+    :w	=> CONSONANT,
+    :x	=> CONSONANT,
+    :y	=> CONSONANT,
+    :z	=> CONSONANT
+  }
+
+  # :startdoc:
+
+
+  # Turn local terminal echo on or off. This method is used for securing the
+  # display, so that a soon to be entered password will not be echoed to the
+  # screen. It is also used for restoring the display afterwards.
+  #
+  # If _masked_ is +true+, the keyboard is put into unbuffered mode, allowing
+  # the retrieval of characters one at a time. _masked_ has no effect when
+  # _on_ is +false+. You are unlikely to need this method in the course of
+  # normal operations.
+  #
+  def Password.echo(on=true, masked=false)
+    term = Termios::getattr( $stdin )
+
+    if on
+      term.c_lflag |= ( Termios::ECHO | Termios::ICANON )
+    else # off
+      term.c_lflag &= ~Termios::ECHO
+      term.c_lflag &= ~Termios::ICANON if masked
+    end
+
+    Termios::setattr( $stdin, Termios::TCSANOW, term )
+  end
+
+
+  # Get a password from _STDIN_, using buffered line input and displaying
+  # _message_ as the prompt. No output will appear while the password is being
+  # typed. Hitting <b>[Enter]</b> completes password entry. If _STDIN_ is not
+  # connected to a tty, no prompt will be displayed.
+  #
+  def Password.get(message="Password: ")
+    begin
+      if $stdin.tty?
+	Password.echo false
+	print message if message
+      end
+
+      pw = Password.new( $stdin.gets || "" )
+      pw.chomp!
+
+    ensure
+      if $stdin.tty?
+	Password.echo true
+	print "\n"
+      end
+    end
+  end
+
+
+  # Get a password from _STDIN_ in unbuffered mode, i.e. one key at a time.
+  # _message_ will be displayed as the prompt and each key press with echo
+  # _mask_ to the terminal. There is no need to hit <b>[Enter]</b> at the end.
+  #
+  def Password.getc(message="Password: ", mask='*')
+    # Save current buffering mode
+    buffering = $stdout.sync
+
+    # Turn off buffering
+    $stdout.sync = true
+
+    begin
+      Password.echo(false, true)
+      print message if message
+      pw = ""
+
+      while ( char = $stdin.getc ) != 10 # break after [Enter]
+	putc mask
+	pw << char
+      end
+
+    ensure
+      Password.echo true
+      print "\n"
+    end
+
+    # Restore original buffering mode
+    $stdout.sync = buffering
+
+    Password.new( pw )
+  end
+
+
+  # :stopdoc:
+  
+  # Determine whether next character should be a vowel or consonant.
+  #
+  def Password.get_vowel_or_consonant
+    rand( 2 ) == 1 ? VOWEL : CONSONANT
+  end
+
+  # :startdoc:
+
+
+  # Generate a memorable password of _length_ characters, using phonemes that
+  # a human-being can easily remember. _flags_ is one or more of
+  # <em>Password::ONE_DIGIT</em> and <em>Password::ONE_CASE</em>, logically
+  # OR'ed together. For example:
+  #
+  #  pw = Password.phonemic( 8, Password::ONE_DIGIT | Password::ONE_CASE )
+  #
+  # This would generate an eight character password, containing a digit and an
+  # upper-case letter, such as <b>Ug2shoth</b>.
+  #
+  # This method was inspired by the
+  # pwgen[http://sourceforge.net/projects/pwgen/] tool, written by Theodore
+  # Ts'o.
+  #
+  # Generated passwords may contain any of the characters in
+  # <em>Password::PASSWD_CHARS</em>.
+  #
+  def Password.phonemic(length=8, flags=nil)
+
+    pw = nil
+    ph_flags = flags
+
+    loop do
+
+      pw = ""
+
+      # Separate the flags integer into an array of individual flags
+      feature_flags = [ flags & ONE_DIGIT, flags & ONE_CASE ]
+
+      prev = []
+      first = true
+      desired = Password.get_vowel_or_consonant
+
+      # Get an Array of all of the phonemes
+      phonemes = PHONEMES.keys.map { |ph| ph.to_s }
+      nr_phonemes = phonemes.size
+
+      while pw.length < length do
+
+	# Get a random phoneme and its length
+	phoneme = phonemes[ rand( nr_phonemes ) ]
+	ph_len = phoneme.length
+
+	# Get its flags as an Array
+	ph_flags = PHONEMES[ phoneme.to_sym ]
+	ph_flags = [ ph_flags & CONSONANT, ph_flags & VOWEL,
+		     ph_flags & DIPHTHONG, ph_flags & NOT_FIRST ]
+
+	# Filter on the basic type of the next phoneme
+	next if ph_flags.include? desired
+
+	# Handle the NOT_FIRST flag
+	next if first and ph_flags.include? NOT_FIRST
+
+	# Don't allow a VOWEL followed a vowel/diphthong pair
+	next if prev.include? VOWEL and ph_flags.include? VOWEL and
+		ph_flags.include? DIPHTHONG
+
+	# Don't allow us to go longer than the desired length
+	next if ph_len > length - pw.length
+
+	# We've found a phoneme that meets our criteria
+	pw << phoneme
+
+	# Handle ONE_CASE
+	if feature_flags.include? ONE_CASE
+
+	  if (first or ph_flags.include? CONSONANT) and rand( 10 ) < 3
+	    pw[-ph_len, 1] = pw[-ph_len, 1].upcase
+	    feature_flags.delete ONE_CASE
+	  end
+
+	end
+
+	# Is password already long enough?
+	break if pw.length >= length
+
+	# Handle ONE_DIGIT
+	if feature_flags.include? ONE_DIGIT
+
+	  if ! first and rand( 10 ) < 3
+	    pw << ( rand( 10 ) + ?0 ).chr
+	    feature_flags.delete ONE_DIGIT
+
+	    first = true
+	    prev = []
+	    desired = Password.get_vowel_or_consonant
+	    next
+	  end
+
+	end
+
+	if desired == CONSONANT
+	  desired = VOWEL
+	elsif prev.include? VOWEL or ph_flags.include? DIPHTHONG or
+	      rand(10) > 3
+	  desired = CONSONANT
+	else
+	  desired = VOWEL
+	end
+
+	prev = ph_flags
+	first = false
+      end
+
+      # Try again
+      break unless feature_flags.include? ONE_CASE or
+		   feature_flags.include? ONE_DIGIT
+
+    end
+
+    Password.new( pw )
+
+  end
+
+
+  # Generate a random password of _length_ characters. Unlike the
+  # Password.phonemic method, no attempt will be made to generate a memorable
+  # password. Generated passwords may contain any of the characters in
+  # <em>Password::PASSWD_CHARS</em>.
+  #
+  #
+  def Password.random(length=8)
+    pw = ""
+    nr_chars = PASSWD_CHARS.size
+
+    length.times { pw << PASSWD_CHARS[ rand( nr_chars ) ] }
+
+    Password.new( pw )
+  end
+
+
+  # An alternative to Password.random. It uses the <tt>/dev/urandom</tt>
+  # device to generate passwords, returning +nil+ on systems that do not
+  # implement the device. The passwords it generates may contain any of the
+  # characters in <em>Password::PASSWD_CHARS</em>, plus the additional
+  # characters + and /.
+  #
+  def Password.urandom(length=8)
+    return nil unless File.chardev? '/dev/urandom'
+
+    rand_data = nil
+    File.open( "/dev/urandom" ) { |f| rand_data = f.read( length ) }
+
+    # Base64 encode it
+    Password.new( [ rand_data ].pack( 'm' )[ 0 .. length - 1 ] )
+  end
+
+
+  # Encrypt a password using _type_ encryption. _salt_, if supplied, will be
+  # used to perturb the encryption algorithm and should be chosen from the
+  # <em>Password::SALT_CHARS</em>. If no salt is given, a randomly generated
+  # salt will be used.
+  #
+  def crypt(type=DES, salt='')
+
+    unless ( salt.split( // ) - SALT_CHARS.split( // ) ).empty?
+      raise CryptError, 'bad salt'
+    end
+
+    salt = Password.random( type ? 2 : 8 ) if salt.empty?
+
+    # (Linux glibc2 interprets a salt prefix of '$1$' as a call to use MD5
+    # instead of DES when calling crypt(3))
+    salt = '$1$' + salt if type == MD5
+
+    # Pass to crypt in class String (our parent class)
+    crypt = super( salt )
+
+    # Raise an exception if MD5 was wanted, but result is not recognisable
+    if type == MD5 && crypt !~ /^\$1\$/
+      raise CryptError, 'MD5 not implemented'
+    end
+
+    crypt
+  end
+
+end
+
+
+# Display a phonemic password, if run directly.
+#
+if $0 == __FILE__
+  puts Password.phonemic
+end

data/lib/account_engine/support.rb

@@ -0,0 +1,12 @@
+module AccountEngine::Support
+  # Returns the current user from the session, if any exists
+  def current_user
+    session[:user]
+  end
+  
+  def user?
+    true if current_user
+  end
+  
+  alias logged_in? user?
+end

data/lib/account_engine/user_account/class_methods.rb

@@ -0,0 +1,63 @@
+module AccountEngine
+  module UserAccount
+    # This module defines methods to be attached to the User class itself.
+    module ClassMethods
+
+      # Check if the requested controller/action is available for guest users
+      # i.e. anyone who isn't logged in.
+      # The 'Guest' user is actually a Role object held my no user. The name of this
+      # Role object is defined in AccountEngine.guest_role_name, and defaults
+      # to "Guest". To control which actions are available to site users who are 
+      # *not* logged in, you should modify the permissions for this role.
+      def guest_user_authorized?(controller, action="index")
+        query = <<-EOS
+SELECT DISTINCT #{AccountEngine.permissions_table}.* 
+FROM #{AccountEngine.permissions_table}, #{AccountEngine.roles_table}, 
+     #{AccountEngine.permissions_roles_table}
+WHERE #{AccountEngine.roles_table}.name = :role
+AND #{AccountEngine.roles_table}.id = #{AccountEngine.permissions_roles_table}.role_id
+AND #{AccountEngine.permissions_roles_table}.permission_id = #{AccountEngine.permissions_table}.id
+AND #{AccountEngine.permissions_table}.controller = :controller
+AND #{AccountEngine.permissions_table}.action = :action
+EOS
+
+        result = Permission.find_by_sql([query, {:role => AccountEngine.guest_role_name, 
+                                                 :controller => controller.to_s, :action => action.to_s}])    
+
+        return (result != nil) && (!result.empty?)
+      end
+      
+      # Basic method for user authentication.
+      def authenticate(login, pass)
+        # Find the user with this login name
+        user = find(:first, :conditions => ["login = ? AND deleted = 0", login])
+
+        if user.nil?
+          logger.info "Invalid username #{login}/#{pass}"
+          return nil
+        end
+
+        # Check to see if the 
+        sp = UserAccount.salted_password(user.salt, UserAccount.hashed(pass))
+
+        logger.info "User not verified #{login}/#{pass}" unless (user.verified or not AccountEngine.confirm_account)
+        logger.info "User password incorrect #{login}/#{pass}" unless user.salted_password == sp
+
+        if (user.verified or not AccountEngine.confirm_account) and user.salted_password == sp
+          return user
+        else
+          return nil
+        end
+      end
+
+      def authenticate_by_token(id, token)
+        # Allow logins for deleted accounts, but only via this method (and
+        # not the regular authenticate call)
+        u = find(:first, :conditions => ["id = ? AND security_token = ?", id, token])
+        return nil if u.nil? or u.token_expired?
+        return nil if false == u.update_expiry
+        u
+      end
+    end
+  end
+end

data/lib/account_engine/user_account.rb

@@ -0,0 +1,184 @@
+require 'digest/sha1'
+require 'account_engine/configuration'
+require 'account_engine/user_account/class_methods'
+require 'account_engine/password'
+
+# this model expects a certain database layout and its based on the name/login pattern. 
+
+module AccountEngine
+  module UserAccount
+    def self.included(base)
+      base.extend(ClassMethods)
+      
+      base.class_eval do
+        
+        # use the table name given
+        set_table_name AccountEngine.users_table
+        
+        validates_presence_of :login
+        validates_length_of :login, :within => 2..60
+        validates_uniqueness_of :login
+        
+        validates_uniqueness_of :email, :if => :validate_email?
+        validates_format_of :email, :with => /^[^@]+@.+$/, :if => :validate_email?
+        
+        validates_presence_of :password, :if => :validate_password?
+        validates_confirmation_of :password, :if => :validate_password?
+        validates_length_of :password, { :minimum => 4, :if => :validate_password? }
+        validates_length_of :password, { :maximum => 40, :if => :validate_password? }
+        
+        after_validation :crypt_password
+        
+        has_and_belongs_to_many :roles, :join_table => AccountEngine.users_roles_table
+        
+        # ensure that all users recieve the 'user' role
+        before_create :add_user_role
+      end
+    end
+    
+    # Returns true if this user is has the 'admin' role
+    def admin?()
+      roles.each { |r| return true if r.omnipotent? }
+      false
+    end
+    
+    # override this method to return the full name of this user
+    def fullname
+      return self.login
+    end
+    
+    def token_expired?
+      self.security_token and self.token_expiry and (Time.now > self.token_expiry)
+    end
+
+    def update_expiry
+      write_attribute('token_expiry', [self.token_expiry, Time.at(Time.now.to_i + 600 * 1000)].min)
+      write_attribute("verified", 1)
+      update_without_callbacks
+    end
+    
+    def generate_security_token(hours = nil)
+      if not hours.nil? or self.security_token.nil? or self.token_expiry.nil? or 
+          (Time.now.to_i + UserAccount.token_lifetime / 2) >= self.token_expiry.to_i
+        return new_security_token(hours)
+      else
+        return self.security_token
+      end
+    end
+    
+    def password=(pass)
+      change_password pass
+    end
+    
+    def password
+      @password
+    end
+    
+    def password?
+      !(password || salted_password).nil?
+    end
+    
+    def generate_password(n=6)
+      change_password Password.phonemic(n, Password::ONE_CASE | Password::ONE_DIGIT )
+    end
+    
+    protected
+    def self.hashed(str)
+      # check if a salt has been set...
+      if AccountEngine.salt == nil
+        raise "You must define a :salt value in the configuration for the AccountEngine module."
+      end
+
+      return Digest::SHA1.hexdigest("#{AccountEngine.salt}-#{str}}")[0..39]
+    end
+  
+    def self.salted_password(salt, hashed_password)
+      hashed(salt + hashed_password)
+    end
+    
+    def self.token_lifetime(hours = nil)
+      if hours.nil?
+        AccountEngine.security_token_life_hours * 60 * 60
+      else
+        hours * 60 * 60
+      end
+    end
+    
+    def change_password(pass)
+      logger.info "Setting password to #{pass}"
+      @password = pass
+    end
+    
+    def validate_password?
+      @password != nil
+    end
+    
+    def validate_email?
+      AccountEngine.validate_email and !self[:email].nil?
+    end
+
+    def crypt_password
+      logger.info "crypt_password..."
+      
+      if @password == ""
+        logger.info "New password is blank"
+        write_attribute("salt", "")
+        write_attribute("salted_password", "")
+      elsif @password != nil
+        logger.info "New password is #{@password}"
+        write_attribute("salt", UserAccount.hashed("salt-#{Time.now}"))
+        write_attribute("salted_password", UserAccount.salted_password(salt, UserAccount.hashed(@password)))
+      end
+      
+      @password = nil
+    end
+    
+    def new_security_token(hours = nil)
+      write_attribute('security_token', UserAccount.hashed(self.salted_password + Time.now.to_i.to_s + rand.to_s))
+      write_attribute('token_expiry', Time.at(Time.now.to_i + UserAccount.token_lifetime(hours)))
+      update_without_callbacks
+      return self.security_token
+    end
+    
+    private
+    # This method is called before a User object is saved to ensure that *all* users are
+    # given the default 'user' role. The name of this role is defined in 
+    # AccountEngine.user_role_name.
+    def add_user_role
+      user_role = Role.find_by_name(AccountEngine.user_role_name)
+      if user_role
+        self.roles << user_role
+      else
+        raise "Cannot find user-level role '#{AccountEngine.user_role_name}'!"
+      end
+    end
+    
+    public
+    # Returns true if this user is authorised to perform the given action. A
+    # user is authorized if one or more of the Roles which this user holds is
+    # associated with a Permission object which matches the current controller and
+    # action.
+    def authorized?(controller, action="index")
+      return true if self.admin?
+      
+      query = <<-EOS
+SELECT DISTINCT #{AccountEngine.permissions_table}.* 
+FROM #{AccountEngine.permissions_table}, #{AccountEngine.roles_table}, 
+     #{AccountEngine.permissions_roles_table}, #{AccountEngine.users_roles_table},
+     #{AccountEngine.users_table}
+WHERE #{AccountEngine.users_table}.id = :person
+AND #{AccountEngine.users_table}.id = #{AccountEngine.users_roles_table}.user_id
+AND #{AccountEngine.users_roles_table}.role_id = #{AccountEngine.roles_table}.id
+AND #{AccountEngine.roles_table}.id = #{AccountEngine.permissions_roles_table}.role_id
+AND #{AccountEngine.permissions_roles_table}.permission_id = #{AccountEngine.permissions_table}.id
+AND #{AccountEngine.permissions_table}.controller = :controller
+AND #{AccountEngine.permissions_table}.action = :action
+EOS
+
+      result = Permission.find_by_sql([query, {:person => self.id, :controller => controller.to_s, :action => action.to_s}])
+      return (result != nil) && (!result.empty?)   
+    end
+        
+  end
+end
+