isaca-rails 0.2.0

data/lib/generators/isaca/rails/install/templates/add_isaca_to_existing_users.rb.erb

@@ -0,0 +1,17 @@
+class AddIsaca<%= name.pluralize.camelize %> < ActiveRecord::Migration<%= migration_version %>
+  def change
+    <%= "add_column #{model_symbol_string(name)}, :imis_id, :string" unless model_has_column? name, :imis_id %>
+    <%= "add_index #{model_symbol_string(name)}, :imis_id, unique: true" unless model_has_column? name, :imis_id %>
+    <%= "add_column #{model_symbol_string(name)}, :imis_expiration_date, :datetime" unless model_has_column? name, :imis_expiration_date %>
+    <%= "add_column #{model_symbol_string(name)}, :imis_member_type, :string" unless model_has_column? name, :imis_member_type %>
+    <%= "add_column #{model_symbol_string(name)}, :imis_enterprise_id, :string" unless model_has_column? name, :imis_enterprise_id %>
+    <%= "add_column #{model_symbol_string(name)}, :imis_active_member, :boolean" unless model_has_column? name, :imis_active_member %>
+    <%= "add_column #{model_symbol_string(name)}, :email, :string" unless model_has_column? name, :email %>
+    <%= "add_column #{model_symbol_string(name)}, :first_name, :string" unless model_has_column? name, :first_name %>
+    <%= "add_column #{model_symbol_string(name)}, :last_name, :string" unless model_has_column? name, :last_name %>
+    <%= "add_column #{model_symbol_string(name)}, :username, :string" unless model_has_column? name, :username %>
+    <%= "add_column #{model_symbol_string(name)}, :country, :string" unless model_has_column? name, :country %>
+    <%= "add_column #{model_symbol_string(name)}, :admin, :boolean, default: false, null: false" unless model_has_column? name, :admin %>
+    <%= "add_column #{model_symbol_string(name)}, :last_sign_in_at, :datetime" unless model_has_column? name, :last_sign_in_at %>
+  end
+end

data/lib/generators/isaca/rails/install/templates/add_isaca_users.rb.erb

@@ -0,0 +1,21 @@
+class AddIsaca<%= name.pluralize.camelize %> < ActiveRecord::Migration<%= migration_version %>
+  def change
+    create_table <%= model_symbol_string(name) %> do |t|
+      t.timestamps null: false
+      t.string :imis_id, null: false
+      t.datetime :imis_expiration_date
+      t.boolean :imis_active_member
+      t.string :imis_member_type
+      t.string :imis_enterprise_id
+      t.string :email
+      t.string :first_name
+      t.string :last_name
+      t.string :username
+      t.string :country
+      t.boolean :admin, default: false, null: false
+      t.datetime :last_sign_in_at
+    end
+
+    add_index <%= model_symbol_string(name) %>, :imis_id, unique: true
+  end
+end

data/lib/generators/isaca/rails/install/templates/claim.rb.erb

@@ -0,0 +1,13 @@
+class Claim < ApplicationRecord
+  enum privilege: {
+    read_administrators: 100,
+    write_administrators: 101,
+    read_claims: 102,
+    write_claims: 103
+  }
+
+  belongs_to :<%= name.downcase.singularize.to_sym %>
+  validates :<%= name.downcase.singularize.to_sym %>, presence: true
+  validates :privilege, presence: true
+  validates_uniqueness_of :privilege, scope: :<%= name.downcase.singularize.to_sym %>, message: '<%= name.singularize.humanize %> already has privilege'
+end

data/lib/generators/isaca/rails/install/templates/isaca-rails.rb

@@ -0,0 +1,4 @@
+Isaca::Rails.configure do |config|
+  # config.user_model = ::User
+  # config.redirect_for_consent = true
+end

data/lib/generators/isaca/rails/install/templates/isaca.rb

@@ -0,0 +1,5 @@
+Isaca.configure do |config|
+  config.url = 'http://isaca-dev-stage-sp-2420.centralus.cloudapp.azure.com:7777/isacaservices/Service1.svc'
+  config.secret_pass = ENV["ISACA_SECRET_PASS"]
+  config.user_agent = 'my_application'
+end

data/lib/generators/isaca/rails/install/templates/user.rb.erb

@@ -0,0 +1,3 @@
+class <%= name.singularize.classify %> < ApplicationRecord
+  include Isaca::Rails::User
+end

data/lib/isaca/rails/authentication.rb

@@ -0,0 +1,166 @@
+module Isaca
+  module Rails
+    module Authentication
+      extend ActiveSupport::Concern
+
+      included do
+        helper_method :current_isaca_user
+        helper_method :user_signed_in?
+        helper_method :isaca_requires_consent?
+        helper_method :redirect_for_consent?
+      end
+
+      # Checks to see if there is a current_isaca_user, if not it redirects to the new_session_path. This method is intended
+      # to be used with before_action.
+      #
+      # @return nil
+      def authenticate_isaca_user
+        if user_signed_in?
+          if request.path != user_consent_path && redirect_for_consent?
+            session[:after_sign_in_path] = request.fullpath if request.get?
+            flash.alert = t('isaca.rails.user_consent.consent_required')
+            redirect_to user_consent_path
+          end
+        else
+          session[:after_sign_in_path] = request.fullpath if request.get?
+          flash.alert = t('isaca.rails.sessions.sign_in_required')
+          redirect_to sign_in_path
+        end
+      end
+
+      # A helper method for referencing the user who is currently logged in.
+      #
+      # @return [ActiveModel::Model|nil]
+      def current_isaca_user
+        return @current_isaca_user if @current_isaca_user
+
+        begin
+          set_current_isaca_user if token_cookie_exists?
+        rescue Isaca::ServiceError => e
+          Rails.logger.warn("Error occurred while setting the current isaca user: #{e.message}")
+        end
+      end
+
+      # Method used to to login a user and set the token
+      #
+      # @param username [String] The user's username
+      # @param password [String] The user's password
+      #
+      # @return [Boolean] Whether or not the user's record was updated with the last_sign_in_at datetime
+      def authenticate(username, password)
+        session = Isaca::Request::AuthenticateUser.get(username, password)
+        raise Isaca::SessionError.new(session.value) unless session.is_valid?
+        isaca_sign_in(session.value)
+        current_isaca_user.update_attribute(:last_sign_in_at, DateTime.current)
+      end
+
+      # Destroys the user token and sets the current_isaca_user attribute to nil
+      #
+      # @param [Hash] params Optional
+      # @option params [String] token The session token to be deleted.
+      #
+      # @return nil
+      def isaca_sign_out(**params)
+        token = nil
+        params && params[:token] ? (token = params[:token]) : (token = cookies['Token'] if token_cookie_exists?)
+
+        if token && Isaca::Request::LogOut.get(token)
+          cookies.delete('Token', domain: :all) if token_cookie_exists?
+          @current_isaca_user = nil
+          reset_session
+        end
+      end
+
+      # Helper method to check and see if the current_isaca_user attribute exists
+      #
+      # @return [Boolean] The truthiness of the current_isaca_user attribute
+      def user_signed_in?
+        !current_isaca_user.nil?
+      end
+
+      def isaca_requires_consent?
+        user_signed_in? && !current_isaca_user.privacy
+      end
+
+      # Helper method to redirect to a saved path or fallback
+      #
+      # @param fallback [String] Path to visit if session[:after_sign_in_path] does not exist
+      def redirect_after_sign_in_or(fallback)
+        redirect_to(session[:after_sign_in_path] || fallback)
+        session.delete(:after_sign_in_path)
+      end
+
+      # Helper method used to check the conditions for redirecting for consent
+      #
+      # @return [Boolean] Whether or not a redirect is required
+      def redirect_for_consent?
+        isaca_requires_consent? && Isaca::Rails.configuration.redirect_for_consent
+      end
+
+      private
+
+      # Creates a 'Token' cookie
+      #
+      # @param token [String] - The user's session token
+      #
+      # @return [String] - Returns the provided token
+      def isaca_sign_in(token)
+        opts = ::Rails.env.production? ? {secure: true} : {secure: false}
+        cookies['Token'] = {value: token, domain: :all, httponly: true}.merge(opts)
+      end
+
+      # Method used to create or find a user model based on an existing 'Token' cookie
+      #
+      # @return [ActiveModel::Model]
+      #
+      # @raise [Isaca::ServiceError] An error can be raised by {Isaca::Request::GetUserDetailsByToken#get} or {Isaca::Request::GetUserByID#get}
+      def set_current_isaca_user
+        # Using the Token cookie we can fetch our users details from isaca
+        isaca_user = Isaca::Request::GetUserDetailsByToken.get(cookies['Token'])
+
+        # The GetUserDetailsByToken endpoint does not return everything we need, we need to supplement our attributes
+        # by fetching the GetUserByID endpoint as well.
+        membership = Isaca::Request::GetUserByID.get(isaca_user.imis_id)
+
+        # Set all the aggregated user data to a hash for user record creation or user record updating
+        attributes = {
+            imis_enterprise_id: isaca_user.enterprise_id,
+            first_name: isaca_user.first_name,
+            last_name: isaca_user.last_name,
+            email: isaca_user.email,
+            username: isaca_user.username,
+            country: isaca_user.country,
+            imis_member_type: membership.member_type,
+            imis_expiration_date: membership.expiration_date
+        }
+
+        # Since isaca-rails allows configurable user models, we need to pull the model type from the configuration.
+        klass = Isaca::Rails.configuration.user_model
+
+        # Fetch the first record with a matching imis id or initialize a new record with the given user data.
+        @current_isaca_user = klass.create_with(attributes).find_or_initialize_by(imis_id: isaca_user.imis_id)
+
+        # Update the old user record or save a new user record
+        if @current_isaca_user.new_record?
+          @current_isaca_user.save
+        else
+          @current_isaca_user.update_attributes(attributes)
+        end
+
+        # Temporal data so we do not need dedicated columns for this but we do need to associate it with the user
+        @current_isaca_user.privacy = isaca_user.privacy
+        @current_isaca_user.marketing = isaca_user.marketing
+
+        # Return the current isaca user
+        @current_isaca_user
+      end
+
+      # Checks to see if a 'Token' cookie exists
+      #
+      # @return [Boolean] Whether or not the `Token` cookie exists
+      def token_cookie_exists?
+        cookies && cookies.key?('Token')
+      end
+    end
+  end
+end

data/lib/isaca/rails/authorization.rb

@@ -0,0 +1,51 @@
+module Isaca
+  module Rails
+    module Authorization
+      extend ActiveSupport::Concern
+
+      included do
+        helper_method :user_has_privilege?
+      end
+
+      def authorize_isaca_user
+        if current_isaca_user.admin?
+          if %w(index new show create update destroy).include?(action_name)
+            if %w(index show).include?(action_name)
+              behavior = 'read'
+            else
+              behavior = 'write'
+            end
+          else
+            if %w(GET).include?(request.method)
+              behavior = 'read'
+            else
+              behavior = 'write'
+            end
+          end
+
+          privilege = "#{behavior}_#{controller_name.underscore}".to_sym
+          unless user_has_privilege?(current_isaca_user, privilege)
+            redirect_to root_path, alert: "#{t('isaca.rails.claims.admin_required')} Missing claim: #{privilege}."
+          end
+        else
+          redirect_to root_path, alert: t('isaca.rails.claims.admin_required')
+        end
+      end
+
+      def user_has_privilege?(user, privilege)
+        user.claims.select {|c| c.privilege.to_sym == privilege}.any?
+      end
+
+      def claim_symbols(claim_params, state)
+        case state
+        when :destroyable
+          claim_params.select {|k,v| v == '0'}.keys.map(&:to_sym)
+        when :creatable
+          claim_params.select {|k,v| v == '1'}.keys.map(&:to_sym)
+        else
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/isaca/rails/controller.rb

@@ -0,0 +1,14 @@
+require 'isaca/rails/authentication'
+require 'isaca/rails/authorization'
+
+# This class is meant to be included in Rails controllers where you want authentication/authorization
+module Isaca
+  module Rails
+    module Controller
+      extend ActiveSupport::Concern
+
+      include Isaca::Rails::Authentication
+      include Isaca::Rails::Authorization
+    end
+  end
+end

data/lib/isaca/rails/engine.rb

@@ -0,0 +1,7 @@
+module Isaca
+  module Rails
+    class Engine < ::Rails::Engine
+      config.assets.precompile += %w(isaca/rails/isaca-logo.png)
+    end
+  end
+end

data/lib/isaca/rails/user.rb

@@ -0,0 +1,16 @@
+module Isaca
+  module Rails
+    module User
+      extend ActiveSupport::Concern
+
+      included do
+        attr_accessor :privacy, :marketing, :country
+
+        has_many :claims
+
+        validates :imis_id, presence: true, uniqueness: true
+        validates :imis_member_type, presence: true, inclusion: %w(student member non_member)
+      end
+    end
+  end
+end

data/lib/isaca/rails/version.rb

@@ -0,0 +1,5 @@
+module Isaca
+  module Rails
+    VERSION = '0.2.0'
+  end
+end

data/lib/isaca/rails.rb

@@ -0,0 +1,83 @@
+require "isaca"
+require "isaca/rails/engine"
+require "isaca/rails/controller"
+require "isaca/rails/user"
+
+module Isaca
+  module Rails
+    class << self
+      attr_accessor :configuration
+      # @!attribute configuration
+      #   @return [Isaca::Rails::Configuration] Object used to configure the engine
+    end
+
+
+    # Configuration block used to configure the engine.
+    #
+    # @yield [Isaca::Rails::Configuration]
+    #
+    # @example An example configuration
+    #     Isaca::Rails.configure do |config|
+    #       config.user_model = ::Person
+    #     end
+    def self.configure
+      yield configuration
+      self.configuration
+    end
+
+    # Method used to fetch the configuration object
+    #
+    # @return [Isaca::Rails::Configuration]
+    def self.configuration
+      @configuration ||= Configuration.new
+    end
+
+    # Method used to reset configuration. Primarily required during testing.
+    #
+    # @return [Isaca::Rails::Configuration]
+    def self.reset
+      @configuration = Configuration.new
+    end
+
+    # Method used during testing to temporarily set configurations and then immediately reset the configuration
+    #
+    # @example An example configuration
+    #     Isaca::Rails.test_configure do |config|
+    #       config.user_model = ::Person
+    #
+    #       assert_equal ::Person, Isaca::Rails.configuration.user_model
+    #     end
+    #
+    # @return [Isaca::Rails::Configuration]
+    def self.test_configure
+      yield configuration
+      self.reset
+    end
+
+    class Configuration
+      # ActiveRecord class that represents the users of your application. Should return an ActiveRecord class.
+      #
+      # You can set the user_model in the configuration for this engine.
+      #
+      # Isaca::Rails.configure {|config| config.user_model = ::Person}
+      #
+      # Default `::User`
+      attr_accessor :user_model
+
+      # Whether or not users should be redirected and required to provide consent if they have not already
+      #
+      # Isaca::Rails.configure {|config| config.redirect_for_consent = ::Person}
+      #
+      # Default true
+      attr_accessor :redirect_for_consent
+
+      def initialize
+        @redirect_for_consent = true
+      end
+
+      def user_model
+        @user_model ||= ::User
+      end
+    end
+  end
+end

data/lib/tasks/isaca/rails_tasks.rake

@@ -0,0 +1,4 @@
+# desc "Explaining what the task does"
+# task :isaca_rails do
+#   # Task goes here
+# end