kennedy 0.0.1

data/doc/top-level-namespace.html

@@ -0,0 +1,80 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <meta name="Content-Type" content="text/html; charset=UTF-8" />
+<title>Top Level Namespace</title>
+<link rel="stylesheet" href="css/style.css" type="text/css" media="screen" charset="utf-8" />
+<link rel="stylesheet" href="css/common.css" type="text/css" media="screen" charset="utf-8" />
+
+<script type="text/javascript" charset="utf-8">
+  relpath = '';
+  if (relpath != '') relpath += '/';
+</script>
+<script type="text/javascript" charset="utf-8" src="js/jquery.js"></script>
+<script type="text/javascript" charset="utf-8" src="js/app.js"></script>
+
+  </head>
+  <body>
+    <div id="header">
+      <div id="menu">
+  
+    <a href="_index.html">Index</a> &raquo; 
+    
+    
+    <span class="title">Top Level Namespace</span>
+  
+</div>
+
+      <div id="search">
+  <a id="class_list_link" href="#">Namespace List</a>
+  <a id="method_list_link" href="#">Method List</a>
+  <a id ="file_list_link" href="#">File List</a>
+</div>
+
+      <div class="clear"></div>
+    </div>
+    
+    <iframe id="search_frame"></iframe>
+    
+    <div id="content"><h1>Top Level Namespace 
+  
+  
+</h1>
+
+<dl class="box">
+  
+  
+    
+  
+    
+  
+  
+</dl>
+<div class="clear"></div>
+
+<h2>Defined Under Namespace</h2>
+<p class="children">
+   
+    
+      <strong class="modules">Modules:</strong> <a title="Kennedy" href="Kennedy.html">Kennedy</a>
+    
+   
+    
+  
+</p>
+
+
+
+
+
+</div>
+    
+    <div id="footer">
+  Generated on Tue Dec  8 16:39:39 2009 by 
+  <a href="http://yardoc.org" title="Yay! A Ruby Documentation Tool">yard</a>
+  0.4.0 (ruby-1.8.7).
+</div>
+
+  </body>
+</html>

data/kennedy.gemspec

@@ -0,0 +1,114 @@
+# Generated by jeweler
+# DO NOT EDIT THIS FILE DIRECTLY
+# Instead, edit Jeweler::Tasks in Rakefile, and run the gemspec command
+# -*- encoding: utf-8 -*-
+
+Gem::Specification.new do |s|
+  s.name = %q{kennedy}
+  s.version = "0.0.1"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.authors = ["gabrielg"]
+  s.date = %q{2009-12-09}
+  s.description = %q{Kennedy is out for Castronaut. A simple single-sign-on client and server library.}
+  s.email = %q{gabriel.gironda@gmail.com}
+  s.executables = ["kennedy-gen", "kennedy-gen"]
+  s.extra_rdoc_files = [
+    "LICENSE",
+     "README.markdown"
+  ]
+  s.files = [
+    ".document",
+     ".gitignore",
+     ".yardoc",
+     "LICENSE",
+     "MAIN.rdoc",
+     "README.markdown",
+     "Rakefile",
+     "VERSION",
+     "bin/kennedy-gen",
+     "doc/Kennedy.html",
+     "doc/Kennedy/Backends.html",
+     "doc/Kennedy/Backends/LDAP.html",
+     "doc/Kennedy/BadTicketException.html",
+     "doc/Kennedy/Granter.html",
+     "doc/Kennedy/Server.html",
+     "doc/Kennedy/Ticket.html",
+     "doc/_index.html",
+     "doc/class_list.html",
+     "doc/css/common.css",
+     "doc/css/full_list.css",
+     "doc/css/style.css",
+     "doc/file.README.html",
+     "doc/file_list.html",
+     "doc/index.html",
+     "doc/js/app.js",
+     "doc/js/full_list.js",
+     "doc/js/jquery.js",
+     "doc/method_list.html",
+     "doc/top-level-namespace.html",
+     "kennedy.gemspec",
+     "lib/kennedy.rb",
+     "lib/kennedy/backends/ldap.rb",
+     "lib/kennedy/generator.rb",
+     "lib/kennedy/granter.rb",
+     "lib/kennedy/instance_configuration.rb",
+     "lib/kennedy/server.rb",
+     "lib/kennedy/ticket.rb",
+     "logo.png",
+     "template/config.ru.erb",
+     "template/config/api_keys.yml.erb",
+     "template/config/backend.rb",
+     "template/config/encryption.yml.erb",
+     "template/config/sessions.yml.erb",
+     "test/granter_test.rb",
+     "test/ldap_backend_test.rb",
+     "test/server_test.rb",
+     "test/teststrap.rb",
+     "test/ticket_test.rb"
+  ]
+  s.homepage = %q{http://github.com/gabrielg/kennedy}
+  s.rdoc_options = ["--charset=UTF-8"]
+  s.require_paths = ["lib"]
+  s.rubygems_version = %q{1.3.5}
+  s.summary = %q{A simple single-sign-on client and server library.}
+  s.test_files = [
+    "test/granter_test.rb",
+     "test/ldap_backend_test.rb",
+     "test/server_test.rb",
+     "test/teststrap.rb",
+     "test/ticket_test.rb"
+  ]
+
+  if s.respond_to? :specification_version then
+    current_version = Gem::Specification::CURRENT_SPECIFICATION_VERSION
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::RubyGemsVersion) >= Gem::Version.new('1.2.0') then
+      s.add_development_dependency(%q<riot>, [">= 0"])
+      s.add_development_dependency(%q<maruku>, [">= 0"])
+      s.add_development_dependency(%q<yard>, [">= 0"])
+      s.add_runtime_dependency(%q<ruby-net-ldap>, [">= 0"])
+      s.add_runtime_dependency(%q<json>, [">= 0"])
+      s.add_runtime_dependency(%q<sinatra>, [">= 0"])
+      s.add_runtime_dependency(%q<rack>, [">= 0"])
+    else
+      s.add_dependency(%q<riot>, [">= 0"])
+      s.add_dependency(%q<maruku>, [">= 0"])
+      s.add_dependency(%q<yard>, [">= 0"])
+      s.add_dependency(%q<ruby-net-ldap>, [">= 0"])
+      s.add_dependency(%q<json>, [">= 0"])
+      s.add_dependency(%q<sinatra>, [">= 0"])
+      s.add_dependency(%q<rack>, [">= 0"])
+    end
+  else
+    s.add_dependency(%q<riot>, [">= 0"])
+    s.add_dependency(%q<maruku>, [">= 0"])
+    s.add_dependency(%q<yard>, [">= 0"])
+    s.add_dependency(%q<ruby-net-ldap>, [">= 0"])
+    s.add_dependency(%q<json>, [">= 0"])
+    s.add_dependency(%q<sinatra>, [">= 0"])
+    s.add_dependency(%q<rack>, [">= 0"])
+  end
+end
+

data/lib/kennedy.rb

@@ -0,0 +1,2 @@
+require 'kennedy/granter'
+require 'kennedy/backends/ldap'

data/lib/kennedy/backends/ldap.rb

@@ -0,0 +1,35 @@
+module Kennedy
+  module Backends
+    class LDAP
+      attr_writer :filter
+
+      # Creates a new LDAP auth backend with the given arguments
+      # @param [Hash] args The arguments to construct the backend with
+      # @option args [String] :host The LDAP server host to connect to
+      # @option args [Hash]   :auth The auth method ruby-net-ldap should use
+      # @option args [String] :base The treebase to check against
+      def initialize(args = {})
+        @host = args[:host] || raise(ArgumentError, "Host must be given as :host")
+        @auth = args[:auth] || raise(ArgumentError, "Auth must be given as :auth")
+        @base = args[:base] || raise(ArgumentError, "Base must be given as :base")
+        @filter = lambda { raise(ArgumentError, "Set a filter block on this object using the 'filter' writer") }
+      end
+      
+      # Authenticates the given credentials against LDAP
+      # @param [String] identifier The identifier to filter on
+      # @param [String] password The password to use
+      # @return [true, false] A boolean indicating authentication success
+      def authenticate(identifier, password)
+        filter_string = @filter.call(identifier)
+        !!ldap_conn.bind_as(:filter => filter_string, :password => password)
+      end
+    
+    private
+
+      def ldap_conn
+        @ldap_conn ||= Net::LDAP.new(:host => @host, :auth => @auth, :base => @base)
+      end
+
+    end # LDAP
+  end   # Backends
+end     # Kennedy

data/lib/kennedy/generator.rb

@@ -0,0 +1,69 @@
+require 'pathname'
+require 'erb'
+require 'fileutils'
+require 'digest/sha1'
+
+module Kennedy
+  class Generator
+    TemplateDir = (Pathname(__FILE__).parent.parent.parent + "template").expand_path
+    TemplateType = ".erb"
+
+    def run(arguments)
+      @app_name = arguments.first
+      raise ArgumentError, "An app name must be given" if @app_name.nil? || @app_name.empty?
+      create_destination_directory
+      copy_files
+    end
+  
+  private
+    
+    def create_destination_directory
+      @dest = Pathname(@app_name)
+      log_create(@dest)
+      @dest.mkpath
+    end
+
+    def copy_files
+      Pathname.glob("#{template_dir}/**/*").each do |pn|
+        next if pn.directory?
+        relative = pn.relative_path_from(TemplateDir)
+        dest_path = @dest + relative
+        unless dest_path.dirname.exist?
+          log_create(dest_path.dirname)
+          dest_path.dirname.mkpath
+        end
+        is_template?(pn) ? evaluate_and_write_template(pn, dest_path) : copy_file(pn, dest_path)
+      end
+    end
+    
+    def is_template?(path)
+      Pathname(path).extname == template_type
+    end
+    
+    def evaluate_and_write_template(path, dest)
+      dest = dest.sub(/#{Regexp.escape(dest.extname)}$/, "")
+      log_create(dest)
+      dest.open('w') do |f|
+        f << ERB.new(path.read).result(binding)
+      end
+    end
+    
+    def copy_file(path, dest)
+      log_create(dest)
+      FileUtils.cp_r(path.expand_path.to_s, dest.expand_path.to_s)
+    end
+
+    def template_type
+      TemplateType
+    end
+
+    def template_dir
+      TemplateDir
+    end
+
+    def log_create(path)
+      puts "Creating '#{path}'"
+    end
+
+  end
+end

data/lib/kennedy/granter.rb

@@ -0,0 +1,52 @@
+require 'kennedy/ticket'
+
+module Kennedy
+  # Granter is used to authenticate credentials and grant tickets to services
+  # once a client has been authenticated.
+  class Granter
+
+    # @param [Hash] args The arguments to create the granter with
+    # @option args [String] :iv The AES-256 initialization vector to use for encryption and decryption
+    # @option args [String] :passphrase The AES-256 passphrase to use for encryption and decryption
+    # @option args [Object] :backend An instance of a backend to use for authentication
+    def initialize(args = {})
+      @iv = args[:iv] || raise(ArgumentError, "Encryption IV must be given as :iv")
+      @passphrase = args[:passphrase] || raise(ArgumentError, "Encryption passphrase must be given as :passphrase")
+      @backend = args[:backend] || raise(ArgumentError, "Authentication backend must be given as :backend")
+    end
+    
+    # Authenticates the given credentials against the current backend
+    # @param [Hash] args The arguments to authenticate with
+    # @option args [String] :identifier The identifier (email address, for example) to use for authentication
+    # @option args [String] :password The password to use for authentication
+    # @return [true, false] A boolean indication of whether authentication was successful or not
+    def authenticate(args = {})
+      !!@backend.authenticate(args[:identifier], args[:password])
+    end
+    
+    # Generates a ticket object to pass back to clients requesting authentication
+    # @param [Hash] args The arguments to generate the ticket with
+    # @option args [String] :identifier The identifier (email address, for example) the ticket grants access for
+    # @return [Kennedy::Ticket] A Kennedy::Ticket object
+    def generate_ticket(args = {})
+      identifier = args[:identifier] || raise(ArgumentError, "An identifier must be given as :identifier")
+      new_ticket(identifier)
+    end
+    
+    def read_ticket(args = {})
+      data = args[:data] || raise(ArgumentError, "Data must be given as :data")
+      decrypt_ticket(args[:data])
+    end
+
+  private
+
+    def decrypt_ticket(data)
+      Kennedy::Ticket.from_encrypted(:data => data, :iv => @iv, :passphrase => @passphrase)
+    end
+
+    def new_ticket(identifier)
+      Kennedy::Ticket.create(:identifier => identifier, :iv => @iv, :passphrase => @passphrase)
+    end
+
+  end # Granter
+end

data/lib/kennedy/instance_configuration.rb

@@ -0,0 +1,58 @@
+require 'yaml'
+require 'pathname'
+
+module Kennedy
+  class InstanceConfiguration
+    attr_reader :backend, :encryption, :api_keys
+
+    RequiredFiles = %w[backend.rb
+                       encryption.yml
+                       sessions.yml
+                       api_keys.yml]
+
+    class << self
+      private :new
+    end
+    
+    def initialize(config_dir)
+      @config_dir = config_dir
+      load_backend
+      load_encryption
+      load_sessions
+      load_api_keys
+    end
+
+    def self.load_config(config_dir)
+      config_dir = Pathname(config_dir)
+      raise ArgumentError, "Config dir '#{config_dir}' does not exist" unless config_dir.exist?
+      RequiredFiles.each do |rf|
+        expected = config_dir + rf
+        raise ArgumentError, "Expected config file '#{expected}' to exist" unless expected.exist?
+      end
+      new(config_dir)
+    end
+    
+    def session_secret
+      @sessions['secret']
+    end
+
+  private
+
+    def load_backend
+      @backend = eval(File.read(@config_dir + "backend.rb"))
+    end
+    
+    def load_encryption
+      @encryption = YAML.load_file(@config_dir + "encryption.yml")
+    end
+
+    def load_sessions
+      @sessions = YAML.load_file(@config_dir + "sessions.yml")
+    end
+
+    def load_api_keys
+      @api_keys = YAML.load_file(@config_dir + "api_keys.yml")
+    end
+
+  end # InstanceConfiguration
+end   # Kennedy

data/lib/kennedy/server.rb

@@ -0,0 +1,164 @@
+require 'sinatra/base'
+require 'json'
+require 'base64'
+require 'rack/session/cookie'
+require 'kennedy'
+
+module Kennedy
+  class Server < Sinatra::Base
+    disable :session
+    
+    # Creates a new subclass of Kennedy::Server with the given options
+    # @param [Hash] opts The options to use when building the subclass
+    # @option opts [Hash]   :encryption     The IV and passphrase to use when generating tickets, given as
+    #                                       :iv and :passphrase keys in a Hash.
+    # @option opts [Object] :backend        An instance of a backend to use for authentication.
+    # @option opts [String] :session_secret A secret for Rack::Session::Cookie to use when generating session
+    #                                       cookies.
+    # @option opts [Hash]   :api_keys       A hash of key-value pairs to use as API users/keys with HTTP basic
+    #                                       authentication
+    #                    
+    def self.create(opts = {})
+      sc = Class.new(self)
+      sc.instance_eval do
+        opts.each { |k,v| set k.to_sym, v }
+        raise ArgumentError, "A session secret must be set with :session_secret" unless defined?(session_secret)
+        add_cookie_middleware
+        set :api_keys, (defined?(api_keys) ? api_keys : {})
+        set :require_ssl, (defined?(require_ssl) ? require_ssl : true)
+      end
+    end
+    
+    # Ensures all connections come in over SSL
+    before do
+      next unless require_ssl?
+      unless (request.env['HTTP_X_FORWARDED_PROTO'] || request.env['rack.url_scheme']) == 'https'
+        halt 403, "Only SSL connections are accepted."
+      end
+    end
+    
+    # Ensures all connections come in requesting JSON
+    before do
+      unless request.content_type == 'application/json'
+        halt 415, "Only JSON requests are accepted."
+      end
+    end
+    
+    # Parses request body as JSON
+    before do
+      begin
+        @json = JSON.parse(request.body.read)
+      rescue
+        @json = {}
+      end
+    end
+    
+    # Takes incoming requests with a 'ticket' property in the JSON body and decrypts the ticket,
+    # returning an identifier as the 'identifier' property in the JSON response body if the
+    # ticket is valid and unexpired.
+    post "/validation_request" do
+      content_type "application/json"
+      require_api_authentication
+      begin
+        encrypted_ticket = Base64.decode64(@json['ticket'])
+        ticket = granter.read_ticket(:data => encrypted_ticket)
+        if ticket.expired?
+          [406, {'error' => 'expired_ticket'}.to_json]
+        else
+          [200, {'identifier' => ticket.identifier}.to_json]
+        end
+      rescue => e
+        [406, {'error' => 'bad_ticket'}.to_json]
+      end
+    end
+
+    # Takes incoming requests and generates an encrypted and Base64 encoded ticket in the 'ticket'
+    # property of the JSON response if the user has a valid session.
+    get '/session' do
+      content_type "application/json"
+      if session['identifier']
+        ticket = granter.generate_ticket(:identifier => session['identifier'])
+        [200, {'ticket' => Base64.encode64(ticket.to_encrypted)}.to_json]
+      else
+        [401, {'error' => 'authentication_required'}.to_json]
+      end
+    end
+    
+    # Creates a session if authentication with the given credentials passed as 'identifier' and
+    # 'password' in the JSON body is successful.
+    post '/session' do
+      credentials = @json['credentials']
+      content_type "application/json"
+      if credentials.nil? || !granter.authenticate(:identifier => credentials['identifier'], :password => credentials['password'])
+        [406, {'error' => 'bad_credentials'}.to_json]
+      else
+        session['identifier'] = credentials['identifier']
+        [201, {'success' => 'session_created'}.to_json]
+      end
+    end
+    
+    # Destroys an existing session.
+    delete '/session' do
+      request.session.clear
+      [200, {'success' => 'session_destroyed'}.to_json]
+    end
+
+  private
+    
+    def auth
+      @auth ||= Rack::Auth::Basic::Request.new(request.env)
+    end
+
+    def authorized?
+      request.env['REMOTE_USER']
+    end
+    
+    def unauthorized!(realm = "Kennedy")
+      headers 'WWW-Authenticate' => %(Basic realm="#{realm}")
+      throw :halt, [401, {'error' => 'authentication_required'}.to_json]
+    end
+
+    def bad_request!
+      throw :halt, [400, {'error' => 'bad_request'}.to_json]
+    end
+    
+    def authorize(username, password)
+      api_keys.has_key?(username) && api_keys[username] == password
+    end
+
+    def require_api_authentication
+      return if authorized?
+      unauthorized! unless auth.provided?
+      bad_request! unless auth.basic?
+      unauthorized! unless authorize(*auth.credentials)
+      request.env['REMOTE_USER'] = auth.username
+    end
+
+    def self.add_cookie_middleware
+      use Rack::Session::Cookie, :secret => session_secret
+    end
+    
+    def granter
+      @granter ||= Kennedy::Granter.new(:iv => encryption[:iv], :passphrase => encryption[:passphrase],
+                                        :backend => backend)
+    end
+
+    def encryption
+      self.class.encryption
+    end
+
+    def backend
+      self.class.backend
+    end
+    
+    def api_keys
+      self.class.api_keys
+    end
+    
+    def require_ssl?
+      !!options.require_ssl
+    end
+
+  end # Server
+end   # Kennedy
+