kingsman 0.0.0.beta → 0.1.0

data/lib/kingsman/strategies/authenticatable.rb

@@ -0,0 +1,178 @@
+# frozen_string_literal: true
+
+require 'kingsman/strategies/base'
+
+module Kingsman
+  module Strategies
+    # This strategy should be used as basis for authentication strategies. It retrieves
+    # parameters both from params or from http authorization headers. See database_authenticatable
+    # for an example.
+    class Authenticatable < Base
+      attr_accessor :authentication_hash, :authentication_type, :password
+
+      def store?
+        super && !mapping.to.skip_session_storage.include?(authentication_type)
+      end
+
+      def valid?
+        valid_for_params_auth? || valid_for_http_auth?
+      end
+
+      # Override and set to false for things like OmniAuth that technically
+      # run through Authentication (user_set) very often, which would normally
+      # reset CSRF data in the session
+      def clean_up_csrf?
+        true
+      end
+
+    private
+
+      # Receives a resource and check if it is valid by calling valid_for_authentication?
+      # A block that will be triggered while validating can be optionally
+      # given as parameter. Check Kingsman::Models::Authenticatable.valid_for_authentication?
+      # for more information.
+      #
+      # In case the resource can't be validated, it will fail with the given
+      # unauthenticated_message.
+      def validate(resource, &block)
+        result = resource && resource.valid_for_authentication?(&block)
+
+        if result
+          true
+        else
+          if resource
+            fail!(resource.unauthenticated_message)
+          end
+          false
+        end
+      end
+
+      # Get values from params and set in the resource.
+      def remember_me(resource)
+        resource.remember_me = remember_me? if resource.respond_to?(:remember_me=)
+      end
+
+      # Should this resource be marked to be remembered?
+      def remember_me?
+        valid_params? && Kingsman::TRUE_VALUES.include?(params_auth_hash[:remember_me])
+      end
+
+      # Check if this is a valid strategy for http authentication by:
+      #
+      #   * Validating if the model allows http authentication;
+      #   * If any of the authorization headers were sent;
+      #   * If all authentication keys are present;
+      #
+      def valid_for_http_auth?
+        http_authenticatable? && request.authorization && with_authentication_hash(:http_auth, http_auth_hash)
+      end
+
+      # Check if this is a valid strategy for params authentication by:
+      #
+      #   * Validating if the model allows params authentication;
+      #   * If the request hits the sessions controller through POST;
+      #   * If the params[scope] returns a hash with credentials;
+      #   * If all authentication keys are present;
+      #
+      def valid_for_params_auth?
+        params_authenticatable? && valid_params_request? &&
+          valid_params? && with_authentication_hash(:params_auth, params_auth_hash)
+      end
+
+      # Check if the model accepts this strategy as http authenticatable.
+      def http_authenticatable?
+        mapping.to.http_authenticatable?(authenticatable_name)
+      end
+
+      # Check if the model accepts this strategy as params authenticatable.
+      def params_authenticatable?
+        mapping.to.params_authenticatable?(authenticatable_name)
+      end
+
+      # Extract the appropriate subhash for authentication from params.
+      def params_auth_hash
+        params[scope]
+      end
+
+      # Extract a hash with attributes:values from the http params.
+      def http_auth_hash
+        keys = [http_authentication_key, :password]
+        Hash[*keys.zip(decode_credentials).flatten]
+      end
+
+      # By default, a request is valid if the controller set the proper env variable.
+      def valid_params_request?
+        !!env["kingsman.allow_params_authentication"]
+      end
+
+      # If the request is valid, finally check if params_auth_hash returns a hash.
+      def valid_params?
+        params_auth_hash.is_a?(Hash)
+      end
+
+      # Note: unlike `Model.valid_password?`, this method does not actually
+      # ensure that the password in the params matches the password stored in
+      # the database. It only checks if the password is *present*. Do not rely
+      # on this method for validating that a given password is correct.
+      def valid_password?
+        password.present?
+      end
+
+      # Helper to decode credentials from HTTP.
+      def decode_credentials
+        return [] unless request.authorization && request.authorization =~ /^Basic (.*)/mi
+        Base64.decode64($1).split(/:/, 2)
+      end
+
+      # Sets the authentication hash and the password from params_auth_hash or http_auth_hash.
+      def with_authentication_hash(auth_type, auth_values)
+        self.authentication_hash, self.authentication_type = {}, auth_type
+        self.password = auth_values[:password]
+
+        parse_authentication_key_values(auth_values, authentication_keys) &&
+        parse_authentication_key_values(request_values, request_keys)
+      end
+
+      def authentication_keys
+        @authentication_keys ||= mapping.to.authentication_keys
+      end
+
+      def http_authentication_key
+        @http_authentication_key ||= mapping.to.http_authentication_key || case authentication_keys
+          when Array then authentication_keys.first
+          when Hash then authentication_keys.keys.first
+        end
+      end
+
+      def request_keys
+        @request_keys ||= mapping.to.request_keys
+      end
+
+      def request_values
+        keys = request_keys.respond_to?(:keys) ? request_keys.keys : request_keys
+        values = keys.map { |k| self.request.send(k) }
+        Hash[keys.zip(values)]
+      end
+
+      def parse_authentication_key_values(hash, keys)
+        keys.each do |key, enforce|
+          value = hash[key].presence
+          if value
+            self.authentication_hash[key] = value
+          else
+            return false unless enforce == false
+          end
+        end
+        true
+      end
+
+      # Holds the authenticatable name for this class. Kingsman::Strategies::DatabaseAuthenticatable
+      # becomes simply :database.
+      def authenticatable_name
+        @authenticatable_name ||=
+          ActiveSupport::Inflector.underscore(self.class.name.split("::").last).
+            sub("_authenticatable", "").to_sym
+      end
+    end
+  end
+end

data/lib/kingsman/strategies/base.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module Kingsman
+  module Strategies
+    # Base strategy for Kingsman. Responsible for verifying correct scope and mapping.
+    class Base < ::Warden::Strategies::Base
+      # Whenever CSRF cannot be verified, we turn off any kind of storage
+      def store?
+        !env["kingsman.skip_storage"]
+      end
+
+      # Checks if a valid scope was given for kingsman and find mapping based on this scope.
+      def mapping
+        @mapping ||= begin
+          mapping = Kingsman.mappings[scope]
+          raise "Could not find mapping for #{scope}" unless mapping
+          mapping
+        end
+      end
+    end
+  end
+end

data/lib/kingsman/strategies/database_authenticatable.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'kingsman/strategies/authenticatable'
+
+module Kingsman
+  module Strategies
+    # Default strategy for signing in a user, based on their email and password in the database.
+    class DatabaseAuthenticatable < Authenticatable
+      def authenticate!
+        resource  = password.present? && mapping.to.find_for_database_authentication(authentication_hash)
+        hashed = false
+
+        if validate(resource){ hashed = true; resource.valid_password?(password) }
+          remember_me(resource)
+          resource.after_database_authentication
+          success!(resource)
+        end
+
+        # In paranoid mode, hash the password even when a resource doesn't exist for the given authentication key.
+        # This is necessary to prevent enumeration attacks - e.g. the request is faster when a resource doesn't
+        # exist in the database if the password hashing algorithm is not called.
+        mapping.to.new.password = password if !hashed && Kingsman.paranoid
+        unless resource
+          Kingsman.paranoid ? fail(:invalid) : fail(:not_found_in_database)
+        end
+      end
+    end
+  end
+end
+
+Warden::Strategies.add(:database_authenticatable, Kingsman::Strategies::DatabaseAuthenticatable)

data/lib/kingsman/strategies/rememberable.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+require 'kingsman/strategies/authenticatable'
+
+module Kingsman
+  module Strategies
+    # Remember the user through the remember token. This strategy is responsible
+    # to verify whether there is a cookie with the remember token, and to
+    # recreate the user from this cookie if it exists. Must be called *before*
+    # authenticatable.
+    class Rememberable < Authenticatable
+      # A valid strategy for rememberable needs a remember token in the cookies.
+      def valid?
+        @remember_cookie = nil
+        remember_cookie.present?
+      end
+
+      # To authenticate a user we deserialize the cookie and attempt finding
+      # the record in the database. If the attempt fails, we pass to another
+      # strategy handle the authentication.
+      def authenticate!
+        resource = mapping.to.serialize_from_cookie(*remember_cookie)
+
+        unless resource
+          cookies.delete(remember_key)
+          return pass
+        end
+
+        if validate(resource)
+          remember_me(resource) if extend_remember_me?(resource)
+          resource.after_remembered
+          success!(resource)
+        end
+      end
+
+      # No need to clean up the CSRF when using rememberable.
+      # In fact, cleaning it up here would be a bug because
+      # rememberable is triggered on GET requests which means
+      # we would render a page on first access with all csrf
+      # tokens expired.
+      def clean_up_csrf?
+        false
+      end
+
+    private
+
+      def extend_remember_me?(resource)
+        resource.respond_to?(:extend_remember_period) && resource.extend_remember_period
+      end
+
+      def remember_me?
+        true
+      end
+
+      def remember_key
+        mapping.to.rememberable_options.fetch(:key, "remember_#{scope}_token")
+      end
+
+      def remember_cookie
+        @remember_cookie ||= cookies.signed[remember_key]
+      end
+
+    end
+  end
+end
+
+Warden::Strategies.add(:rememberable, Kingsman::Strategies::Rememberable)

data/lib/kingsman/token_generator.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require 'openssl'
+
+module Kingsman
+  class TokenGenerator
+    def initialize(key_generator, digest = "SHA256")
+      @key_generator = key_generator
+      @digest = digest
+    end
+
+    def digest(klass, column, value)
+      value.present? && OpenSSL::HMAC.hexdigest(@digest, key_for(column), value.to_s)
+    end
+
+    def generate(klass, column)
+      key = key_for(column)
+
+      loop do
+        raw = Kingsman.friendly_token
+        enc = OpenSSL::HMAC.hexdigest(@digest, key, raw)
+        break [raw, enc] unless klass.to_adapter.find_first({ column => enc })
+      end
+    end
+
+    private
+
+    def key_for(column)
+      @key_generator.generate_key("Kingsman #{column}")
+    end
+  end
+end

data/lib/kingsman/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Kingsman
-  VERSION = "0.0.0.beta"
+  VERSION = "0.1.0"
 end