kraut 0.5.6

data/lib/kraut/kraut.rb

@@ -0,0 +1,21 @@
+module Kraut
+
+  class Error < RuntimeError; end
+  class InvalidAuthorization < Error; end
+  class InvalidAuthentication < Error; end
+  class ApplicationAccessDenied < Error; end
+  class InvalidPrincipalToken < Error; end
+  class UnknownError < Error; end
+
+  class << self
+
+    attr_accessor :endpoint
+
+    def namespace
+      @namespace ||= "http://authentication.integration.crowd.atlassian.com"
+    end
+
+    attr_writer :namespace
+
+  end
+end

data/lib/kraut/mapper.rb

@@ -0,0 +1,20 @@
+module Kraut
+
+  # = Kraut::Mapper
+  #
+  # Contains methods for mapping attributes.
+  module Mapper
+
+    # Accepts a Hash of +attributes+ and assigns them via writer methods.
+    # Calls an <tt>after_initialize</tt> method if available.
+    def initialize(attributes = nil)
+      mass_assign! attributes
+    end
+
+    # Expects a Hash of +attributes+ and assigns them via attribute writers.
+    def mass_assign!(attributes)
+      attributes.each { |key, value| send "#{key}=", value } if attributes
+    end
+
+  end
+end

data/lib/kraut/principal.rb

@@ -0,0 +1,85 @@
+# -*- encoding : utf-8 -*-
+require "kraut/client"
+require "kraut/mapper"
+require "kraut/application"
+
+module Kraut
+
+  # = Kraut::Principal
+  #
+  # Represents a principal registered with Crowd.
+  class Principal
+    include Mapper
+
+    # Expects a +name+ and +password+ and returns a new authenticated <tt>Kraut::Principal</tt>.
+    def self.authenticate(name, password)
+      response = Client.auth_request :authenticate_principal, :in1 => {
+        "aut:application" => Application.name,
+        "aut:credential" => { "aut:credential" => password }, "aut:name" => name
+      }
+
+      new :name => name, :password => password, :token => response[:out].to_s
+    end
+
+    def self.find_by_token(token)
+      response = Client.auth_request :find_principal_by_token, :in1 => token.to_s
+
+      # assumption: this works without failure since the auth_request raises an error if the request was not successful!
+      new :name => response[:out][:name].to_s, :token => token.to_s
+    end
+
+    attr_accessor :name, :password, :token
+
+    # Returns the principal name to display.
+    def display_name
+      attributes[:display_name]
+    end
+
+    # Returns the principal's email address.
+    def email
+      attributes[:mail]
+    end
+
+    # Returns whether the principal's password is expired. Principals with an expired password
+    # are still able to authenticate and access your application if you do not use this method.
+    def requires_password_change?
+      attributes[:requires_password_change]
+    end
+
+    # Returns a Hash of attributes for the principal.
+    def attributes
+      @attributes ||= find_attributes
+    end
+
+    attr_writer :attributes
+
+    # Returns whether the principal is a member of a given +group+.
+    def member_of?(group)
+      return groups[group] unless groups[group].nil?
+      groups[group] = Client.auth_request(:is_group_member, :in1 => group, :in2 => name)[:out]
+    end
+
+    def groups
+      @groups ||= {}
+    end
+
+    attr_writer :groups
+
+  private
+
+    # Retrieves attributes for the current principal.
+    def find_attributes
+      response = Client.auth_request(:find_principal_with_attributes_by_name, :in1 => name)[:out]
+
+      response[:attributes][:soap_attribute].inject({}) do |memo, entry|
+        # next two lines: prevent Nori::StringWithAttributes to bubble up
+        # use plain strings instead (for serializability) [thomas, 2011-06-07]
+        value = entry[:values][:string]
+        value = value.to_s if value.is_a?(String)
+        memo[entry[:name].snakecase.to_sym] = value
+        memo
+      end
+    end
+
+  end
+end

data/lib/kraut/rails/authentication.rb

@@ -0,0 +1,80 @@
+module Kraut
+
+  module Rails
+
+    module Authentication
+
+      def self.included(base)
+        base.helper_method :user, :logged_in?, :allowed_to?
+        base.rescue_from SecurityError do |e|
+          reset_session
+          redirect_to new_kraut_sessions_path, :alert => I18n.t("errors.kraut.session_expired")
+        end
+      end
+
+      # The timeout for a Crowd session in minutes.
+      CROWD_SESSION_TIMEOUT_MINUTES = 25
+
+      def switch_user(user)
+        session[:user] = user
+      end
+
+      def user
+        session[:user]
+      end
+
+      def logged_in?
+        !user.nil?
+      end
+
+      def allowed_to?(action)
+        authenticate_application
+        !!user && user.allowed_to?(action)
+      end
+
+      def check_for_crowd_token
+        if params[:crowd_token]
+          begin
+            authenticate_application
+            switch_user(Session.find_by_token(params[:crowd_token]))
+          rescue Kraut::InvalidPrincipalToken
+            reset_session
+            redirect_to new_kraut_sessions_path, :alert => I18n.t("errors.kraut.token_not_found")
+          end
+        end
+      end
+
+      def verify_login
+        unless logged_in?
+          store_current_location
+          redirect_to new_kraut_sessions_path
+        end
+      end
+
+      def verify_access
+        authenticate_application
+        unless logged_in? && user.allowed_to?("#{params[:controller]}_#{params[:action]}")
+          store_current_location
+          redirect_to new_kraut_sessions_path, :alert => I18n.t("errors.kraut.access_denied")
+        end
+      end
+
+      def authenticate_application
+        if Kraut::Application.authentication_required? CROWD_SESSION_TIMEOUT_MINUTES
+          Kraut::Application.authenticate Kraut::Rails::Engine.config.webservice[:user], Kraut::Rails::Engine.config.webservice[:password]
+        end
+      end
+
+      def store_current_location
+        session[:stored_location] = request.fullpath if request.get?
+      end
+
+      def stored_location!
+        session.delete(:stored_location)
+      end
+
+    end
+
+  end
+
+end

data/lib/kraut/rails/engine.rb

@@ -0,0 +1,29 @@
+require 'rails'
+
+require 'kraut'
+require 'kraut/rails/authentication'
+
+module Kraut
+
+  module Rails
+
+    class Engine < ::Rails::Engine
+
+      config.after_initialize do
+        ActionController::Base.class_eval do
+          include Kraut::Rails::Authentication
+        end
+      end
+
+      def self.resolve_authorization_aliases(authorizations, aliases)
+        authorizations.inject({}) do |resolved, (action, groups)|
+          resolved[action] = groups.map { |group| aliases[group] }
+          resolved
+        end
+      end
+
+    end
+
+  end
+
+end

data/lib/kraut/rails/spec/login_helper.rb

@@ -0,0 +1,28 @@
+module Kraut
+
+  module Rails
+
+    module Spec
+
+      module LoginHelper
+
+        def login!
+          Kraut::Application.stubs(:authentication_required?).returns(false)
+          session[:user] = create_user
+        end
+
+        def logout!
+          session[:user] = nil
+        end
+
+        def user
+          session[:user]
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/kraut/rails/spec/protected_action.rb

@@ -0,0 +1,68 @@
+module Kraut
+
+  module Rails
+
+    module Spec
+
+      module ProtectedAction
+
+        # This shouldn't be called outside of describe_authorized_action,
+        # since it'll just be ignored - better situated somewhere else? [thomas, 2011-06-07]
+        # used to test unauthenticated/unauthorized access
+        # keep in mind that the before/after hooks specified in describe_protected_action
+        # don't apply to this request!
+        def unauthorized_request(&block)
+          @@unauthorized_request = block
+        end
+
+        # describes an action protected by kraut:
+        # tests if the specs in the block pass when authenticated (and authorized in case +action+ is specified)
+        # tests if the action recirects to the login page when not authorized (in case +unauthorized_access+ is called within the block and +action+ is specified)
+        # tests if the action recirects to the login page when not authenticated (in case +unauthorized_access+ is called within the block)
+        def describe_protected_action(message, action = nil, &block)
+
+          @@unauthorized_request = nil
+
+          describe message do
+
+            describe "authenticated#{" and authorized to do #{action}" if action}" do
+              before do
+                login! if user.nil?
+                user.expects(:allowed_to?).with(action.to_s).at_least_once.returns(true) if action
+              end
+              module_eval &block
+            end
+
+            unauthorized_request = @@unauthorized_request
+
+            describe "authenticated but unauthorized to do #{action}" do
+              before do
+                login! if user.nil?
+                user.expects(:allowed_to?).with(action.to_s).at_least_once.returns(false)
+              end
+              it "redirects to login page with an alert" do
+                instance_eval &unauthorized_request
+                response.should redirect_to("/sessions/new")
+                flash[:alert].should_not be_nil
+              end
+            end if action && unauthorized_request
+
+            describe "unauthenticated" do
+              before { logout! }
+              it "redirects to login page" do
+                instance_eval &unauthorized_request
+                response.should redirect_to("/sessions/new")
+              end
+            end if unauthorized_request
+
+          end
+
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/kraut/rails/spec/user_helper.rb

@@ -0,0 +1,27 @@
+module Kraut
+
+  module Rails
+
+    module Spec
+
+      module UserHelper
+
+        def create_user
+          Kraut::Session.new(
+            :username => "user",
+            :password => "secret",
+            :principal => Kraut::Principal.new(
+              :name => "user",
+              :password => "secret",
+              :token => "token"
+            )
+          )
+        end
+
+      end
+
+    end
+
+  end
+
+end

data/lib/kraut/rails/spec_helper.rb

@@ -0,0 +1,15 @@
+require "kraut/rails/spec/login_helper"
+require "kraut/rails/spec/protected_action"
+require "kraut/rails/spec/user_helper"
+
+Kraut::Application.stubs(:authenticate).returns(["name", "password", "token"])
+
+RSpec.configure do |config|
+  config.include Kraut::Rails::Spec::LoginHelper, :example_group => {
+    :file_path => /spec\/(controllers|views|helpers)/
+  }
+  config.extend Kraut::Rails::Spec::ProtectedAction, :example_group => {
+    :file_path => /spec\/controllers/
+  }
+  config.include Kraut::Rails::Spec::UserHelper
+end

data/lib/kraut/version.rb

@@ -0,0 +1,6 @@
+# -*- encoding : utf-8 -*-
+module Kraut
+
+  VERSION = "0.5.6"
+
+end

data/spec/controllers/application_controller_spec.rb

@@ -0,0 +1,219 @@
+require "spec_helper"
+
+describe ApplicationController do
+
+  context "when a SecurityError was raised" do
+    controller do
+      def index
+        raise SecurityError
+      end
+    end
+
+    it "swallows error, sets an alert and redirects to the login page" do
+      lambda { get :index }.should_not raise_error(Kraut::InvalidPrincipalToken)
+      flash[:alert].should == I18n.t("errors.kraut.session_expired")
+      response.should redirect_to("/sessions/new")
+    end
+  end
+
+  describe "#switch_user" do
+    it "stores the user in the session" do
+      session[:user].should be_nil
+      controller.switch_user(user = Kraut::Session.new)
+      session[:user].should == user
+    end
+  end
+
+  describe "#user" do
+    it "retrieves the user from the session" do
+      controller.user.should be_nil
+      session[:user] = user = Kraut::Session.new
+      controller.user.should == user
+    end
+  end
+
+  describe "#logged_in?" do
+    it "returns false when not logged in" do
+      controller.logged_in?.should == false
+    end
+    it "returns true when logged in" do
+      controller.switch_user(Kraut::Session.new)
+      controller.logged_in?.should == true
+    end
+  end
+
+  context "#allowed_to?" do
+    before { controller.expects(:authenticate_application) }
+
+    it "should return false when not logged in" do
+      controller.allowed_to?(:act).should == false
+    end
+
+    it "should return false when logged in user is not allowed to perform action" do
+      controller.switch_user(user = Kraut::Session.new)
+      user.expects(:allowed_to?).with(:act).returns(false)
+      controller.allowed_to?(:act).should == false
+    end
+
+    it "should return true when logged in user is allowed to perform action" do
+      controller.switch_user(user = Kraut::Session.new)
+      user.expects(:allowed_to?).with(:act).returns(true)
+      controller.allowed_to?(:act).should == true
+    end
+  end
+
+  context "before_filters" do
+
+    describe ":check_for_crowd_token" do
+      controller do
+        before_filter :check_for_crowd_token
+        def index
+          render :text => 'no fail'
+        end
+      end
+
+      it "raises no error, resets the session, sets an alert and redirects to the login page if no principal is found" do
+        controller.expects(:authenticate_application)
+        Kraut::Session.expects(:find_by_token).with('abcd').raises(Kraut::InvalidPrincipalToken)
+        lambda { get :index, :crowd_token => 'abcd' }.should_not raise_error(Kraut::InvalidPrincipalToken)
+        session.should be_empty
+        flash[:alert].should == I18n.t("errors.kraut.token_not_found")
+        response.should redirect_to("/sessions/new")
+      end
+
+      it "sets the user session to the principal" do
+        controller.expects(:authenticate_application)
+        Kraut::Session.expects(:find_by_token).with('abcd').returns(user = Kraut::Session.new)
+        user.stubs(:allowed_to?).returns(true)
+        get :index, :crowd_token => 'abcd'
+        response.should be_success
+        response.body.should == 'no fail'
+      end
+
+      it "only takes action if the crowd_token param is set" do
+        Kraut::Session.expects(:find_by_token).never
+        get :index
+        response.should be_success
+        response.body.should == 'no fail'
+      end
+    end
+
+    describe ":verify_login" do
+      controller do
+        before_filter :verify_login
+        def index
+          render :text => 'no fail'
+        end
+      end
+
+      it "does nothing when logged in" do
+        controller.switch_user(Kraut::Session.new)
+        get :index
+        controller.stored_location!.should be_nil
+        response.should be_success
+        response.body.should == 'no fail'
+      end
+
+      it "stores the current location and redirects the the login page when not logged in" do
+        get :index
+        controller.stored_location!.should_not be_nil
+        response.should redirect_to("/sessions/new")
+      end
+    end
+
+    describe ":verify_access" do
+      before { controller.expects(:authenticate_application) }
+
+      controller do
+        before_filter :set_params, :verify_access
+        def index
+          render :text => 'no fail'
+        end
+        def set_params
+          params[:controller] = 'cont'
+          params[:action] = 'act'
+        end
+      end
+
+      it "does nothing when logged in and authorized" do
+        controller.switch_user(user = Kraut::Session.new)
+        user.expects(:allowed_to?).with('cont_act').returns(true)
+        get :index
+        controller.stored_location!.should be_nil
+        response.should be_success
+        response.body.should == 'no fail'
+      end
+
+      it "stores the current location, sets and alert and redirects the the login page when logged in but unauthorized" do
+        controller.switch_user(user = Kraut::Session.new)
+        user.expects(:allowed_to?).with('cont_act').returns(false)
+        controller.expects(:store_current_location)
+        get :index
+        flash[:alert].should == I18n.t("errors.kraut.access_denied")
+        response.should redirect_to("/sessions/new")
+      end
+
+      it "stores the current location, sets and alert and redirects the the login page when not logged in" do
+        controller.expects(:store_current_location)
+        get :index
+        flash[:alert].should == I18n.t("errors.kraut.access_denied")
+        response.should redirect_to("/sessions/new")
+      end
+    end
+
+  end
+
+  context "internal methods" do
+
+    describe "#authenticate_application" do
+      it "authenticates the application when required" do
+        Kraut::Rails::Engine.config.webservice = { :user => "u", :password => "p" }
+        Kraut::Application.expects(:authentication_required?).with(25).returns(true)
+        Kraut::Application.expects(:authenticate).with("u", "p")
+        controller.authenticate_application
+      end
+
+      it "doesn't authenticate the application when not required" do
+        Kraut::Application.stubs(:authentication_required?).returns(false)
+        Kraut::Application.expects(:authenticate).never
+        controller.authenticate_application
+      end
+    end
+
+    describe "#store_current_location" do
+      controller do
+        def index
+          store_current_location
+          render :text => 'no fail'
+        end
+      end
+
+      it "stores request's full path on a GET" do
+        get :index
+        response.should be_success
+        response.body.should == 'no fail'
+        controller.stored_location!.should == "/stub_resources"
+      end
+
+      %w(delete head post put).each do |method|
+        it "doesn't store request's full path on a #{method.upcase}" do
+          send method, :index
+          response.should be_success
+          response.body.should == 'no fail'
+          controller.stored_location!.should be_nil
+        end
+      end
+    end
+
+    describe "#stored_location!" do
+      it "retrieves the location stored in the session, then delete it" do
+        controller.stored_location!.should be_nil
+        session[:stored_location] = "loc"
+        controller.stored_location!.should == "loc"
+        controller.stored_location!.should be_nil
+      end
+    end
+
+  end
+
+end