kraut 0.5.6

data/.gitignore

@@ -0,0 +1,11 @@
+.DS_Store
+.yardoc
+doc
+coverage
+tmp
+*~
+*.gem
+.bundle
+Gemfile.lock
+spec/reports
+*.log

data/.rspec

@@ -0,0 +1 @@
+--colour

data/Gemfile

@@ -0,0 +1,3 @@
+# -*- encoding : utf-8 -*-
+source :rubygems
+gemspec

data/README.md

@@ -0,0 +1,175 @@
+Kraut
+=====
+
+Interface for the [Atlassian Crowd](http://www.atlassian.com/software/crowd/) SOAP service.
+
+Crowd endpoint
+--------------
+
+Kraut needs to know the SOAP endpoint of your Crowd installation. Set it via:
+
+```ruby
+Kraut.endpoint = "http://example.com/crowd/services/SecurityServer"
+```
+
+Kraut::Application
+------------------
+
+Crowd manages principals and applications. `Kraut::Application` obviously represents the latter.
+To authenticate your application with Crowd, you need to provide its name and password:
+
+```ruby
+Kraut::Application.authenticate "my_app", "secret"
+```
+
+After being authenticated, you can access the following attributes:
+
+```ruby
+Kraut::Application.name     => "my_app"
+Kraut::Application.password => "secret"
+Kraut::Application.token    => "Dem7p7Ns97uRV92so4IE1h10"
+```
+
+Kraut stores the time of the latest authentication:
+
+```ruby
+Kraut::Application.authenticated_at  # => Mon Jan 10 16:35:58 +0100 2011
+```
+
+To check whether the application needs to (re-)authenticate itself, you can use the following method:
+
+```ruby
+Kraut::Application.authentication_required?(timeout = 10)  # defaults to 10 minutes
+```
+
+Kraut::Principal
+----------------
+
+Represents a Crowd principal. To authenticate a principal:
+
+```ruby
+Kraut::Principal.authenticate "user", "password"
+```
+
+The `.authenticate` method returns a `Kraut::Principal` instance with basic attributes:
+
+* #name     => "user"
+* #password => "password"
+* #token    => "3p7Xs3dIuTVb2pO4II1h8A"
+
+It also contains the following attributes:
+
+* #display_name => "Chuck Norris"
+* #email        => "chuck.norris@gmail.com"
+* #attributes   => { :display_name => "Chuck Norris", ... }
+
+Make sure to verify whether a principal's password is expired. Principal's with an expired password are
+still able to authenticate and access your application.
+
+```ruby
+Kraut::Principal.requires_password_change?
+```
+
+### Groups
+
+To verify whether a principal belongs to a certain group:
+
+```ruby
+Kraut::Principal#member_of?(group)
+```
+
+Kraut stores all positive and negative group-requests in a Hash:
+
+```ruby
+Kraut::Principal#groups => { "staff" => true, "supervisor" => false }
+```
+
+Login
+-----
+
+In order to provide easy login to your apps, just require 'kraut/rails/engine' instead of just 'kraut':
+
+```ruby
+gem "kraut", :require => "kraut/rails/engine"
+```
+
+Then, you'll have a login controller unter '/sessions/new'. To configure its behaviour, add it in 'config/initializers/kraut.rb':
+
+```ruby
+Kraut.endpoint = AppConfig.webservices.crowd.baseaddress
+# the layout to use for the login page
+Kraut::Rails::Engine.config.layout = "application"
+# hash containing user and password for authenticatin the crowd app
+Kraut::Rails::Engine.config.webservice = AppConfig.webservices.crowd
+# hash containing :action => [crowd_group1, crowd_group2] pairs
+Kraut::Rails::Engine.config.authorizations = AppConfig.authorizations
+# starting url after authentication
+Kraut::Rails::Engine.config.entry_url = "/"
+```
+
+In your controllers, you have three methods to use as before_filter:
+
+* `check_for_crowd_token` => checks for `params[:crowd_token]` and logs in with that token
+* `verify_login`          => checks whether a user is logged in and redirects to the login page if necessary
+* `verify_access`         => checks whether the logged in user has access to the current action
+
+`verify_access` uses the `Kraut::Rails::Engine.config.authorizations` hash. It checks for controller-action actions (eg :orders_show). If a controller action protected by `verify_access` isn't listed there, no one can access this action!
+
+In your controllers and views, you can access user specific methods:
+
+* `logged_in?`  => checks whether someone is logged in
+* `user`        => returns the currently logged in user (or nil)
+* `allowed_to?` => checks whether someone is logged in and this user has access to the given action (see `Kraut::Rails::Engine.config.authorizations` above)
+
+Testing authentication/authorization behaviour
+----------------------------------------------
+
+In your spec_helper.rb:
+
+```ruby
+require "kraut/rails/spec_helper"
+```
+
+Then you have in all your specs:
+
+* `create_user` => creates a new user to spec against
+
+And in your controller/view/helper specs:
+
+* `login!`  => log in with a newly created user
+* `logout!` => log out again
+* `user`    => user you're logged in with
+
+And finally in your controller specs:
+
+* `describe_protected_action` => tests an action protected by `verify_login`/`verify_access`
+
+Example:
+
+```ruby
+describe_protected_action "GET :show", :orders_index do
+  unauthorized_request { get :show, :id => "5" }
+  
+  before do
+    @order = Order.create
+  end
+  
+  it "should be successful" do
+    get :index, :id => @order.id
+    response.should be_success
+    assigns(:order).should == @order
+  end
+end
+```
+
+This runs three tests:
+
+* the test written in the block above that checks whether the response is a success when logged with a user allowed to do :orders_index
+* an automatically generated test that checks that you're redirected to the login page when logged in with a user not allowed to do :orders_index
+* an automatically generated test that checks that you're redirected to the login page when not logged in
+
+If you leave out the `action` parameter (:orders_index in the example), the first test only checks with a logged in user and the second test is omitted.
+
+If you leave out the `unauthorized_request`, the second and third test are omitted and only the successful tests are executed.
+
+`unauthorized_request` is run outside the scope of the `describe_protected_action` block, so you can't access stuff initialized within it's before block (eg the @order above).

data/Rakefile

@@ -0,0 +1,10 @@
+require "rake"
+
+require "rspec/core/rake_task"
+require "ci/reporter/rake/rspec"
+
+RSpec::Core::RakeTask.new do |t|
+  t.rspec_opts = %w(-fd -c)
+end
+
+task :default => %w(ci:setup:rspec spec)

data/app/controllers/kraut/sessions_controller.rb

@@ -0,0 +1,30 @@
+module Kraut
+
+  class SessionsController < ActionController::Base
+
+    layout Kraut::Rails::Engine.config.layout
+
+    def new
+      @session = Kraut::Session.new
+    end
+
+    def create
+      @session = Kraut::Session.new params[:kraut_session]
+
+      authenticate_application
+      if @session.valid?
+        switch_user(@session)
+        redirect_to stored_location! || Kraut::Rails::Engine.config.entry_url
+      else
+        render :new
+      end
+    end
+
+    def destroy
+      reset_session
+      redirect_to Kraut::Rails::Engine.config.entry_url
+    end
+
+  end
+
+end

data/app/models/kraut/session.rb

@@ -0,0 +1,67 @@
+module Kraut
+
+  class Session
+
+    include ActiveModel::Validations
+    include ActiveModel::Conversion
+    include Mapper
+
+    attr_accessor :username, :password, :principal
+    validates :username, :password, :presence => true
+
+    def name
+      principal.name
+    end
+
+    def token
+      principal.token
+    end
+
+    def allowed_to?(action)
+      in_group? Kraut::Rails::Engine.config.authorizations[action]
+    end
+
+    def in_group?(groups)
+      Array.wrap(groups).any? { |group| principal.member_of? group }
+    end
+
+    def valid?
+      return unless super
+      if self.principal.nil?
+        login!
+      else
+        true
+      end
+    end
+
+    def self.find_by_token(token)
+      self.new(:principal => Kraut::Principal.find_by_token(token))
+    end
+
+    def persisted?
+      false
+    end
+
+  private
+
+    def login!
+      self.principal = Kraut::Principal.authenticate(username, password)
+      valid_password?
+    rescue Kraut::InvalidAuthentication, Kraut::InvalidAuthorization
+      errors[:base] << I18n.t("errors.kraut.invalid_credentials")
+      false
+    rescue Kraut::ApplicationAccessDenied
+      errors[:base] << I18n.t("errors.kraut.application_access_denied")
+      false
+    end
+
+    def valid_password?
+      return true unless principal.requires_password_change?
+
+      errors[:base] << I18n.t("errors.kraut.password_expired")
+      false
+    end
+
+  end
+
+end

data/app/views/kraut/sessions/new.html.haml

@@ -0,0 +1,15 @@
+%section
+  %h1 Anmelden
+  - if flash[:alert]
+    .flash.alert= flash[:alert]
+
+  = form_for @session do |f|
+    = f.error_messages :id => nil, :class => "errors"
+
+    %fieldset
+      = f.label :username
+      = f.text_field :username, :class => "width m"
+      = f.label :password
+      = f.password_field :password, :class => "width m"
+
+    %button(type="submit" id="session_submit") Anmelden

data/autotest/discover.rb

@@ -0,0 +1 @@
+Autotest.add_discovery { "rspec2" }

data/config/initializers/savon.rb

@@ -0,0 +1,12 @@
+# -*- encoding : utf-8 -*-
+Savon::Model.handle_response = Proc.new do |response|
+  if response.soap_fault?
+    begin
+     if response.to_hash[:fault][:detail][:voucher_exception][:error_code] == "NOT_AUTHORIZED"
+       raise SecurityError
+     end
+    rescue NoMethodError
+    end
+  end
+  response
+end if defined?(Savon::Model)

data/config/locales/kraut.yml

@@ -0,0 +1,14 @@
+de:
+  activemodel:
+    attributes:
+      kraut/session:
+        username: "Benutzername"
+        password: "Passwort"
+  errors:
+    kraut:
+      invalid_credentials: "Benutzername und/oder Passwort ungültig"
+      application_access_denied: "Sie haben keinen Zugriff auf diese Anwendung"
+      password_expired: "Ihr Passwort ist abgelaufen"
+      session_expired: "Die Sitzung ist abgelaufen. Bitte melde dich erneut an."
+      token_not_found: "Das Authentifizierungs-Token wurde nicht gefunden! Bitte melden Sie sich neu an."
+      access_denied: "Auf diesen Bereich haben Sie keinen Zugriff."

data/config/routes.rb

@@ -0,0 +1,5 @@
+Rails.application.routes.draw do
+
+  resource :sessions, :controller => "kraut/sessions", :only => [:new, :create, :destroy], :as => "kraut_sessions"
+
+end

data/kraut.gemspec

@@ -0,0 +1,43 @@
+# -*- encoding : utf-8 -*-
+lib = File.expand_path("../lib", __FILE__)
+$:.unshift lib unless $:.include? lib
+
+require "kraut/version"
+
+Gem::Specification.new do |s|
+  s.name = "kraut"
+  s.version = Kraut::VERSION
+  s.authors = ["Daniel Harrington", "Thilko Richter"]
+  s.email = "blaulabs@blau.de"
+  s.homepage = "http://github.com/blaulabs/#{s.name}"
+  s.summary = "Crowd Interface"
+  s.description = "Interface for the Atlassian Crowd SOAP API"
+
+  s.rubyforge_project = s.name
+ 
+  #savon 0.9.8 ships with Savon::Model, which does not support handle_response method used in savon initializer [mw-21.02.12]
+  #<= 0.9.7 is broken due to invalid dependencies [aj-18.04.12]
+  s.add_dependency "savon", "= 0.9.7"
+
+  # nail down gyoku until savon_spec 1.0.0 is on rubygems
+  # NoMethodError:
+  #     undefined method `lower_camelcase' for "send_sms_to_any_provider":String
+  s.add_development_dependency "gyoku", "= 0.4.4"
+
+  s.add_development_dependency "ci_reporter", "~> 1.6.5"
+  s.add_development_dependency "rspec", "~> 2.5.0"
+  s.add_development_dependency "autotest", "~> 4.4.2"
+  s.add_development_dependency "mocha", "~> 0.9.9"
+  s.add_development_dependency "webmock", "~> 1.3.5"
+  s.add_development_dependency "savon_spec", "~> 0.1.6"
+  s.add_development_dependency "rake", "0.8.7"
+  s.add_development_dependency "rails", "3.0.7"
+  s.add_development_dependency "rspec-rails", "~> 2.5.0"
+  s.add_development_dependency "haml", "~> 3.0"
+
+  # ZenTest 4.6 requires RubyGems version ~> 1.8 [dh, 2011-08-19]
+  s.add_development_dependency "ZenTest", "4.5.0"
+
+  s.files = `git ls-files`.split("\n")
+  s.require_path = "lib"
+end

data/lib/kraut.rb

@@ -0,0 +1,3 @@
+require "kraut/version"
+require "kraut/application"
+require "kraut/principal"

data/lib/kraut/application.rb

@@ -0,0 +1,31 @@
+# -*- encoding : utf-8 -*-
+require "kraut/client"
+
+module Kraut
+
+  # = Kraut::Application
+  #
+  # Represents an application registered with Crowd.
+  class Application
+    class << self
+
+      # Authenticates an application with a given +name+ and +password+.
+      def authenticate(name, password)
+        response = Client.request :authenticate_application,
+          :in0 => { "aut:credential" => { "aut:credential" => password }, "aut:name" => name }
+
+        self.authenticated_at = Time.now
+        self.name, self.password, self.token = name, password, response[:out][:token]
+      end
+
+      attr_accessor :name, :password, :token, :authenticated_at
+
+      # Returns whether the application needs to (re-)authenticate itself.
+      # Defaults to a +timeout+ of 10 minutes.
+      def authentication_required?(timeout = 10)
+        !authenticated_at || authenticated_at < Time.now - (60 * timeout)
+      end
+
+    end
+  end
+end

data/lib/kraut/client.rb

@@ -0,0 +1,63 @@
+require "savon"
+require "kraut/kraut"
+
+module Kraut
+
+  autoload :Application, "kraut/application"
+
+  # = Kraut::Client
+  #
+  # Wraps a <tt>Savon::Client</tt> and executes SOAP requests.
+  module Client
+    class << self
+
+      # Executes a SOAP request to a given +method+ with an optional +body+ Hash.
+      # Ensures to always raise SOAP faults if they happen and returns a response Hash.
+      def request(method, body = {})
+        response = client.request :wsdl, method do
+          soap.namespaces["xmlns:aut"] = Kraut.namespace
+          soap.body = body
+        end
+        
+        if response.soap_fault?
+          handle_soap_fault response.soap_fault
+        else
+          response.to_hash["#{method}_response".to_sym]
+        end
+      rescue Savon::SOAP::Fault => soap_fault
+        handle_soap_fault soap_fault
+      end
+
+      # Executes a SOAP request to a given +method+ with an optional +body+ Hash.
+      # Adds application authentication credentials and delegates to the +request+ method.
+      def auth_request(method, body = {})
+        body[:in0] = { "aut:name" => Application.name, "aut:token" => Application.token }
+        body[:order!] = body.keys.sort_by { |key| key.to_s }
+        request method, body
+      end
+
+      # Returns a memoized <tt>Savon::Client</tt> for executing SOAP requests.
+      def client
+        @client ||= Savon::Client.new do
+          wsdl.endpoint = Kraut.endpoint
+          wsdl.namespace = "urn:SecurityServer"
+        end
+      end
+
+    private
+
+      def handle_soap_fault(soap_fault)
+        error = case soap_fault.to_hash[:fault][:detail].keys.first
+          when :invalid_authentication_exception    then InvalidAuthentication
+          when :invalid_authorization_exception     then InvalidAuthorization
+          when :application_access_denied_exception then ApplicationAccessDenied
+          when :invalid_token_exception             then InvalidPrincipalToken
+          else                                           UnknownError
+        end
+        
+        raise error, soap_fault.to_s
+      end
+
+    end
+  end
+end