lockdown 0.1.0

data/lib/lockdown/controller.rb

@@ -0,0 +1,220 @@
+module Lockdown
+  module Controller#:nodoc:
+    #
+    # Core Controller locking methods
+    #
+    module Core
+      def self.included(base)
+        base.send :include, Lockdown::Controller::Core::InstanceMethods
+      end
+
+      module InstanceMethods
+        def configure_lock_down
+          check_session_expiry
+          store_location
+        end
+
+        def set_current_user
+          login_from_basic_auth? unless logged_in?
+          if logged_in?
+            Thread.current[:profile_id] = current_profile_id
+            Thread.current[:client_id] = current_client_id if respond_to? :current_client_id
+          end
+        end
+  
+        def check_request_authorization
+          unless authorized?(path_from_hash(params))
+            raise SecurityError, "Authorization failed for params #{params.inspect}"
+          end
+        end
+      
+        def redirect_back_or_default(default)
+          session[:prevpage] ? send_to(session[:prevpage]) : send_to(default)
+        end
+
+        private
+
+        def path_allowed?(url)
+          req = Lockdown.format_controller_action(url)
+          session[:access_rights] ||= Lockdown::UserGroups[:public_access]
+          session[:access_rights].each do |ar|
+            return true if req =~ /#{ar}$/
+          end
+          false
+        end
+        
+        def check_session_expiry
+          if session[:expiry_time] && session[:expiry_time] < Time.now
+            nil_lockdown_values
+          end
+          session[:expiry_time] = Time.now + Lockdown::SESSION_TIMEOUT
+        end
+              
+        def store_location
+          if request.method == :get && !(session[:thispage] == sent_from_uri)
+            session[:prevpage] = session[:thispage] || ''
+            session[:thispage] = sent_from_uri
+          end
+        end
+      
+        # Called from current_user.  Now, attempt to login by
+        # basic authentication information.
+        def login_from_basic_auth?
+          username, passwd = get_auth_data
+          if username && passwd
+            set_session_user User.authenticate(username, passwd)
+          end
+        end
+    
+        @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
+        # gets BASIC auth info
+        def get_auth_data
+          auth_key  = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
+          auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
+          return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil] 
+        end
+      end # InstanceMethods
+    end # Core
+
+    #
+    # Merb Controller locking methods
+    #
+    module Merb
+      def self.included(base)
+        base.send :include, Lockdown::Controller::Merb::InstanceMethods
+
+        base.before :set_current_user
+        base.before :configure_lock_down
+        base.before :check_request_authorization
+      end
+
+      module InstanceMethods
+        def self.included(base)
+          base.class_eval do
+            alias :send_to  :redirect
+          end
+          base.send :include, Lockdown::Controller::Core
+        end
+
+        def sent_from_uri
+          request.uri
+        end
+
+        def authorized?(path)
+          return true if current_user_is_admin?
+
+          # See if path is known
+          return true if path_allowed?(path)
+
+          return false
+        end
+      
+        # Can log Error => e if desired, I don't desire to now.
+        # For now, just send home, but will probably make this configurable
+        def access_denied(e)
+          send_to "/"
+        end
+
+        def path_from_hash(hsh)
+          return hsh if hsh.is_a?(String)
+          hsh = hsh.to_hash if hsh.is_a?(Mash)
+          hsh['controller'].to_s + "/" + hsh['action'].to_s
+        end
+        
+      end # InstanceMethods
+    end # Merb
+
+    #
+    # Rails Controller locking methods
+    #
+    module Rails
+      def self.included(base)
+        base.send :include, Lockdown::Controller::Rails::InstanceMethods
+
+        base.before_filter do |controller|
+          controller.set_current_user
+          controller.configure_lock_down
+          controller.check_request_authorization
+        end
+
+        base.send :helper_method, :authorized?
+
+        base.filter_parameter_logging :password, :password_confirmation
+      
+        base.rescue_from SecurityError,
+          :with => proc{|e| access_denied(e)}
+      end
+
+      module InstanceMethods
+        def self.included(base)
+          base.class_eval do
+            alias :send_to  :redirect_to
+          end
+          base.send :include, Lockdown::Controller::Core
+        end
+
+        def sent_from_uri
+          request.request_uri
+        end
+
+        def authorized?(options)
+          return true if current_user_is_admin?
+
+          url_parts = URI::split url_for(options)
+        
+          path = url_parts[5]
+
+          # See if path is known
+          return true if path_allowed?(path)
+
+          if options.is_a?(String)
+            # Test for a named routed
+            begin
+              hsh = ActionController::Routing::Routes.recognize_path(options)
+              return true if path_allowed?(path_from_hash(hsh)) unless hsh.nil?
+            rescue Exception => e
+              # continue on
+            end
+          end
+          
+          # Test to see if using a get method (show)
+          path += "/show" if path.split("/").last.to_i > 0
+
+          return true if path_allowed?(path)
+
+          return false
+        end
+      
+        def access_denied(e)
+          reset_session
+          respond_to do |accepts|
+            accepts.html do
+              store_location
+              send_to login_path
+            end
+            accepts.xml do
+              headers["Status"] = "Unauthorized"
+              headers["WWW-Authenticate"] = %(Basic realm="Web Password")
+              render :text => e.message, :status => "401 Unauthorized"
+            end
+          end
+          false
+        end
+
+        def path_from_hash(hsh)
+          hsh[:controller].to_s + "/" + hsh[:action].to_s
+        end
+        
+      end # InstanceMethods
+    end # Rails
+
+    
+  end # Controller
+end # Lockdown
+
+if Lockdown.merb_app?
+  Merb::Controller.send :include, Lockdown::Controller::Merb
+elsif Lockdown.rails_app?
+  ActionController::Base.send :include, Lockdown::Controller::Rails
+end
+

data/lib/lockdown/controller_inspector.rb

@@ -0,0 +1,214 @@
+require File.join(File.dirname(__FILE__), "helper") unless Lockdown.const_defined?("Helper")
+
+module Lockdown
+  module ControllerInspector
+    def self.included(base)
+      if Lockdown.merb_app?
+        base.send :include, Lockdown::ControllerInspector::Merb
+      elsif Lockdown.rails_app?
+        base.send :include, Lockdown::ControllerInspector::Rails
+      end
+    end
+
+    module Core
+      include Lockdown::Helper
+      #
+      # *syms is a splat of controller symbols,
+      # e.g all_methods(:users, :authors, :books)
+      #
+      def all_methods(*syms)
+        syms.collect{ |sym| paths_for(sym) }.flatten
+      end
+    
+      #
+      # controller name (sym) and a splat of methods to 
+      # exclude from result
+      #
+      # All user methods except destroy:
+      # e.g all_except_methods(:users, :destroy)
+      #
+      def all_except_methods(sym, *methods)
+        paths_for(sym) - paths_for(sym, *methods) 
+      end
+    
+      #
+      # controller name (sym) and a splat of methods to 
+      # to build the result
+      # 
+      # Only user methods index (list), show (good for readonly access):
+      # e.g only_methods(:users, :index, :show)
+      #
+      def only_methods(sym, *methods)
+        paths_for(sym, *methods)
+      end
+
+      #
+      # all controllers, all actions
+      #
+      # This is admin access
+      # 
+      def all_controllers
+        controllers = find_all_controller_classes
+      
+        controllers.collect do |controller|
+          methods = available_actions(controller)
+          paths_for(controller_name(controller), methods)
+        end.flatten!
+      end
+    
+      private 
+
+      def paths_for(sym_str, *methods)
+        str = sym_str.to_s if sym_str.is_a?(Symbol)
+        if methods.empty?
+          klass = get_controller_class(str)
+          methods = available_actions(klass) 
+        end
+        methods.collect{|meth| ctr_path(str) + "/" + meth.to_s }
+      end
+    
+      def get_controller_class(str)
+        load_controller(str)
+        lockdown_const_get(str)
+      end
+
+      def find_all_controller_classes
+        load_all_controllers
+        return ObjectSpace.controller_classes
+      end
+
+      def ObjectSpace.controller_classes
+        subclasses = []
+        self.each_object(Class) do |klass|
+          subclasses << klass if klass.ancestors.include?(Lockdown.controller_parent)
+        end
+        subclasses
+      end
+      
+      def load_controller(str)
+        unless lockdown_const_defined?("Application")
+          require(Lockdown.project_root + "/app/controllers/application.rb")
+        end
+        
+        unless lockdown_const_defined?(kontroller_class_name(str))
+          require(Lockdown.project_root + "/app/controllers/#{kontroller_file_name(str)}")
+        end
+      end
+
+      def load_all_controllers
+        Dir["#{Lockdown.project_root}/app/controllers/**/*.rb"].sort.each do |c|
+         require(c) unless c == "application.rb"
+        end
+      end
+      
+      def lockdown_const_defined?(str)
+        if str.include?("__")
+          # this is a namespaced controller.  need to apply const_defined_to the namespace
+          parts = str.split("__")
+          eval("#{camelize(parts[0])}.const_defined?(\"#{kontroller_class_name(parts[1])}\")") 
+        else
+          const_defined?(camelize(str))
+        end
+      end
+
+      def lockdown_const_get(str)
+        if str.include?("__")
+          # this is a namespaced controller.  need to apply const_get the namespace
+          parts = str.split("__")
+          eval("#{camelize(parts[0])}.const_get(\"#{kontroller_class_name(parts[1])}\")") 
+        else
+          const_get(kontroller_class_name(str))
+        end
+      end
+
+      def ctr_path(str)
+        str.gsub("__","\/")
+      end
+
+      #
+      # Convert the str parameter (originally the symbol) to the 
+      # class name.
+      #
+      # For a controller defined as :users in access.rb, the str
+      # parameter here would be "users". The result of this method
+      # would be "/users"
+      #
+      # For a namespaced controller:
+      # In access.rb it would be defined as :admin__users.
+      # The str paramter would be "admin__users".
+      # The result would be "/admin/users".
+      #
+      def controller_file_name(str)
+        if str.include?("__")
+          str.split("__").join("/")
+        else
+          str
+        end
+      end
+
+      #
+      # Convert the str parameter (originally the symbol) to the 
+      # class name.
+      #
+      # For a controller defined as :users in access.rb, the str
+      # parameter here would be "users". The result of this method
+      # would be "Users"
+      #
+      def controller_class_name(str)
+        if str.include?("__")
+          str.split("__").collect{|p| camelize(p)}.join("::")
+        else
+          camelize(str)
+        end
+      end
+
+      #
+      # The reverse of controller_class_name.  Convert the controllers
+      # class name to the string version of the symbols used in acces.rb.
+      #
+      # For a controller defined as :users in access.rb, the klass 
+      # parameter here would be Users (the class). The result of this method
+      # would be "users", the string version of :users.
+      #
+      # Luckily both Rails and Merb have the controller_name method. This 
+      # is here in case that changes.
+      #
+      def controller_name(klass)
+        klass.controller_name
+      end
+    end #Core
+
+    module Rails #:nodoc:
+      include Lockdown::ControllerInspector::Core
+      
+      def kontroller_class_name(str)
+        "#{controller_class_name(str)}Controller"
+      end
+
+      def kontroller_file_name(str)
+       "#{controller_file_name(str)}_controller.rb"
+      end
+
+      def available_actions(klass)
+        klass.public_instance_methods - klass.hidden_actions
+      end
+    end # Rails
+
+    module Merb #:nodoc:
+      include Lockdown::ControllerInspector::Core
+      
+      def kontroller_class_name(str)
+        controller_class_name(str)
+      end
+
+      def kontroller_file_name(str)
+       controller_file_name(str) + ".rb"
+      end
+
+      def available_actions(klass)
+        klass.callable_actions.keys
+      end
+
+    end # Merb
+  end # ControllerInspector
+end # Lockdown

data/lib/lockdown/helper.rb

@@ -0,0 +1,53 @@
+module Lockdown
+  module Helper
+    def syms_from_names(ary)
+      rvalue = []
+      ary.each{|ar| rvalue << symbolize(ar.name)}
+      rvalue
+    end
+
+    #
+    # If str_sym is a Symbol (:users), give me back "Users"
+    # If str_sym is a String ("Users"), give me back :users
+    #
+    # Was :to_title_sym for String and :to_title_str for Symbol
+    #
+    def convert_reference_name(str_sym)
+      if str_sym.is_a?(Symbol)
+        titleize(str_sym)
+      else
+        underscore(str_sym).tr(' ','_').to_sym
+      end
+    end
+
+    def symbolize(str)
+      str.downcase.gsub("admin ","admin__").gsub(" ","_").to_sym
+    end
+
+    def camelize(str)
+      str.to_s.gsub(/\/(.?)/) { "::" + $1.upcase }.gsub(/(^|_)(.)/) { $2.upcase }
+    end
+    
+
+    def random_string(len = 10)
+      chars = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a
+      Array.new(len){||chars[rand(chars.size)]}.join
+    end
+
+    private
+    def titleize(str)
+      humanize(underscore(str)).gsub(/\b([a-z])/) { $1.capitalize }
+    end
+    
+    def humanize(str)
+      str.to_s.gsub(/_id$/, "").gsub(/_/, " ").capitalize
+    end
+
+    def underscore(str)
+      str.to_s.gsub(/::/, '/').
+        gsub(/([A-Z]+)([A-Z][a-z])/,'\1_\2').
+        gsub(/([a-z\d])([A-Z])/,'\1_\2').
+        tr("-", "_").downcase
+    end
+  end
+end

data/lib/lockdown/model.rb

@@ -0,0 +1,40 @@
+require File.join(File.dirname(__FILE__), "helper") unless Lockdown.const_defined?("Helper")
+
+module Lockdown
+  module Model
+    def self.included(base)
+      base.send :include, Lockdown::Model::InstanceMethods
+    end
+
+    module InstanceMethods
+      def self.included(base)
+        base.class_eval do
+          alias :create_without_stamps  :create
+          alias :update_without_stamps  :update
+        end
+      end
+
+      def current_profile_id
+        Thread.current[:profile_id]
+      end
+
+
+      def create_with_stamps
+        profile_id = current_profile_id || Profile::SYSTEM
+        self[:created_by] = profile_id if self.respond_to?(:created_by) 
+        self[:updated_by] = profile_id if self.respond_to?(:updated_by) 
+        create_without_stamps
+      end
+      alias :create  :create_with_stamps
+                  
+      def update_with_stamps
+        profile_id = current_profile_id || Profile::SYSTEM
+        self[:updated_by] = profile_id if self.respond_to?(:updated_by)
+        update_without_stamps
+      end
+      alias :update  :update_with_stamps
+    end # InstanceMethods
+  end # Model
+end # Lockdown
+
+Lockdown.orm_parent.send :include, Lockdown::Model

data/lib/lockdown/version.rb

@@ -0,0 +1,9 @@
+module Lockdown #:nodoc:
+  module VERSION #:nodoc:
+    MAJOR = 0
+    MINOR = 1
+    TINY  = 0
+
+    STRING = [MAJOR, MINOR, TINY].join('.')
+  end
+end

data/lib/lockdown/view.rb

@@ -0,0 +1,82 @@
+module Lockdown
+  module View
+    module Core
+      def links(*lis)
+        rvalue = []
+        lis.each{|link| rvalue << link if link.length > 0 }
+        rvalue.join(" | ")
+      end
+    end # Core
+
+    module Merb
+      include Lockdown::View::Core
+      def self.included(base)
+        base.send :alias_method, :merb_link_to,  :link_to
+      end
+
+      def link_to(name, url = '', options = {})
+        if authorized? url
+          return merb_link_to(name, url, options)
+        end
+        return ""
+      end
+
+			def link_to_or_show(name, url = '', options = {})
+				lnk = link_to(name, options, html_options)
+				lnk.length == 0  ? name : lnk
+      end
+    end # Merb
+
+    module Rails
+      include Lockdown::View::Core
+      def self.included(base)
+         base.send :alias_method, :rails_link_to,  :link_to
+         base.send :alias_method, :rails_button_to,  :button_to
+      end
+    
+      def ld_link_to(name, options = {}, html_options = nil)
+        url = lock_down_url(options, html_options)
+        if authorized? url
+          return rails_link_to(name,options,html_options)
+        end
+        return ""
+      end
+
+			def link_to_or_show(name, options = {}, html_options = nil)
+				lnk = link_to(name, options, html_options)
+				lnk.length == 0 ? name : lnk
+      end
+
+    
+      def button_to(name, options = {}, html_options = nil)
+        url = lock_down_url(options, html_options)
+        if authorized? url
+          return rails_button_to(name,options,html_options)
+        end
+        return ""
+      end
+      
+    
+      private
+        def lock_down_url(options, html_options = {})
+          return options unless options.respond_to?(:new_record?)
+          p = polymorphic_path(options)
+          if html_options.is_a?(Hash) && html_options[:method] == :delete
+            p += "/destroy"
+          elsif p.split("/").last.to_i > 0
+            p += "/show"
+          end
+          return p
+        end
+    end # Rails
+  end # View
+end # Lockdown
+
+if Object.const_defined?("Merb") && Merb.const_defined?("AssetsMixin")
+  Merb::AssetsMixin.send :include, Lockdown::View::Merb
+elsif Object.const_defined?("ActionView")
+  ActionView::Base.send :include, Lockdown::View::Rails
+else
+  raise NotImplementedError, "Application helper unknown to Lockdown."
+end
+