lockdown 0.7.1 → 0.8.0

data/History.txt

@@ -1,3 +1,6 @@
+== 0.7.1 2009-01-xx
+* Update init.rb with documentation on how to use admin namespaces
+
 == 0.7.0 2009-01-xx
 * Removed lockdown as an executable.  Will always go through the generator used by the framework.
 * Removed references to classy inheritance.  Directly coded some of classy inheritance's functionality into User model.

data/README.txt

@@ -8,7 +8,7 @@ Lockdown is a authentication/authorization system for RubyOnRails (ver >= 2.1).
 
 == INSTALL:
 
-sudo gem install lockdown 
+  sudo gem install lockdown 
 
 == LICENSE:
 

data/Rakefile

@@ -12,7 +12,20 @@ end
 ensure_in_path 'lib'
 require 'lockdown'
 
-task :default => 'spec:run'
+task :default => 'rcov'
+
+desc "Flog your code for Justice!"
+task :flog do
+    sh('flog lib/**/*.rb')
+end
+
+desc "Run all specs and rcov in a non-sucky way"
+Spec::Rake::SpecTask.new(:rcov) do |t|
+  t.spec_opts = IO.readlines("spec/spec.opts").map {|l| l.chomp.split " "}.flatten
+  t.spec_files = FileList['spec/**/*_spec.rb']
+  t.rcov = true
+  t.rcov_opts = IO.readlines("spec/rcov.opts").map {|l| l.chomp.split " "}.flatten
+end
 
 PROJ.name = 'lockdown'
 PROJ.authors = 'Andrew Stone'
@@ -22,5 +35,7 @@ PROJ.version = Lockdown::VERSION
 PROJ.rubyforge.name = 'lockdown'
 
 PROJ.spec.opts << '--color'
+PROJ.exclude << ".swp"
+PROJ.exclude << ".gitignore"
 
 # EOF

data/lib/lockdown/context.rb

@@ -0,0 +1,41 @@
+module Lockdown
+  class Context
+    attr_accessor :name, :allowed_methods
+
+    def to_s
+      self.class.to_s
+    end
+
+    def allows?(method_name)
+      @allowed_methods.include?(method_name)
+    end
+  end
+
+  class RootContext < Context
+    def initialize(name)
+      @name = name
+      @allowed_methods = %w(with_controller and_controller to_model)
+    end
+  end
+
+  class ControllerContext < Context
+    def initialize(name)
+      @name = name
+      @allowed_methods = %w(with_controller and_controller to_model only_methods except_methods)
+    end
+  end
+
+  class ModelContext < Context
+    def initialize(name)
+      @name = name
+      @allowed_methods = %w(where)
+    end
+  end
+
+  class ModelWhereContext < Context
+    def initialize(name)
+      @name = name
+      @allowed_methods = %w(is_in includes equals)
+    end
+  end
+end

data/lib/lockdown/database.rb

@@ -19,24 +19,22 @@ module Lockdown
         puts ">> Lockdown sync failed: #{e}" 
       end
 
-      private
-
       # Create permissions not found in the database
       def create_new_permissions
         @permissions.each do |key|
           next if Lockdown::System.permission_assigned_automatically?(key)
           str = Lockdown.get_string(key)
-          p = Permission.find(:first, :conditions => ["name = ?", str])
+          p = ::Permission.find(:first, :conditions => ["name = ?", str])
           unless p
             puts ">> Lockdown: Permission not found in db: #{str}, creating."
-            Permission.create(:name => str)
+            ::Permission.create(:name => str)
           end
         end
       end
 
       # Delete the permissions not found in init.rb
       def delete_extinct_permissions
-        db_perms = Permission.find(:all).dup
+        db_perms = ::Permission.find(:all).dup
         db_perms.each do |dbp|
           unless @permissions.include?(Lockdown.get_symbol(dbp.name))
             puts ">> Lockdown: Permission no longer in init.rb: #{dbp.name}, deleting."
@@ -50,7 +48,7 @@ module Lockdown
         # Create user groups not found in the database
         @user_groups.each do |key|
           str = Lockdown.get_string(key)
-          unless ug = UserGroup.find(:first, :conditions => ["name = ?", str])
+          unless ug = ::UserGroup.find(:first, :conditions => ["name = ?", str])
             create_user_group(str, key)
           else
             # Remove permissions from user group not found in init.rb
@@ -64,14 +62,13 @@ module Lockdown
 
       def create_user_group(name_str, key)
         puts ">> Lockdown: UserGroup not in the db: #{name_str}, creating."
-        ug = UserGroup.create(:name => name_str)
+        ug = ::UserGroup.create(:name => name_str)
         #Inefficient, definitely, but shouldn't have any issues across orms.
-        Lockdown::System.permissions_for_user_group(key) do |perm|
-          p = Permission.find(:first, :conditions => ["name = ?", Lockdown.get_string(perm)])
-          Lockdown.database_execute <<-SQL 
-                insert into permissions_user_groups(permission_id, user_group_id)
-                values(#{p.id}, #{ug.id})
-          SQL
+        Lockdown::System.permissions_for_user_group(key).each do |perm|
+          p = ::Permission.find(:first, :conditions => ["name = ?", 
+                                Lockdown.get_string(perm)])
+
+          Lockdown.database_execute "insert into permissions_user_groups(permission_id, user_group_id) values(#{p.id}, #{ug.id})"
         end
       end
 
@@ -97,7 +94,7 @@ module Lockdown
           # if not found, add it
           unless found
             puts ">> Lockdown: Permission: #{perm_string} not found for User Group: #{ug.name}, adding it."
-            p = Permission.find(:first, :conditions => ["name = ?", perm_string])
+            p = ::Permission.find(:first, :conditions => ["name = ?", perm_string])
             ug.permissions << p
           end
         end

data/lib/lockdown/frameworks/rails/controller.rb

@@ -37,9 +37,45 @@ module Lockdown
           end
 
           module InstanceMethods
-            def self.included(base)
-              base.class_eval do
-                include Lockdown::Controller::Core
+
+            def configure_lockdown
+              check_session_expiry
+              store_location
+            end
+
+            def set_current_user
+              login_from_basic_auth? unless logged_in?
+              if logged_in?
+                Thread.current[:profile_id] = current_profile_id
+              end
+            end
+
+            def check_request_authorization
+              unless authorized?(path_from_hash(params))
+                raise SecurityError, "Authorization failed for params #{params.inspect}"
+              end
+            end
+    
+            def path_allowed?(url)
+              session[:access_rights] ||= Lockdown::System.public_access
+              session[:access_rights].include?(url)
+            end
+      
+            def check_session_expiry
+              if session[:expiry_time] && session[:expiry_time] < Time.now
+                nil_lockdown_values
+                timeout_method = Lockdown::System.fetch(:session_timeout_method)
+                if timeout_method.is_a?(Symbol) && self.respond_to?(timeout_method)
+                  send(timeout_method) 
+                end
+              end
+              session[:expiry_time] = Time.now + Lockdown::System.fetch(:session_timeout)
+            end
+            
+            def store_location
+              if (request.method == :get) && (session[:thispage] != sent_from_uri)
+                session[:prevpage] = session[:thispage] || ''
+                session[:thispage] = sent_from_uri
               end
             end
 
@@ -105,7 +141,24 @@ module Lockdown
             def redirect_back_or_default(default)
               session[:prevpage] ? redirect_to(session[:prevpage]) : redirect_to(default)
             end
-
+    
+            # Called from current_user.  Now, attempt to login by
+            # basic authentication information.
+            def login_from_basic_auth?
+              username, passwd = get_auth_data
+              if username && passwd
+                set_session_user ::User.authenticate(username, passwd)
+              end
+            end
+  
+            @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
+            # gets BASIC auth info
+            def get_auth_data
+              auth_key  = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
+              auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
+              return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil] 
+            end
+ 
           end # InstanceMethods
         end # Lock
       end # Controller

data/lib/lockdown/frameworks/rails/view.rb

@@ -42,7 +42,7 @@ module Lockdown
         def links(*lis)
           rvalue = []
           lis.each{|link| rvalue << link if link.length > 0 }
-          rvalue.join(" | ")
+          rvalue.join( Lockdown::System.fetch(:link_separator) )
         end
       end # View
     end # Rails

data/lib/lockdown/frameworks/rails.rb

@@ -30,7 +30,11 @@ module Lockdown
       module Environment
 
         def project_root
-          RAILS_ROOT
+          ::RAILS_ROOT
+        end
+
+        def init_file
+          "#{project_root}/lib/lockdown/init.rb"
         end
 
         def controller_parent
@@ -80,23 +84,30 @@ module Lockdown
         end
 
         def maybe_load_framework_controller_parent
-          if ActiveSupport.const_defined?("Dependencies")
-            ActiveSupport::Dependencies.require_or_load("application.rb")
+          if ::Rails::VERSION::MAJOR >= 2 && ::Rails::VERSION::MINOR >= 3
+            filename = "application_controller.rb"
           else
-            Dependencies.require_or_load("application.rb")
+            filename = "application.rb"
           end
+          
+          require_or_load(filename)
+        end
+
+        def lockdown_load(filename)
+          klass = Lockdown.class_name_from_file(filename)
+
+          require_or_load(filename)
+
+          @controller_classes[klass] = Lockdown.qualified_const_get(klass) 
         end
 
-        def lockdown_load(file)
-          klass = Lockdown.class_name_from_file(file)
+        def require_or_load(filename)
           if ActiveSupport.const_defined?("Dependencies")
-            ActiveSupport::Dependencies.require_or_load(file)
+            ActiveSupport::Dependencies.require_or_load(filename)
           else
-            Dependencies.require_or_load(file)
+            Dependencies.require_or_load(filename)
           end
-          @controller_classes[klass] = Lockdown.qualified_const_get(klass) 
         end
-
       end # System
     end # Rails
   end # Frameworks

data/lib/lockdown/helper.rb

@@ -66,7 +66,7 @@ module Lockdown
         const_get(klass)
       end
     end
-    
+
     private
 
     def string_name(str_sym)

data/lib/lockdown/permission.rb

@@ -0,0 +1,204 @@
+module Lockdown
+  class InvalidRuleContext < StandardError; end
+  class PermissionScopeCollision < StandardError; end
+
+  class Controller
+    attr_accessor :name, :access_methods
+
+    def initialize(name)
+      @name = name
+    end
+  end
+
+  class Model
+    attr_accessor :name, :controller_method, :model_method, :association
+
+    def initialize(name)
+      @name = name
+    end
+
+    def association=(type)
+      @assocation = type
+    end
+  end
+  
+  class Permission
+    attr_reader :name, :controllers, :models
+
+    # A Permission is a set of rules that are, through UserGroups, assigned
+    # to users to allow access to system resources.
+    #
+    # ==== Summary of controller oriented methods:
+    #
+    #   # defines which controller we're talking about
+    #   .with_controller(:controller_name)  #all_methods is the default
+    #
+    #   # only these methods on the controller
+    #   .only_methods(:meth1, :meth2)       
+    #
+    #   # all controller methods except these
+    #   .except_methods(:meth1, :meth2)
+    #
+    # ==== Summary of model oriented methods:
+    #
+    #   # defines which model we're talking about
+    #   .to_model(:model_name)         
+    #
+    #   # data_method must be available to the controller
+    #   .where(:data_method)           
+    #
+    #   # model_name.value_method must equal data_method
+    #   .equals(:value_method)         
+    #
+    #   # model_name.values_method.include?(data_method)
+    #   .is_in(:values_method)         
+    #   
+    #
+    # ==== Example:
+    #
+    #   # Define a permission called 'Manage Users' that allows users access
+    #   # all methods on the users_controller
+    #
+    #   set_permission(:manage_users).
+    #     with_controller(:users)
+    #
+    #   # Define a permission called "My Account" that only allows a user access
+    #   # to methods show and update and the current_user_id must match the id 
+    #   # of the user being modified
+    #
+    #   set_permission(:my_account).
+    #     with_controller(:users).
+    #     only_methods(:show, :update).
+    #     to_model(:user).
+    #       where(:current_user_id).
+    #       equals(:id)
+    #
+    def initialize(name_symbol)
+      @name         = name_symbol
+      @controllers  = {}
+      @models       = {}
+      @current_context = Lockdown::RootContext.new(name_symbol)
+    end
+
+    def with_controller(name_symbol)
+      validate_context
+
+      controller = Controller.new(name_symbol)
+      controller.access_methods = paths_for(name_symbol)
+      @controllers[name_symbol] = controller
+      @current_context = Lockdown::ControllerContext.new(name_symbol)
+      self
+    end
+
+    alias_method :and_controller, :with_controller
+
+    def only_methods(*methods)
+      validate_context
+
+      current_controller.access_methods = paths_for(current_controller.name, 
+                                                    *methods)
+      @current_context = Lockdown::RootContext.new(@name)
+      self
+    end
+
+    def except_methods(*methods)
+      validate_context
+
+      current_controller.access_methods = current_controller.access_methods - paths_for(current_controller.name, *methods)
+
+      @current_context = Lockdown::RootContext.new(@name)
+      self
+    end
+
+    def to_model(name_symbol)
+      validate_context
+
+      @models[name_symbol] = Model.new(name_symbol)
+      @current_context = Lockdown::ModelContext.new(name_symbol)
+      self
+    end
+
+    def where(controller_method)
+      validate_context
+
+      @current_context = Lockdown::ModelWhereContext.new(current_context.name)
+      self
+    end
+
+    def equals(model_method)
+      validate_context
+
+      associate_model_method(model_method, :equals)
+      @current_context = Lockdown::RootContext.new(@name)
+      self
+    end
+
+    def is_in(model_method)
+      validate_context
+
+      associate_model_method(model_method, :includes)
+      @current_context = Lockdown::RootContext.new(@name)
+      self
+    end
+
+    alias_method :includes, :is_in
+
+    def public_access?
+      @public_access
+    end
+
+    def protected_access?
+      @protected_access
+    end
+
+    def set_as_public_access
+      if protected_access?
+        raise PermissionScopeCollision, "Permission: #{name} already marked as protected and trying to set as public."
+      end
+      @public_access = true
+    end
+
+    def set_as_protected_access
+      if public_access?
+        raise PermissionScopeCollision, "Permission: #{name} already marked as public and trying to set as protected."
+      end
+      @protected_access = true
+    end
+
+    def current_context
+      @current_context
+    end
+
+    def current_controller
+      @controllers[current_context.name]
+    end
+
+    def current_model
+      @models[current_context.name]
+    end
+
+    def ==(other)
+      name == other.name
+    end
+
+    private
+
+    def associate_model_method(model_method, association)
+      current_model.model_method = model_method
+      current_model.association = association
+      @current_context = Lockdown::RootContext.new(@name)
+    end
+
+    def validate_context
+      method_trace = caller.first;  
+      calling_method = caller.first[/#{__FILE__}:(\d+):in `(.*)'/,2]
+      unless current_context.allows?(calling_method)
+        raise InvalidRuleContext, "Method: #{calling_method} was called on wrong context #{current_context}. Allowed methods are: #{current_context.allowed_methods.join(',')}."
+      end
+    end
+
+    def paths_for(controller, *methods)
+      Lockdown::System.paths_for(controller, *methods)
+    end
+  end
+end