lockdown 0.9.1 → 0.9.2
- data/lib/lockdown.rb +1 -1
- data/lib/lockdown/frameworks/rails.rb +32 -1
- data/lib/lockdown/frameworks/rails/controller.rb +95 -118
- data/lib/lockdown/session.rb +4 -0
- data/rails_generators/lockdown/templates/lib/lockdown/README +2 -2
- data/spec/lockdown/frameworks/rails/controller_spec.rb +1 -1
- metadata +2 -2
data/lib/lockdown.rb
@@ -16,12 +16,28 @@ module Lockdown
|
|
16
16
|
|
17
17
|
def mixin
|
18
18
|
Lockdown.controller_parent.class_eval do
|
19
|
-
include Lockdown::Frameworks::Rails::Controller::Lock
|
20
19
|
include Lockdown::Session
|
20
|
+
include Lockdown::Frameworks::Rails::Controller::Lock
|
21
21
|
end
|
22
|
+
|
23
|
+
Lockdown.controller_parent.helper_method :authorized?
|
24
|
+
|
25
|
+
Lockdown.controller_parent.before_filter do |c|
|
26
|
+
c.set_current_user
|
27
|
+
c.configure_lockdown
|
28
|
+
c.check_request_authorization
|
29
|
+
end
|
30
|
+
|
31
|
+
Lockdown.controller_parent.filter_parameter_logging :password,
|
32
|
+
:password_confirmation
|
33
|
+
|
34
|
+
Lockdown.controller_parent.rescue_from SecurityError,
|
35
|
+
:with => proc{|e| access_denied(e)}
|
36
|
+
|
22
37
|
Lockdown.view_helper.class_eval do
|
23
38
|
include Lockdown::Frameworks::Rails::View
|
24
39
|
end
|
40
|
+
|
25
41
|
Lockdown::System.class_eval do
|
26
42
|
extend Lockdown::Frameworks::Rails::System
|
27
43
|
end
|
@@ -68,6 +84,21 @@ module Lockdown
|
|
68
84
|
|
69
85
|
maybe_load_framework_controller_parent
|
70
86
|
|
87
|
+
ApplicationController.helper_method :authorized?
|
88
|
+
|
89
|
+
ApplicationController.before_filter do |c|
|
90
|
+
c.set_current_user
|
91
|
+
c.configure_lockdown
|
92
|
+
c.check_request_authorization
|
93
|
+
end
|
94
|
+
|
95
|
+
ApplicationController.filter_parameter_logging :password,
|
96
|
+
:password_confirmation
|
97
|
+
|
98
|
+
ApplicationController.rescue_from SecurityError,
|
99
|
+
:with => proc{|e| access_denied(e)}
|
100
|
+
|
101
|
+
|
71
102
|
Dir.chdir("#{Lockdown.project_root}/app/controllers") do
|
72
103
|
Dir["**/*.rb"].sort.each do |c|
|
73
104
|
next if c == "application.rb"
|
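Review bot: The controller wiring is registered twice in this section — `helper_method :authorized?`, the `before_filter` block, `filter_parameter_logging :password, :password_confirmation` and `rescue_from SecurityError` appear in `mixin` (first hunk, on `Lockdown.controller_parent`) and again after `maybe_load_framework_controller_parent` in the second hunk (on `ApplicationController`). When `Lockdown.controller_parent` resolves to `ApplicationController`, which looks like the usual case, the before_filter block is appended twice, so `set_current_user`, `configure_lockdown` and `check_request_authorization` run twice per request, and the two copies can drift apart as the filtered-parameter list changes. One private helper that installs the hooks on a given class, guarded against re-registration, keeps a single source of truth and reduces both call sites to one line. The method containing the second hunk starts outside it, and the section is labelled `data/lib/lockdown.rb` although its ~31 added lines match the `rails.rb +32 -1` entry in the file list rather than lockdown.rb's `+1 -1`.
```ruby
def mixin
  Lockdown.controller_parent.class_eval do
    include Lockdown::Session
    include Lockdown::Frameworks::Rails::Controller::Lock
  end
  install_controller_hooks(Lockdown.controller_parent)
  # … unchanged: view_helper and System class_eval …
end

# Registers the Lockdown request hooks on +klass+ exactly once; both
# mixin and the ApplicationController branch go through here.
def install_controller_hooks(klass)
  return if klass.instance_variable_get(:@lockdown_hooks_installed)
  klass.instance_variable_set(:@lockdown_hooks_installed, true)
  klass.helper_method :authorized?
  klass.before_filter do |c|
    c.set_current_user
    c.configure_lockdown
    c.check_request_authorization
  end
  klass.filter_parameter_logging :password, :password_confirmation
  klass.rescue_from SecurityError, :with => proc { |e| access_denied(e) }
end
```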
@@ -17,151 +17,128 @@ module Lockdown
|
|
17
17
|
|
18
18
|
# Locking methods
|
19
19
|
module Lock
|
20
|
-
def
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
helper_method :authorized?
|
25
|
-
end
|
26
|
-
|
27
|
-
base.before_filter do |c|
|
28
|
-
c.set_current_user
|
29
|
-
c.configure_lockdown
|
30
|
-
c.check_request_authorization
|
31
|
-
end
|
32
|
-
|
33
|
-
|
34
|
-
base.filter_parameter_logging :password, :password_confirmation
|
35
|
-
|
36
|
-
base.rescue_from SecurityError, :with => proc{|e| access_denied(e)}
|
20
|
+
def configure_lockdown
|
21
|
+
check_session_expiry
|
22
|
+
store_location
|
37
23
|
end
|
38
24
|
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
25
|
+
def set_current_user
|
26
|
+
login_from_basic_auth? unless logged_in?
|
27
|
+
if logged_in?
|
28
|
+
Thread.current[:who_did_it] = Lockdown::System.
|
29
|
+
call(self, :who_did_it)
|
44
30
|
end
|
31
|
+
end
|
45
32
|
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
Thread.current[:who_did_it] = Lockdown::System.
|
50
|
-
call(self, :who_did_it)
|
51
|
-
end
|
52
|
-
end
|
53
|
-
|
54
|
-
def check_request_authorization
|
55
|
-
unless authorized?(path_from_hash(params))
|
56
|
-
raise SecurityError, "Authorization failed for params #{params.inspect}"
|
57
|
-
end
|
33
|
+
def check_request_authorization
|
34
|
+
unless authorized?(path_from_hash(params))
|
35
|
+
raise SecurityError, "Authorization failed for params #{params.inspect}"
|
58
36
|
end
|
37
|
+
end
|
38
|
+
|
39
|
+
def path_allowed?(url)
|
40
|
+
session[:access_rights] ||= Lockdown::System.public_access
|
41
|
+
session[:access_rights].include?(url)
|
42
|
+
end
|
59
43
|
|
60
|
-
|
61
|
-
|
62
|
-
|
44
|
+
def check_session_expiry
|
45
|
+
if session[:expiry_time] && session[:expiry_time] < Time.now
|
46
|
+
nil_lockdown_values
|
47
|
+
Lockdown::System.call(self, :session_timeout_method)
|
63
48
|
end
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
session[:
|
71
|
-
end
|
72
|
-
|
73
|
-
def store_location
|
74
|
-
if (request.method == :get) && (session[:thispage] != sent_from_uri)
|
75
|
-
session[:prevpage] = session[:thispage] || ''
|
76
|
-
session[:thispage] = sent_from_uri
|
77
|
-
end
|
78
|
-
end
|
79
|
-
|
80
|
-
def sent_from_uri
|
81
|
-
request.request_uri
|
49
|
+
session[:expiry_time] = Time.now + Lockdown::System.fetch(:session_timeout)
|
50
|
+
end
|
51
|
+
|
52
|
+
def store_location
|
53
|
+
if (request.method == :get) && (session[:thispage] != sent_from_uri)
|
54
|
+
session[:prevpage] = session[:thispage] || ''
|
55
|
+
session[:thispage] = sent_from_uri
|
82
56
|
end
|
83
|
-
|
84
|
-
def authorized?(url, method = nil)
|
85
|
-
return false unless url
|
57
|
+
end
|
86
58
|
|
87
|
-
|
59
|
+
def sent_from_uri
|
60
|
+
request.request_uri
|
61
|
+
end
|
62
|
+
|
63
|
+
def authorized?(url, method = nil)
|
64
|
+
return false unless url
|
88
65
|
|
89
|
-
|
66
|
+
return true if current_user_is_admin?
|
90
67
|
|
91
|
-
|
68
|
+
method ||= request.method
|
92
69
|
|
93
|
-
|
70
|
+
url_parts = URI::split(url.strip)
|
94
71
|
|
95
|
-
|
72
|
+
url = url_parts[5]
|
96
73
|
|
97
|
-
|
98
|
-
hash = ActionController::Routing::Routes.recognize_path(url, :method => method)
|
99
|
-
return path_allowed?(path_from_hash(hash)) if hash
|
100
|
-
rescue Exception
|
101
|
-
# continue on
|
102
|
-
end
|
74
|
+
return true if path_allowed?(url)
|
103
75
|
|
104
|
-
|
105
|
-
|
76
|
+
begin
|
77
|
+
hash = ActionController::Routing::Routes.recognize_path(url, :method => method)
|
78
|
+
return path_allowed?(path_from_hash(hash)) if hash
|
79
|
+
rescue Exception
|
80
|
+
# continue on
|
106
81
|
end
|
107
|
-
|
108
|
-
def access_denied(e)
|
109
82
|
|
110
|
-
|
83
|
+
# Passing in different domain
|
84
|
+
return remote_url?(url_parts[2])
|
85
|
+
end
|
86
|
+
|
87
|
+
def access_denied(e)
|
88
|
+
|
89
|
+
RAILS_DEFAULT_LOGGER.info "Access denied: #{e}"
|
111
90
|
|
112
|
-
|
113
|
-
|
91
|
+
if Lockdown::System.fetch(:logout_on_access_violation)
|
92
|
+
reset_session
|
93
|
+
end
|
94
|
+
respond_to do |format|
|
95
|
+
format.html do
|
96
|
+
store_location
|
97
|
+
redirect_to Lockdown::System.fetch(:access_denied_path)
|
98
|
+
return
|
114
99
|
end
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
end
|
121
|
-
format.xml do
|
122
|
-
headers["Status"] = "Unauthorized"
|
123
|
-
headers["WWW-Authenticate"] = %(Basic realm="Web Password")
|
124
|
-
render :text => e.message, :status => "401 Unauthorized"
|
125
|
-
return
|
126
|
-
end
|
100
|
+
format.xml do
|
101
|
+
headers["Status"] = "Unauthorized"
|
102
|
+
headers["WWW-Authenticate"] = %(Basic realm="Web Password")
|
103
|
+
render :text => e.message, :status => "401 Unauthorized"
|
104
|
+
return
|
127
105
|
end
|
128
106
|
end
|
107
|
+
end
|
129
108
|
|
130
|
-
|
131
|
-
|
132
|
-
|
109
|
+
def path_from_hash(hash)
|
110
|
+
hash[:controller].to_s + "/" + hash[:action].to_s
|
111
|
+
end
|
133
112
|
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
113
|
+
def remote_url?(domain = nil)
|
114
|
+
return false if domain.nil? || domain.strip.length == 0
|
115
|
+
request.host.downcase != domain.downcase
|
116
|
+
end
|
138
117
|
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
143
|
-
|
144
|
-
end
|
145
|
-
end
|
146
|
-
|
147
|
-
# Called from current_user. Now, attempt to login by
|
148
|
-
# basic authentication information.
|
149
|
-
def login_from_basic_auth?
|
150
|
-
username, passwd = get_auth_data
|
151
|
-
if username && passwd
|
152
|
-
set_session_user ::User.authenticate(username, passwd)
|
153
|
-
end
|
118
|
+
def redirect_back_or_default(default)
|
119
|
+
if session[:prevpage].nil? || session[:prevpage].blank?
|
120
|
+
redirect_to(default)
|
121
|
+
else
|
122
|
+
redirect_to(session[:prevpage])
|
154
123
|
end
|
124
|
+
end
|
155
125
|
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
|
126
|
+
# Called from current_user. Now, attempt to login by
|
127
|
+
# basic authentication information.
|
128
|
+
def login_from_basic_auth?
|
129
|
+
username, passwd = get_auth_data
|
130
|
+
if username && passwd
|
131
|
+
set_session_user ::User.authenticate(username, passwd)
|
162
132
|
end
|
163
|
-
|
164
|
-
|
133
|
+
end
|
134
|
+
|
135
|
+
@@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
|
136
|
+
# gets BASIC auth info
|
137
|
+
def get_auth_data
|
138
|
+
auth_key = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
|
139
|
+
auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
|
140
|
+
return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil]
|
141
|
+
end
|
165
142
|
end # Lock
|
166
143
|
end # Controller
|
167
144
|
end # Rails
|
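Review bot: The `SecurityError` raised in `check_request_authorization` (new lines 33-37) carries `params.inspect` in its message, and `access_denied` then writes that message to the log via `RAILS_DEFAULT_LOGGER.info "Access denied: #{e}"` and, in the `format.xml` branch, returns it to the client with `render :text => e.message`; `filter_parameter_logging` only scrubs Rails' own parameter logging, so a password or token submitted with a denied request ends up in the log and in the 401 body. Raising with the path only, `raise SecurityError, "Authorization failed for #{path_from_hash(params)}"`, keeps both outputs free of request data. Separately, `authorized?` still wraps `recognize_path` in `rescue Exception`, which also swallows `Interrupt` and `NoMemoryError` — `rescue StandardError` (or `ActionController::RoutingError`) covers an unroutable url — while `URI::split(url.strip)` now sits outside that rescue, so a malformed url raises `URI::InvalidURIError` out of the helper where the old method-level rescue hid it. In `get_auth_data`, `split(':')[0..1]` truncates any password containing a colon (`split(':', 2)` preserves it), and `Base64.decode64(auth_data[1])` raises when an `Authorization: Basic` header arrives without a token. The enclosing `Controller` module starts outside the hunk.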
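--- a/data/lib/lockdown/session.rb
+++ b/data/lib/lockdown/session.rb
@@ -3,8 +3,6 @@
 #
 #*** MUST define a current_user method that will return the current user object
 #
-#*** MUST define a logged_in? method that will return true if a user is logged in
-#
 #*** MUST add call to add_lockdown_session_values to your login method
 #
 # # This method uses the current_user method.
@@ -21,6 +19,8 @@
 #
 # current_user_id: returns the id of the current_user
 #
+# logged_in? : returns true if current_user_id > 0
+#
 # current_user_is_admin?: returns true if user is assigned
 # administrator rights.
 #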
@@ -2,7 +2,7 @@ require File.join(File.dirname(__FILE__), %w[.. .. .. spec_helper])
|
|
2
2
|
|
3
3
|
class TestAController
|
4
4
|
extend Lockdown::Frameworks::Rails::Controller
|
5
|
-
include Lockdown::Frameworks::Rails::Controller::Lock
|
5
|
+
include Lockdown::Frameworks::Rails::Controller::Lock
|
6
6
|
end
|
7
7
|
|
8
8
|
describe Lockdown::Frameworks::Rails::Controller do
|
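--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: lockdown
 version: !ruby/object:Gem::Version
-version: 0.9.
+version: 0.9.2
 platform: ruby
 authors:
 - Andrew Stone
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2009-03-
+date: 2009-03-25 00:00:00 -04:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency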