lockdown 0.9.1 → 0.9.2
Sign up to get free protection for your applications and to get access to all the features.
- data/lib/lockdown.rb +1 -1
- data/lib/lockdown/frameworks/rails.rb +32 -1
- data/lib/lockdown/frameworks/rails/controller.rb +95 -118
- data/lib/lockdown/session.rb +4 -0
- data/rails_generators/lockdown/templates/lib/lockdown/README +2 -2
- data/spec/lockdown/frameworks/rails/controller_spec.rb +1 -1
- metadata +2 -2
data/lib/lockdown.rb
CHANGED
@@ -16,12 +16,28 @@ module Lockdown
|
|
16
16
|
|
17
17
|
def mixin
|
18
18
|
Lockdown.controller_parent.class_eval do
|
19
|
-
include Lockdown::Frameworks::Rails::Controller::Lock
|
20
19
|
include Lockdown::Session
|
20
|
+
include Lockdown::Frameworks::Rails::Controller::Lock
|
21
21
|
end
|
22
|
+
|
23
|
+
Lockdown.controller_parent.helper_method :authorized?
|
24
|
+
|
25
|
+
Lockdown.controller_parent.before_filter do |c|
|
26
|
+
c.set_current_user
|
27
|
+
c.configure_lockdown
|
28
|
+
c.check_request_authorization
|
29
|
+
end
|
30
|
+
|
31
|
+
Lockdown.controller_parent.filter_parameter_logging :password,
|
32
|
+
:password_confirmation
|
33
|
+
|
34
|
+
Lockdown.controller_parent.rescue_from SecurityError,
|
35
|
+
:with => proc{|e| access_denied(e)}
|
36
|
+
|
22
37
|
Lockdown.view_helper.class_eval do
|
23
38
|
include Lockdown::Frameworks::Rails::View
|
24
39
|
end
|
40
|
+
|
25
41
|
Lockdown::System.class_eval do
|
26
42
|
extend Lockdown::Frameworks::Rails::System
|
27
43
|
end
|
@@ -68,6 +84,21 @@ module Lockdown
|
|
68
84
|
|
69
85
|
maybe_load_framework_controller_parent
|
70
86
|
|
87
|
+
ApplicationController.helper_method :authorized?
|
88
|
+
|
89
|
+
ApplicationController.before_filter do |c|
|
90
|
+
c.set_current_user
|
91
|
+
c.configure_lockdown
|
92
|
+
c.check_request_authorization
|
93
|
+
end
|
94
|
+
|
95
|
+
ApplicationController.filter_parameter_logging :password,
|
96
|
+
:password_confirmation
|
97
|
+
|
98
|
+
ApplicationController.rescue_from SecurityError,
|
99
|
+
:with => proc{|e| access_denied(e)}
|
100
|
+
|
101
|
+
|
71
102
|
Dir.chdir("#{Lockdown.project_root}/app/controllers") do
|
72
103
|
Dir["**/*.rb"].sort.each do |c|
|
73
104
|
next if c == "application.rb"
|
@@ -17,151 +17,128 @@ module Lockdown
|
|
17
17
|
|
18
18
|
# Locking methods
|
19
19
|
module Lock
|
20
|
-
def
|
21
|
-
|
22
|
-
|
23
|
-
|
24
|
-
helper_method :authorized?
|
25
|
-
end
|
26
|
-
|
27
|
-
base.before_filter do |c|
|
28
|
-
c.set_current_user
|
29
|
-
c.configure_lockdown
|
30
|
-
c.check_request_authorization
|
31
|
-
end
|
32
|
-
|
33
|
-
|
34
|
-
base.filter_parameter_logging :password, :password_confirmation
|
35
|
-
|
36
|
-
base.rescue_from SecurityError, :with => proc{|e| access_denied(e)}
|
20
|
+
def configure_lockdown
|
21
|
+
check_session_expiry
|
22
|
+
store_location
|
37
23
|
end
|
38
24
|
|
39
|
-
|
40
|
-
|
41
|
-
|
42
|
-
|
43
|
-
|
25
|
+
def set_current_user
|
26
|
+
login_from_basic_auth? unless logged_in?
|
27
|
+
if logged_in?
|
28
|
+
Thread.current[:who_did_it] = Lockdown::System.
|
29
|
+
call(self, :who_did_it)
|
44
30
|
end
|
31
|
+
end
|
45
32
|
|
46
|
-
|
47
|
-
|
48
|
-
|
49
|
-
Thread.current[:who_did_it] = Lockdown::System.
|
50
|
-
call(self, :who_did_it)
|
51
|
-
end
|
52
|
-
end
|
53
|
-
|
54
|
-
def check_request_authorization
|
55
|
-
unless authorized?(path_from_hash(params))
|
56
|
-
raise SecurityError, "Authorization failed for params #{params.inspect}"
|
57
|
-
end
|
33
|
+
def check_request_authorization
|
34
|
+
unless authorized?(path_from_hash(params))
|
35
|
+
raise SecurityError, "Authorization failed for params #{params.inspect}"
|
58
36
|
end
|
37
|
+
end
|
38
|
+
|
39
|
+
def path_allowed?(url)
|
40
|
+
session[:access_rights] ||= Lockdown::System.public_access
|
41
|
+
session[:access_rights].include?(url)
|
42
|
+
end
|
59
43
|
|
60
|
-
|
61
|
-
|
62
|
-
|
44
|
+
def check_session_expiry
|
45
|
+
if session[:expiry_time] && session[:expiry_time] < Time.now
|
46
|
+
nil_lockdown_values
|
47
|
+
Lockdown::System.call(self, :session_timeout_method)
|
63
48
|
end
|
64
|
-
|
65
|
-
|
66
|
-
|
67
|
-
|
68
|
-
|
69
|
-
|
70
|
-
session[:
|
71
|
-
end
|
72
|
-
|
73
|
-
def store_location
|
74
|
-
if (request.method == :get) && (session[:thispage] != sent_from_uri)
|
75
|
-
session[:prevpage] = session[:thispage] || ''
|
76
|
-
session[:thispage] = sent_from_uri
|
77
|
-
end
|
78
|
-
end
|
79
|
-
|
80
|
-
def sent_from_uri
|
81
|
-
request.request_uri
|
49
|
+
session[:expiry_time] = Time.now + Lockdown::System.fetch(:session_timeout)
|
50
|
+
end
|
51
|
+
|
52
|
+
def store_location
|
53
|
+
if (request.method == :get) && (session[:thispage] != sent_from_uri)
|
54
|
+
session[:prevpage] = session[:thispage] || ''
|
55
|
+
session[:thispage] = sent_from_uri
|
82
56
|
end
|
83
|
-
|
84
|
-
def authorized?(url, method = nil)
|
85
|
-
return false unless url
|
57
|
+
end
|
86
58
|
|
87
|
-
|
59
|
+
def sent_from_uri
|
60
|
+
request.request_uri
|
61
|
+
end
|
62
|
+
|
63
|
+
def authorized?(url, method = nil)
|
64
|
+
return false unless url
|
88
65
|
|
89
|
-
|
66
|
+
return true if current_user_is_admin?
|
90
67
|
|
91
|
-
|
68
|
+
method ||= request.method
|
92
69
|
|
93
|
-
|
70
|
+
url_parts = URI::split(url.strip)
|
94
71
|
|
95
|
-
|
72
|
+
url = url_parts[5]
|
96
73
|
|
97
|
-
|
98
|
-
hash = ActionController::Routing::Routes.recognize_path(url, :method => method)
|
99
|
-
return path_allowed?(path_from_hash(hash)) if hash
|
100
|
-
rescue Exception
|
101
|
-
# continue on
|
102
|
-
end
|
74
|
+
return true if path_allowed?(url)
|
103
75
|
|
104
|
-
|
105
|
-
|
76
|
+
begin
|
77
|
+
hash = ActionController::Routing::Routes.recognize_path(url, :method => method)
|
78
|
+
return path_allowed?(path_from_hash(hash)) if hash
|
79
|
+
rescue Exception
|
80
|
+
# continue on
|
106
81
|
end
|
107
|
-
|
108
|
-
def access_denied(e)
|
109
82
|
|
110
|
-
|
83
|
+
# Passing in different domain
|
84
|
+
return remote_url?(url_parts[2])
|
85
|
+
end
|
86
|
+
|
87
|
+
def access_denied(e)
|
88
|
+
|
89
|
+
RAILS_DEFAULT_LOGGER.info "Access denied: #{e}"
|
111
90
|
|
112
|
-
|
113
|
-
|
91
|
+
if Lockdown::System.fetch(:logout_on_access_violation)
|
92
|
+
reset_session
|
93
|
+
end
|
94
|
+
respond_to do |format|
|
95
|
+
format.html do
|
96
|
+
store_location
|
97
|
+
redirect_to Lockdown::System.fetch(:access_denied_path)
|
98
|
+
return
|
114
99
|
end
|
115
|
-
|
116
|
-
|
117
|
-
|
118
|
-
|
119
|
-
|
120
|
-
end
|
121
|
-
format.xml do
|
122
|
-
headers["Status"] = "Unauthorized"
|
123
|
-
headers["WWW-Authenticate"] = %(Basic realm="Web Password")
|
124
|
-
render :text => e.message, :status => "401 Unauthorized"
|
125
|
-
return
|
126
|
-
end
|
100
|
+
format.xml do
|
101
|
+
headers["Status"] = "Unauthorized"
|
102
|
+
headers["WWW-Authenticate"] = %(Basic realm="Web Password")
|
103
|
+
render :text => e.message, :status => "401 Unauthorized"
|
104
|
+
return
|
127
105
|
end
|
128
106
|
end
|
107
|
+
end
|
129
108
|
|
130
|
-
|
131
|
-
|
132
|
-
|
109
|
+
def path_from_hash(hash)
|
110
|
+
hash[:controller].to_s + "/" + hash[:action].to_s
|
111
|
+
end
|
133
112
|
|
134
|
-
|
135
|
-
|
136
|
-
|
137
|
-
|
113
|
+
def remote_url?(domain = nil)
|
114
|
+
return false if domain.nil? || domain.strip.length == 0
|
115
|
+
request.host.downcase != domain.downcase
|
116
|
+
end
|
138
117
|
|
139
|
-
|
140
|
-
|
141
|
-
|
142
|
-
|
143
|
-
|
144
|
-
end
|
145
|
-
end
|
146
|
-
|
147
|
-
# Called from current_user. Now, attempt to login by
|
148
|
-
# basic authentication information.
|
149
|
-
def login_from_basic_auth?
|
150
|
-
username, passwd = get_auth_data
|
151
|
-
if username && passwd
|
152
|
-
set_session_user ::User.authenticate(username, passwd)
|
153
|
-
end
|
118
|
+
def redirect_back_or_default(default)
|
119
|
+
if session[:prevpage].nil? || session[:prevpage].blank?
|
120
|
+
redirect_to(default)
|
121
|
+
else
|
122
|
+
redirect_to(session[:prevpage])
|
154
123
|
end
|
124
|
+
end
|
155
125
|
|
156
|
-
|
157
|
-
|
158
|
-
|
159
|
-
|
160
|
-
|
161
|
-
|
126
|
+
# Called from current_user. Now, attempt to login by
|
127
|
+
# basic authentication information.
|
128
|
+
def login_from_basic_auth?
|
129
|
+
username, passwd = get_auth_data
|
130
|
+
if username && passwd
|
131
|
+
set_session_user ::User.authenticate(username, passwd)
|
162
132
|
end
|
163
|
-
|
164
|
-
|
133
|
+
end
|
134
|
+
|
135
|
+
@@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
|
136
|
+
# gets BASIC auth info
|
137
|
+
def get_auth_data
|
138
|
+
auth_key = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
|
139
|
+
auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
|
140
|
+
return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil]
|
141
|
+
end
|
165
142
|
end # Lock
|
166
143
|
end # Controller
|
167
144
|
end # Rails
|
data/lib/lockdown/session.rb
CHANGED
@@ -3,8 +3,6 @@
|
|
3
3
|
#
|
4
4
|
#*** MUST define a current_user method that will return the current user object
|
5
5
|
#
|
6
|
-
#*** MUST define a logged_in? method that will return true if a user is logged in
|
7
|
-
#
|
8
6
|
#*** MUST add call to add_lockdown_session_values to your login method
|
9
7
|
#
|
10
8
|
# # This method uses the current_user method.
|
@@ -21,6 +19,8 @@
|
|
21
19
|
#
|
22
20
|
# current_user_id: returns the id of the current_user
|
23
21
|
#
|
22
|
+
# logged_in? : returns true if current_user_id > 0
|
23
|
+
#
|
24
24
|
# current_user_is_admin?: returns true if user is assigned
|
25
25
|
# administrator rights.
|
26
26
|
#
|
@@ -2,7 +2,7 @@ require File.join(File.dirname(__FILE__), %w[.. .. .. spec_helper])
|
|
2
2
|
|
3
3
|
class TestAController
|
4
4
|
extend Lockdown::Frameworks::Rails::Controller
|
5
|
-
include Lockdown::Frameworks::Rails::Controller::Lock
|
5
|
+
include Lockdown::Frameworks::Rails::Controller::Lock
|
6
6
|
end
|
7
7
|
|
8
8
|
describe Lockdown::Frameworks::Rails::Controller do
|
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: lockdown
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.9.
|
4
|
+
version: 0.9.2
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Andrew Stone
|
@@ -9,7 +9,7 @@ autorequire:
|
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
11
|
|
12
|
-
date: 2009-03-
|
12
|
+
date: 2009-03-25 00:00:00 -04:00
|
13
13
|
default_executable:
|
14
14
|
dependencies:
|
15
15
|
- !ruby/object:Gem::Dependency
|