lockdown_vail 1.6.2.1

data/rails_generators/lockdown/templates/lib/lockdown/README

@@ -0,0 +1,42 @@
+#
+#                           !!!!IMPORTANT!!!!
+#
+#*** MUST define a current_user method that will return the current user object
+#
+#*** MUST add call to add_lockdown_session_values to your login method
+#
+#*** MAY NEED to add call to reset_lockdown_session to your logout method. 
+# ** Not needed if your authentication system resets the session
+#   
+# Definitely need to use the user_group and permission models.  The lockdown 
+# generator will provide those for you.  Just add the following to your user
+# model:
+#   has_and_belongs_to_many :user_groups
+#
+# That's it! 
+#
+#
+#                       ~~~~Method Descriptions~~~~
+
+# The Lockdown gem defines these session methods:
+#
+# current_user_id: returns the id of the current_user
+#
+# logged_in? : returns true if current_user_id > 0
+#
+# current_user_is_admin?: returns true if user is assigned 
+# administrator rights.
+#
+# reset_lockdown_session: This will nil the following session values:
+#   current_user_id
+#   access_rights
+#   expiry_time
+#
+# current_user_access_in_group?(grp):  grp is a symbol referencing a 
+# Lockdown::UserGroups method such as :registered_users
+# Will return true if the session[:access_rights] contain at 
+# least one match to the access_right list associated to the group
+#
+# If you want access to any of these methods in your view, just add them 
+# as helpers in your controller (application controller for global use).
+#

data/rails_generators/lockdown/templates/lib/lockdown/init.rb

@@ -0,0 +1,136 @@
+Lockdown::System.configure do
+
+  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  # Configuration Options
+  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  # Options with defaults:
+  #
+  #
+  # Set User model:
+  #      # make sure you use the string "User", not the constant
+  #      options[:user_model] = "User"
+  #
+  # Set UserGroup model:
+  #      # make sure you use the string "UserGroup", not the constant
+  #      options[:user_group_model] = "UserGroup"
+  #
+  # Set who_did_it method:
+  #   This method is used in setting the created_by/updated_by fields and
+  #   should be accessible to the controller
+  #      options[:who_did_it] = :current_user_id
+  #
+  # Set default_who_did_it:
+  #   When current_user_id returns nil, this is the value to use
+  #      options[:default_who_did_it] = 1
+  #
+  #   Lockdown version < 0.9.0 set this to:
+  #       options[:default_who_did_it] = Profile::System
+  #
+  #   Should probably be something like:
+  #      options[:default_who_did_it] = User::SystemId
+  #
+  # Set timeout to 1 hour:
+  #       options[:session_timeout] = (60 * 60)
+  #
+  # Call method when timeout occurs (method must be callable by controller):
+  #       options[:session_timeout_method] = :clear_session_values
+  #
+  # Set system to logout if unauthorized access is attempted:
+  #       options[:logout_on_access_violation] = false
+  #
+  # Set redirect to path on unauthorized access attempt:
+  #       options[:access_denied_path] = "/"
+  #
+  #
+  # Set redirect to path on session timeout if different from unauthorized:
+  #       options[:session_timeout_path] = "/"
+  #
+  #
+  # Set redirect to path on successful login:
+  #       options[:successful_login_path] = "/"
+  #
+  # Set separator on links call
+  #       options[:links_separator] = "|"
+  #
+  # If deploying to a subdirectory, set that here. Defaults to nil
+  #       options[:subdirectory] = "blog"
+  #       *Notice: Do not add leading or trailing slashes,
+  #                Lockdown will handle this
+  #
+  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  # Define permissions
+  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  #
+  # set_permission(:product_management).
+  #   with_controller(:products)
+  #
+  # :product_management is the name of the permission which is later
+  # referenced by the set_user_group method
+  #
+  # .with_controller(:products) defaults to all action_methods available on that
+  #  controller.  You can change this behaviour by chaining on except_methods or
+  #  only_methods.  (see examples below)
+  #
+  #  ** To define a namespaced controller use two underscores:
+  #     :admin__products
+  #
+  # if products is your standard RESTful resource you'll get:
+  #   ["products/index , "products/show",
+  #    "products/new", "products/edit",
+  #    "products/create", "products/update",
+  #    "products/destroy"]
+  #
+  # You can chain method calls to restrict the methods for one controller
+  # or you can add multiple controllers to one permission.
+  #      
+  #   set_permission(:security_management).
+  #     with_controller(:users).
+  #     and_controller(:user_groups).
+  #     and_controller(:permissions) 
+  #
+  # In addition to with_controller(:controller) there are:
+  #
+  #   set_permission(:some_nice_permission_name).
+  #     with_controller(:some_controller_name).
+  #       only_methods(:only_method_1, :only_method_2)
+  #
+  #   set_permission(:some_nice_permission_name).
+  #     with_controller(:some_controller_name).
+  #       except_methods(:except_method_1, :except_method_2)
+  #
+  #   set_permission(:some_nice_permission_name).
+  #     with_controller(:some_controller_name).
+  #       except_methods(:except_method_1, :except_method_2).
+  #     and_controller(:another_controller_name).
+  #     and_controller(:yet_another_controller_name)
+  #
+  # Define your permissions here:
+
+  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  # Built-in user groups
+  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  #  You can assign the above permission to one of the built-in user groups
+  #  by using the following:
+  # 
+  #  To allow public access on the permissions :sessions and :home:
+  #    set_public_access :sessions, :home
+  #     
+  #  Restrict :my_account access to only authenticated users:
+  #    set_protected_access :my_account
+  #
+  # Define the built-in user groups here:
+
+  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  # Define user groups
+  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+  #
+  #  set_user_group(:catalog_management, :category_management, 
+  #                                      :product_management) 
+  #
+  #  :catalog_management is the name of the user group
+  #  :category_management and :product_management refer to permission names
+  #
+  # 
+  # Define your user groups here:
+
+end 

data/spec/lockdown/context_spec.rb

@@ -0,0 +1,191 @@
+require File.join(File.dirname(__FILE__), %w[.. spec_helper])
+
+describe Lockdown::Context do
+  before do
+    @name = :my_account
+  end
+
+  describe Lockdown::RootContext do
+    before do
+      @c = Lockdown::RootContext.new(@name)
+    end
+
+    it "should return rootcontext" do
+      @c.to_s.should == "Lockdown::RootContext"
+    end
+
+    it "should allow with_controller" do
+      @c.allows?('with_controller').should == true
+    end
+
+    it "should allow and_controller" do
+      @c.allows?('and_controller').should == true
+    end
+
+    it "should allow to_model" do
+      @c.allows?('to_model').should == true
+    end
+
+    it "should not allow only_methods" do
+      @c.allows?('only_methods').should == false
+    end
+
+    it "should not allow except_methods" do
+      @c.allows?('except_methods').should == false
+    end
+
+    it "should not allow where" do
+      @c.allows?('where').should == false
+    end
+
+    it "should not allow is_in" do
+      @c.allows?('is_in').should == false
+    end
+
+    it "should not allow includes" do
+      @c.allows?('includes').should == false
+    end
+
+    it "should not allow equals" do
+      @c.allows?('equals').should == false
+    end
+  end
+
+  describe Lockdown::ControllerContext do
+    before do
+      @c = Lockdown::ControllerContext.new(@name)
+    end
+
+    it "should return rootcontext" do
+      @c.to_s.should == "Lockdown::ControllerContext"
+    end
+
+    it "should allow with_controller" do
+      @c.allows?('with_controller').should == true
+    end
+
+    it "should allow and_controller" do
+      @c.allows?('and_controller').should == true
+    end
+
+    it "should allow to_model" do
+      @c.allows?('to_model').should == true
+    end
+
+    it "should allow only_methods" do
+      @c.allows?('only_methods').should == true
+    end
+
+    it "should allow except_methods" do
+      @c.allows?('except_methods').should == true
+    end
+
+    it "should not allow where" do
+      @c.allows?('where').should == false
+    end
+
+    it "should not allow is_in" do
+      @c.allows?('is_in').should == false
+    end
+
+    it "should not allow includes" do
+      @c.allows?('includes').should == false
+    end
+
+    it "should not allow equals" do
+      @c.allows?('equals').should == false
+    end
+  end 
+
+  describe Lockdown::ModelContext do
+    before do
+      @c = Lockdown::ModelContext.new(@name)
+    end
+
+    it "should return rootcontext" do
+      @c.to_s.should == "Lockdown::ModelContext"
+    end
+
+    it "should not allow with_controller" do
+      @c.allows?('with_controller').should == false
+    end
+
+    it "should not allow and_controller" do
+      @c.allows?('and_controller').should == false
+    end
+
+    it "should not allow to_model" do
+      @c.allows?('to_model').should == false
+    end
+
+    it "should not allow only_methods" do
+      @c.allows?('only_methods').should == false
+    end
+
+    it "should not allow except_methods" do
+      @c.allows?('except_methods').should == false
+    end
+
+    it "should allow where" do
+      @c.allows?('where').should == true
+    end
+
+    it "should not allow is_in" do
+      @c.allows?('is_in').should == false
+    end
+
+    it "should not allow includes" do
+      @c.allows?('includes').should == false
+    end
+
+    it "should not allow equals" do
+      @c.allows?('equals').should == false
+    end
+  end 
+
+  describe Lockdown::ModelWhereContext do
+    before do
+      @c = Lockdown::ModelWhereContext.new(@name)
+    end
+
+    it "should return rootcontext" do
+      @c.to_s.should == "Lockdown::ModelWhereContext"
+    end
+
+    it "should not allow with_controller" do
+      @c.allows?('with_controller').should == false
+    end
+
+    it "should not allow and_controller" do
+      @c.allows?('and_controller').should == false
+    end
+
+    it "should not allow to_model" do
+      @c.allows?('to_model').should == false
+    end
+
+    it "should not allow only_methods" do
+      @c.allows?('only_methods').should == false
+    end
+
+    it "should not allow except_methods" do
+      @c.allows?('except_methods').should == false
+    end
+
+    it "should not allow where" do
+      @c.allows?('where').should == false
+    end
+
+    it "should allow is_in" do
+      @c.allows?('is_in').should == true
+    end
+
+    it "should allow includes" do
+      @c.allows?('includes').should == true
+    end
+
+    it "should allow equals" do
+      @c.allows?('equals').should == true
+    end
+  end 
+end

data/spec/lockdown/database_spec.rb

@@ -0,0 +1,66 @@
+require File.join(File.dirname(__FILE__), %w[.. spec_helper])
+
+class Permission; end;
+
+describe Lockdown::Database do
+  before do    
+    Lockdown::System.stub!(:get_permissions).and_return([:permission])
+    Lockdown::System.stub!(:get_user_groups).and_return([:user_group])
+    @user_group_class = mock(:table_exists? => true, :find => false)
+    Lockdown.stub!(:user_group_class).and_return @user_group_class
+
+  end
+
+  describe "#sync_with_db" do
+    it "should call create_new_permissions, delete_extinct_permissions and maintain_user_groups" do
+      Permission.stub!(:table_exists?).and_return(true)
+      Lockdown::Database.should_receive :maintain_user_groups
+
+      Lockdown::Database.sync_with_db
+    end
+  end
+
+  describe "#maintain_user_groups" do
+    before do
+      UserGroup = mock('UserGroup') unless defined?(UserGroup)
+    end
+
+    it "should create user group for non-existent user group" do
+      @user_group_class.should_receive(:find).and_return(false)
+      
+      Lockdown::Database.should_receive(:create_user_group).
+        with("User Group",:user_group)
+
+      Lockdown::Database.maintain_user_groups
+    end
+
+    it "should sync user group permissions for existing user group" do
+      ug = mock('user group')
+
+      @user_group_class.should_receive(:find).
+        with(:first, :conditions => ["name = ?", "User Group"]).
+        and_return(ug)
+      
+      Lockdown::Database.maintain_user_groups
+    end
+  end
+
+  describe "#create_user_group" do
+    it "should create new user group" do
+      ug = mock('user group')
+      ug.stub!(:id).and_return(123)
+
+      @user_group_class.should_receive(:create).
+        with(:name => "some group").
+        and_return(ug)
+
+      Lockdown::System.stub!(:permissions_for_user_group).
+        and_return([:perm])
+
+      Lockdown::System.stub!(:permission_assigned_automatically?).
+        and_return(false)
+
+      Lockdown::Database.create_user_group("some group",  :some_group)
+    end
+  end
+end

data/spec/lockdown/frameworks/rails/controller_spec.rb

@@ -0,0 +1,240 @@
+require File.join(File.dirname(__FILE__), %w[.. .. .. spec_helper])
+
+class TestAController
+  extend Lockdown::Frameworks::Rails::Controller
+  include Lockdown::Frameworks::Rails::Controller::Lock
+end
+
+describe Lockdown::Frameworks::Rails::Controller do
+  before do
+    @controller = TestAController
+
+    @actions = %w(posts/index posts/show posts/new posts/edit posts/create posts/update posts/destroy)
+
+    @lockdown = mock("lockdown")
+  end
+
+  describe "#controller_name" do
+    it "should return action_methods" do
+      post_controller = mock("PostController")
+      post_controller.stub!(:controller_name).and_return("PostController")
+
+      @controller.controller_name(post_controller).should == "PostController"
+    end
+  end
+
+end
+
+describe Lockdown::Frameworks::Rails::Controller::Lock do
+  before do
+    @controller = TestAController.new
+
+    @actions = %w(posts/index posts/show posts/new posts/edit posts/create posts/update posts/destroy)
+
+    @session = {:access_rights => @actions}
+
+    @controller.stub!(:session).and_return(@session)
+  end
+  
+  describe "#configure_lockdown" do
+    it "should call Lockdown.maybe_parse_init, check_session_expiry and store_location" do
+      Lockdown.should_receive(:maybe_parse_init)
+      @controller.should_receive(:check_session_expiry)
+      @controller.should_receive(:store_location)
+
+      @controller.configure_lockdown
+    end
+  end
+
+  describe "#set_current_user" do
+    it "should set who_did_it  in Thread.current" do
+      Lockdown::System.stub!(:fetch).with(:who_did_it).and_return(:current_user_id)
+      @controller.stub!(:logged_in?).and_return(true)
+      @controller.stub!(:current_user_id).and_return(1234)
+
+      @controller.set_current_user
+
+      Thread.current[:who_did_it].should == 1234
+    end
+  end
+
+  describe "#check_request_authorization" do
+    it "should raise SecurityError if not authorized" do
+      @controller.stub!(:authorized?).and_return(false)
+      @controller.stub!(:params).and_return({:p => 1})
+
+      lambda{@controller.check_request_authorization}.
+        should raise_error(SecurityError)
+
+    end
+  end
+
+  describe "#path_allowed" do
+    it "should return false for an invalid path" do
+      Lockdown::System.stub!(:public_access).and_return([])
+      @controller.stub!(:access_rights_from_session).and_return(["/a/good/path"])
+      @controller.send(:path_allowed?,"/no/good").should be_false
+    end
+  end
+
+  describe "#check_session_expiry" do
+    it "should set expiry if null" do
+      Lockdown::System.stub!(:fetch).with(:session_timeout).and_return(10)
+      @session[:expiry_time].should be_nil
+      @controller.send(:check_session_expiry)
+      @session[:expiry_time].should_not be_nil
+    end
+    
+    it "should raise an exception if the session has expired" do
+      time = Time.now
+      Lockdown::System.stub!(:fetch).with(:session_timeout).and_return(10)
+      @session[:expiry_time] = time - 10.seconds
+      @controller.should_receive(:nil_lockdown_values)
+      Lockdown::System.stub!(:call)
+      @controller.stub!(:call)
+      lambda {@controller.send(:check_session_expiry)}.should(
+        raise_error(Lockdown::Frameworks::Rails::Controller::Lock::LockdownSessionExpired, "Authorization failed! \nSession expired."))
+    end
+  end
+  
+  describe "#session_expired" do
+    it "should reset the session if configured to do so on access violation" do
+      Lockdown::System.stub!(:fetch).with(:logout_on_access_violation).and_return(true)
+      @controller.should_receive(:reset_session)
+      @controller.stub!(:respond_to)
+      @controller.send(:session_expired, nil)
+    end
+  end
+
+  describe "#store_location" do
+    it "should set prevpage and thispage" do
+      request = mock("request")
+      request.stub!(:method).and_return(:get)
+      @controller.stub!(:request).and_return(request)
+
+      @controller.stub!(:sent_from_uri).and_return("/blop")
+      @controller.send(:store_location)
+
+      @session[:prevpage].should == ''
+      @session[:thispage].should == '/blop'
+    end
+  end
+
+  describe "#sent_from_uri" do
+    it "should return request.request_uri" do
+      request = mock("request")
+      request.stub!(:request_uri).and_return("/blip")
+
+      @controller.stub!(:request).and_return(request)
+
+      @controller.send(:sent_from_uri).should == "/blip"
+    end
+  end
+
+  describe "#authorized?" do
+    before do
+      @sample_url = "http://stonean.com/posts/index"
+      @a_path = "/a_path"
+      
+      Lockdown::System.stub!(:public_access).and_return([])
+      @controller.stub!(:access_rights_from_session).and_return(["/no/good", "posts/index"])
+
+      request = mock("request")
+      request.stub!(:method).and_return(:get)
+      Lockdown.stub(:caching?).and_return(true)
+      @controller.stub!(:params).and_return({})
+      @controller.stub!(:request).and_return(request)
+
+      stonean_parts = ["http", nil, "stonean.com", nil, nil, "posts/index", nil, nil, nil]
+
+      a_path_parts = [nil, nil, nil, nil, nil, "/a_path", nil, nil, nil]
+
+      URI = mock('uri class') unless defined?(URI)
+      URI.stub!(:split).with(@sample_url).and_return(stonean_parts)
+      URI.stub!(:split).with(@a_path).and_return(a_path_parts)
+    end
+
+    it "should call add_lockdown_session_values unless caching" do
+      Lockdown.stub(:caching?).and_return(false)
+      @controller.should_receive(:add_lockdown_session_values)
+
+      @controller.send(:authorized?,nil)
+    end
+
+    it "should return false if url is nil" do
+      @controller.send(:authorized?,nil).should be_false
+    end
+
+    it "should return true if current_user_is_admin" do
+      @controller.stub!(:current_user_is_admin?).and_return(true)
+      @controller.send(:authorized?,@a_path).should be_true
+    end
+
+    it "should return false if path not in access_rights" do
+      @controller.send(:authorized?,@a_path).should be_false
+    end
+
+    it "should return true if path is in access_rights" do
+      @controller.send(:authorized?,@sample_url).should be_true
+    end
+
+  end
+
+  describe "#access_denied" do
+  end
+
+  describe "#path_from_hash" do
+    it "should return controller/action string" do
+      hash = {:controller => "users", :action => "show", :id => "1"}
+      @controller.send(:path_from_hash,hash).should == "users/show"
+    end
+  end
+
+  describe "#remote_url?" do
+    it "should return false if domain is nil" do
+      @controller.send(:remote_url?).should be_false
+    end
+
+    it "should return false if domain matches request domain" do
+      request = mock("request")
+      request.stub!(:host).and_return("stonean.com")
+      @controller.stub!(:request).and_return(request)
+      @controller.send(:remote_url?,"stonean.com").should be_false
+    end
+
+    it "should return true if subdomain differs" do
+      request = mock("request")
+      request.stub!(:host).and_return("blog.stonean.com")
+      @controller.stub!(:request).and_return(request)
+      @controller.send(:remote_url?,"stonean.com").should be_true
+    end
+
+    it "should return true if host doesn't match  domain" do
+      request = mock("request")
+      request.stub!(:host).and_return("stonean.com")
+      @controller.stub!(:request).and_return(request)
+      @controller.send(:remote_url?,"google.com").should be_true
+    end
+  end
+
+  describe "#redirect_back_or_default" do
+    it "should redirect to default without session[:prevpage]" do
+      @controller.should_receive(:redirect_to).with("/")
+      @controller.send :redirect_back_or_default, "/"
+    end
+
+    it "should redirect to session[:prevpage]" do
+      path = "/previous"
+      path.stub!(:blank?).and_return(false)
+      @session[:prevpage] = path
+      @controller.should_receive(:redirect_to).with(path)
+      @controller.send :redirect_back_or_default, "/"
+    end
+  end
+
+  describe "#login_from_basic_auth?" do
+  end
+
+  describe "#get_auth_data" do
+  end
+end