lockdown_vail 1.6.2.1

data/.gitignore

@@ -0,0 +1,6 @@
+*.DS_Store
+*.swp
+pkg/**
+doc/**
+email.txt
+coverage/**

data/README.txt

@@ -0,0 +1,36 @@
+lockdown
+    by Andrew Stone
+    http://stonean.com
+
+== DESCRIPTION:
+
+Lockdown is an authorization system for RubyOnRails (ver >= 2.1).
+
+== INSTALL:
+
+  sudo gem install lockdown 
+
+== LICENSE:
+
+(The MIT License)
+
+Copyright (c) 2009 Andrew Stone
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+'Software'), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1,38 @@
+require 'rubygems'
+require 'rake'
+require 'rcov'
+require 'spec/rake/spectask'
+
+require 'lib/lockdown.rb'
+task :default => 'rcov'
+
+desc "Flog your code for Justice!"
+task :flog do
+    sh('flog lib/**/*.rb')
+end
+
+desc "Run all specs and rcov in a non-sucky way"
+Spec::Rake::SpecTask.new(:rcov) do |t|
+  t.spec_opts = IO.readlines("spec/spec.opts").map {|l| l.chomp.split " "}.flatten
+  t.spec_files = FileList['spec/**/*_spec.rb']
+  t.rcov = true
+  t.rcov_opts = IO.readlines("spec/rcov.opts").map {|l| l.chomp.split " "}.flatten
+end
+
+begin
+  require 'jeweler'
+  Jeweler::Tasks.new do |gemspec|
+    gemspec.name = "lockdown_vail"
+    gemspec.version = Lockdown.version
+    gemspec.rubyforge_project = "lockdown"
+    gemspec.summary = "Authorization system for Rails 2.x"
+    gemspec.description = "Restrict access to your controller actions.  Supports basic model level restrictions as well"
+    gemspec.email = "andy@stonean.com"
+    gemspec.homepage = "http://stonean.com/wiki/lockdown"
+    gemspec.authors = ["Andrew Stone"]
+    gemspec.add_development_dependency('rspec')
+  end
+  Jeweler::GemcutterTasks.new
+rescue LoadError
+  puts "Jeweler not available. Install it with: sudo gem install technicalpickles-jeweler -s http://gems.github.com"
+end

data/VERSION

@@ -0,0 +1 @@
+1.6.2

data/lib/lockdown/context.rb

@@ -0,0 +1,41 @@
+module Lockdown
+  class Context
+    attr_accessor :name, :allowed_methods
+
+    def to_s
+      self.class.to_s
+    end
+
+    def allows?(method_name)
+      @allowed_methods.include?(method_name)
+    end
+  end
+
+  class RootContext < Context
+    def initialize(name)
+      @name = name
+      @allowed_methods = %w(with_controller and_controller to_model)
+    end
+  end
+
+  class ControllerContext < Context
+    def initialize(name)
+      @name = name
+      @allowed_methods = %w(with_controller and_controller to_model only_methods except_methods)
+    end
+  end
+
+  class ModelContext < Context
+    def initialize(name)
+      @name = name
+      @allowed_methods = %w(where)
+    end
+  end
+
+  class ModelWhereContext < Context
+    def initialize(name)
+      @name = name
+      @allowed_methods = %w(is_in includes equals)
+    end
+  end
+end

data/lib/lockdown/database.rb

@@ -0,0 +1,41 @@
+module Lockdown
+  class Database
+    class << self
+      # This is very basic and could be handled better using orm specific
+      # functionality, but I wanted to keep it generic to avoid creating 
+      # an interface for each the different orm implementations. 
+      # We'll see how it works...
+      def sync_with_db
+
+        @permissions = Lockdown::System.get_permissions
+        @user_groups = Lockdown::System.get_user_groups
+
+        unless Lockdown.user_group_class.table_exists?
+          Lockdown.logger.info ">> Lockdown tables not found.  Skipping database sync."
+          return
+        end
+      
+        maintain_user_groups
+      rescue Exception => e
+        Lockdown.logger.error ">> Lockdown sync failed: #{e.backtrace.join("\n")}" 
+      end
+
+
+      def maintain_user_groups
+        # Create user groups not found in the database
+        @user_groups.each do |key|
+          str = Lockdown.get_string(key)
+          unless ug = Lockdown.user_group_class.find(:first, :conditions => ["name = ?", str])
+            create_user_group(str, key)
+          end
+        end
+      end
+
+      def create_user_group(name_str, key)
+        Lockdown.logger.info ">> Lockdown: #{Lockdown::System.fetch(:user_group_model)} not in the db: #{name_str}, creating."
+        ug = Lockdown.user_group_class.create(:name => name_str)
+      end
+
+    end # class block
+  end # Database
+end #Lockdown

data/lib/lockdown/errors.rb

@@ -0,0 +1,11 @@
+module Lockdown
+  class InvalidRuleAssignment < StandardError; end
+
+  class InvalidRuleContext < StandardError; end
+
+  class PermissionScopeCollision < StandardError; end
+
+  class InvalidPermissionAssignment < StandardError; end
+
+  class GroupUndefinedError < StandardError; end
+end

data/lib/lockdown/frameworks/rails/controller.rb

@@ -0,0 +1,187 @@
+module Lockdown
+  module Frameworks
+    module Rails
+      module Controller
+        
+        def available_actions(klass)
+          klass.action_methods
+        end
+
+        def controller_name(klass)
+          klass.controller_name
+        end
+
+        # Locking methods
+        module Lock
+
+          class LockdownSessionExpired < Exception         
+          end
+
+          def configure_lockdown
+            Lockdown.maybe_parse_init
+            check_session_expiry
+            store_location
+          end
+
+          # Basic auth functionality needs to be reworked as 
+          # Lockdown doesn't provide authentication functionality.
+          def set_current_user
+            login_from_basic_auth? unless logged_in?
+            if logged_in?
+              Thread.current[:who_did_it] = Lockdown::System.
+                call(self, :who_did_it)
+            end
+          end
+
+          def check_request_authorization
+            unless authorized?(path_from_hash(params))
+              raise SecurityError, "Authorization failed! \nparams: #{params.inspect}\nsession: #{session.inspect}"
+            end
+          end
+
+          protected 
+  
+          def path_allowed?(url)
+            access_rights = Lockdown::System.public_access + access_rights_from_session
+            access_rights.include?(url)
+          end
+    
+          def check_session_expiry
+            if session[:expiry_time] && session[:expiry_time] < Time.now
+              nil_lockdown_values
+              Lockdown::System.call(self, :session_timeout_method)
+              raise LockdownSessionExpired, "Authorization failed! \nSession expired."
+            end
+            session[:expiry_time] = Time.now + Lockdown::System.fetch(:session_timeout)
+          end
+          
+          def store_location
+            if (request.method == :get) && (session[:thispage] != sent_from_uri)
+              session[:prevpage] = session[:thispage] || ''
+              session[:thispage] = sent_from_uri
+            end
+          end
+
+          def sent_from_uri
+            request.request_uri
+          end
+      
+          def authorized?(url, method = nil)
+            # Reset access unless caching?
+            add_lockdown_session_values unless Lockdown.caching?
+
+            return false unless url
+
+            return true if current_user_is_admin?
+
+            method ||= (params[:method] || request.method)
+
+            url_parts = URI::split(url.strip)
+
+            path = url_parts[5]
+            
+            return true if path_allowed?(path)
+
+            begin
+              hash = ActionController::Routing::Routes.recognize_path(path, :method => method)
+              return path_allowed?(path_from_hash(hash)) if hash
+            rescue Exception => e
+              # continue on
+            end
+
+            # Mailto link
+            return true if url =~ /^mailto:/
+
+            # Public file
+            file = File.join(RAILS_ROOT, 'public', url)
+            return true if File.exists?(file)
+
+            # Passing in different domain
+            return remote_url?(url_parts[2])
+          end
+    
+          def ld_access_denied(e)
+
+            Lockdown.logger.info "Access denied: #{e}"
+
+            if Lockdown::System.fetch(:logout_on_access_violation)
+              reset_session
+            end
+            respond_to do |format|
+              format.html do
+                store_location
+                redirect_to Lockdown::System.fetch(:access_denied_path)
+                return
+              end
+              format.xml do
+                headers["Status"] = "Unauthorized"
+                headers["WWW-Authenticate"] = %(Basic realm="Web Password")
+                render :text => e.message, :status => "401 Unauthorized"
+                return
+              end
+            end
+          end
+          
+          def session_expired(e)
+            
+            Lockdown.logger.info "Access denied: #{e}"
+            
+            if Lockdown::System.fetch(:logout_on_access_violation)
+              reset_session
+            end
+            
+            respond_to do |format|
+              format.html do
+                store_location
+                session_timeout_path = Lockdown::System.fetch(:session_timeout_path) || Lockdown::System.fetch(:access_denied_path)
+                redirect_to session_timeout_path
+                return
+              end
+              format.xml do
+                headers["Status"] = "Unauthorized"
+                headers["WWW-Authenticate"] = %(Basic realm="Web Password")
+                render :text => e.message, :status => "401 Unauthorized"
+                return
+              end
+            end
+          end
+
+          def path_from_hash(hash)
+            hash[:controller].to_s + "/" + hash[:action].to_s
+          end
+
+          def remote_url?(domain = nil)
+            return false if domain.nil? || domain.strip.length == 0
+            request.host.downcase != domain.downcase
+          end
+
+          def redirect_back_or_default(default)
+            if session[:prevpage].nil? || session[:prevpage].blank?
+              redirect_to(default) 
+            else
+              redirect_to(session[:prevpage])
+            end
+          end
+  
+          # Called from current_user.  Now, attempt to login by
+          # basic authentication information.
+          def login_from_basic_auth?
+            username, passwd = get_auth_data
+            if username && passwd
+              set_session_user ::User.authenticate(username, passwd)
+            end
+          end
+
+          @@http_auth_headers = %w(X-HTTP_AUTHORIZATION HTTP_AUTHORIZATION Authorization)
+          # gets BASIC auth info
+          def get_auth_data
+            auth_key  = @@http_auth_headers.detect { |h| request.env.has_key?(h) }
+            auth_data = request.env[auth_key].to_s.split unless auth_key.blank?
+            return auth_data && auth_data[0] == 'Basic' ? Base64.decode64(auth_data[1]).split(':')[0..1] : [nil, nil] 
+          end
+        end # Lock
+      end # Controller
+    end # Rails
+  end # Frameworks
+end # Lockdown
+

data/lib/lockdown/frameworks/rails/view.rb

@@ -0,0 +1,50 @@
+module Lockdown
+  module Frameworks
+    module Rails
+      module View
+        def self.included(base)
+          base.class_eval do
+            alias_method :link_to_open, :link_to
+            alias_method :link_to, :link_to_secured
+
+            alias_method :button_to_open, :button_to
+            alias_method :button_to, :button_to_secured
+          end
+        end
+    
+        def link_to_secured(name, options = {}, html_options = nil)
+          url = url_for(options)
+
+          method = html_options ? html_options[:method] : :get
+
+          if authorized?(url, method)
+            return link_to_open(name, url, html_options)
+          end
+          return ""
+        end
+
+        def button_to_secured(name, options = {}, html_options = nil)
+          url = url_for(options)
+
+          method = html_options ? html_options[:method] : :get
+
+          if authorized?(url, method)
+            return button_to_open(name, url, html_options)
+          end
+          return ""
+        end
+
+        def link_to_or_show(name, options = {}, html_options = nil)
+          lnk = link_to(name, options, html_options)
+          lnk.length == 0 ? name : lnk
+        end
+
+        def links(*lis)
+          rvalue = []
+          lis.each{|link| rvalue << link if link.length > 0 }
+          rvalue.join( Lockdown::System.fetch(:link_separator) )
+        end
+      end # View
+    end # Rails
+  end # Frameworks
+end # Lockdown

data/lib/lockdown/frameworks/rails.rb

@@ -0,0 +1,114 @@
+require File.join(File.dirname(__FILE__), "rails", "controller")
+require File.join(File.dirname(__FILE__), "rails", "view")
+
+module Lockdown
+  module Frameworks
+    module Rails
+      class << self
+        def use_me?
+          Object.const_defined?("ActionController") && ActionController.const_defined?("Base")
+        end
+
+        def included(mod)
+          mod.extend Lockdown::Frameworks::Rails::Environment
+          mixin
+        end
+        
+        def mixin
+          mixin_controller
+
+          Lockdown.view_helper.class_eval do
+            include Lockdown::Frameworks::Rails::View
+          end
+
+          Lockdown.system.class_eval do 
+            extend Lockdown::Frameworks::Rails::System
+          end
+        end
+
+        def mixin_controller(klass = Lockdown.controller_parent)
+          klass.class_eval do
+            include Lockdown::Session
+            include Lockdown::Frameworks::Rails::Controller::Lock
+          end
+
+          klass.helper_method :authorized?
+
+          klass.hide_action(:set_current_user, :configure_lockdown, :check_request_authorization, :check_model_authorization)
+
+          klass.before_filter do |c|
+            c.set_current_user
+            c.configure_lockdown
+            c.check_request_authorization
+            c.check_model_authorization
+          end
+
+          klass.filter_parameter_logging :password, :password_confirmation
+      
+          klass.rescue_from SecurityError, :with => proc{|e| ld_access_denied(e)}
+          klass.rescue_from Lockdown::Frameworks::Rails::Controller::Lock::LockdownSessionExpired, :with => proc{|e| session_expired(e)}
+        end
+      end # class block
+
+      module Environment
+
+        def project_root
+          ::RAILS_ROOT
+        end
+
+        def init_file
+          "#{project_root}/lib/lockdown/init.rb"
+        end
+
+        def view_helper
+          ::ActionView::Base 
+        end
+
+        # cache_classes is true in production and testing, need to
+        # modify the ApplicationController 
+        def controller_parent
+          if caching?
+            ApplicationController
+          else
+            ActionController::Base
+          end
+        end
+        
+        def caching?
+          ::Rails.configuration.cache_classes
+        end
+
+        # cache_classes is true in production and testing, need to
+        # do an instance eval instead
+        def add_controller_method(code)
+          Lockdown.controller_parent.class_eval code, __FILE__,__LINE__ +1
+        end
+
+        def controller_class_name(str)
+          str = "#{str}Controller"
+          if str.include?("__")
+            str.split("__").collect{|p| Lockdown.camelize(p)}.join("::")
+          else
+            Lockdown.camelize(str)
+          end
+        end
+
+        def fetch_controller_class(str)
+          eval("::#{controller_class_name(str)}")
+        end
+      end
+
+      module System
+        include Lockdown::Frameworks::Rails::Controller
+
+        def skip_sync?
+          Lockdown.system.fetch(:skip_db_sync_in).include?(framework_environment)
+        end
+        
+        def framework_environment
+          ::Rails.env
+        end
+      end # System
+    end # Rails
+  end # Frameworks
+end # Lockdown