maestrano-rails-test 0.9.3

data/lib/generators/mongoid/maestrano_user_generator.rb

@@ -0,0 +1,26 @@
+require 'rails/generators/named_base'
+require 'generators/maestrano/orm_helpers'
+
+module Mongoid
+  module Generators
+    class MaestranoUserGenerator < Rails::Generators::NamedBase
+      include Maestrano::Generators::OrmHelpers
+      
+      def inject_field_types
+        inject_into_file model_path, migration_data, after: "include Mongoid::Document\n" if model_exists?
+      end
+
+      def inject_maestrano_content
+        inject_into_file model_path, model_contents, after: "include Mongoid::Document\n" if model_exists?
+      end
+      
+      def migration_data
+<<RUBY
+  ## User source identification fields
+  field :provider,  type: String, default: ""
+  field :uid,       type: String, default: ""
+RUBY
+      end
+    end
+  end
+end

data/lib/maestrano-rails.rb

@@ -0,0 +1 @@
+require 'maestrano/rails'

data/lib/maestrano/rails.rb

@@ -0,0 +1,11 @@
+require 'maestrano'
+require 'maestrano/rails/routing/routes'
+require 'maestrano/rails/models/maestrano_auth_resource'
+require 'maestrano/rails/controllers/maestrano_security'
+
+module Maestrano
+  module Rails
+    class Engine < ::Rails::Engine
+    end
+  end
+end

data/lib/maestrano/rails/controllers/maestrano_security.rb

@@ -0,0 +1,32 @@
+module Maestrano
+  module Rails
+    module MaestranoSecurity
+      # This module aims at being included into ApplicationController
+      # but we do not do until a maestrano_user_via is declared on
+      # a model (no need to polute the app)
+      # - 
+      # See MaestranoAuthResource for details on how the inclusion
+      # is done
+      def self.included(base)
+        base.send :include, ControllerFilters
+        base.before_filter :verify_maestrano_session
+      end
+      
+      module ControllerFilters
+        # If a maestrano session is present then we check
+        # its validity. If not valid anymore the filter
+        # triggers a Maestrano SSO handshake
+        def verify_maestrano_session
+          if Maestrano.param(:sso_enabled)
+            unless controller_name == 'saml' && ['init','consume'].include?(action_name)
+              if !Maestrano::SSO::Session.new(session).valid?(if_session:true)
+                redirect_to Maestrano::SSO.init_url
+              end
+            end
+          end
+          true
+        end
+      end
+    end
+  end
+end

data/lib/maestrano/rails/models/maestrano_auth_resource.rb

@@ -0,0 +1,116 @@
+require 'digest/sha1'
+
+module Maestrano
+  module Rails
+    module MaestranoAuthResource
+      extend ActiveSupport::Concern
+ 
+      included do
+      end
+      
+      # These methods are used to extend the
+      # behaviour of a model
+      module ClassMethods
+        # Configure a user model with mapping to SSO fields
+        # and add user behaviour
+        def maestrano_user_via(provider_field,uid_field, &block)
+          extend Maestrano::Rails::MaestranoAuthResource::LocalClassGenericMethods
+          self.maestrano_generic_configurator(provider_field,uid_field, &block)
+          
+          include Maestrano::Rails::MaestranoAuthResource::LocalInstanceUserMethods
+          
+          # Finally extend ApplicationController with MaestranoSecurity
+          # filters. It's useless to do that unless a maestrano_user is
+          # declared
+          ApplicationController.send :include, Maestrano::Rails::MaestranoSecurity
+        end
+        
+        # Configure a group model with mapping to SSO fields
+        # and add group behaviour
+        def maestrano_group_via(provider_field,uid_field, &block)
+          extend Maestrano::Rails::MaestranoAuthResource::LocalClassGenericMethods
+          self.maestrano_generic_configurator(provider_field,uid_field, &block)
+          
+          include Maestrano::Rails::MaestranoAuthResource::LocalInstanceGroupMethods
+        end
+      end
+      
+      # Actual class methods - injected after behaviour 
+      # has been added (don't polute the model scope)
+      module LocalClassGenericMethods
+        def maestrano_generic_configurator(provider_field,uid_field, &block)
+          cattr_accessor :maestrano_options
+          self.maestrano_options = {
+            provider: provider_field.to_s,
+            uid: uid_field.to_s,
+            mapping: block
+          }
+          
+          include Maestrano::Rails::MaestranoAuthResource::LocalInstanceGenericMethods
+        end
+        
+        # Find the resource based on provider and uid fields or create
+        # it using the mapping block defined at the model level
+        def find_or_create_for_maestrano(auth_hash)
+          # Look for the entity first
+          entity = self.where(
+            self.maestrano_options[:provider].to_sym => auth_hash[:provider],
+            self.maestrano_options[:uid].to_sym => auth_hash[:uid],
+          ).first
+          
+          # Create it otherwise
+          unless entity
+            # Extract maestrano information into proper objects
+            info = OpenStruct.new(auth_hash[:info])
+            extra = OpenStruct.new(auth_hash[:extra])
+            
+            # Create entity
+            entity = self.new
+            
+            # Set password on entity in case this is required
+            # This is done before the mapping block in case
+            # password has been taken care of by the developer
+            password = Digest::SHA1.hexdigest("#{Time.now.utc}-#{rand(100)}")[0..20]
+            begin
+              entity.password = password if entity.respond_to?(:password)
+              entity.password_confirmation = password if entity.respond_to?(:password_confirmation)
+            rescue Exception => e
+            end
+            
+            # Call mapping block
+            self.maestrano_options[:mapping].call(entity,info,extra)
+            
+            # Finally set provider and uid then save
+            entity.send("#{self.maestrano_options[:provider]}=",auth_hash[:provider])
+            entity.send("#{self.maestrano_options[:uid]}=",auth_hash[:uid])
+            entity.save!
+          end
+          
+          return entity
+        end
+      end
+      
+      # Generic Instance behaviour
+      module LocalInstanceGenericMethods
+        def maestrano?
+          send(self.maestrano_options[:provider]) == 'maestrano' &&
+          !send(self.maestrano_options[:uid]).blank?
+        end
+      end
+      
+      module LocalInstanceUserMethods
+      end
+      
+      module LocalInstanceGroupMethods
+      end
+    end
+  end
+end
+
+if defined?(ActiveRecord)
+  ActiveRecord::Base.send :include, Maestrano::Rails::MaestranoAuthResource
+end
+
+if defined?(Mongoid)
+  Mongoid::Document.send :include, Maestrano::Rails::MaestranoAuthResource
+end

data/lib/maestrano/rails/routing/routes.rb

@@ -0,0 +1,28 @@
+module ActionDispatch::Routing
+  class Mapper
+    def maestrano_routes
+      namespace :maestrano do
+        scope module: :rails do
+          get '/metadata' => 'metadata#index'
+        end
+        
+        namespace :rails do
+          get '/maestrano/metadata'
+        end
+        
+        namespace :auth do
+          resources :saml, only:[] do
+            get 'init', on: :collection
+            post 'consume', on: :collection
+          end
+        end
+        
+        namespace :account do
+          resources :groups, only: [:destroy] do
+            resources :users, only: [:destroy], controller: 'group_users'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/maestrano/rails/version.rb

@@ -0,0 +1,5 @@
+module Maestrano
+  module Rails
+    VERSION = "0.9.3"
+  end
+end

data/test/controllers/generic_controller_test.rb

@@ -0,0 +1,56 @@
+require 'test_helper'
+
+class GenericControllerTest < ActionController::TestCase
+  tests PagesController
+  
+  context "with a maestrano session" do
+    setup do
+      @original_sso_value = Maestrano.param(:sso_enabled)
+      Maestrano.configure { |config| config.sso_enabled = true }
+      
+      @request.session[:maestrano] = Base64.encode64({
+        uid: 'usr-1',
+        session: 'fdsf544fd5sd4f',
+        session_recheck: Time.now.utc.iso8601,
+        group_uid: 'cld-1'
+      }.to_json)
+    end
+    
+    teardown do
+      Maestrano.configure { |config| config.sso_enabled = @original_sso_value }
+    end
+    
+    should "be successful if the maestrano session is still valid" do
+      sso_session = mock('maestrano_sso_session')
+      sso_session.stubs(:valid?).returns(true)
+      Maestrano::SSO::Session.stubs(:new).returns(sso_session)
+      get :home
+      assert_response :success
+    end
+    
+    should "initialize redirect to SSO initialization if invalid" do
+      sso_session = mock('maestrano_sso_session')
+      sso_session.stubs(:valid?).returns(false)
+      Maestrano::SSO::Session.stubs(:new).returns(sso_session)
+      get :home
+      assert_redirected_to Maestrano::SSO.init_url
+    end
+    
+    should "not redirect to SSO init if sso is disabled" do
+      Maestrano.configure { |config| config.sso_enabled = false }
+      sso_session = mock('maestrano_sso_session')
+      sso_session.stubs(:valid?).returns(false)
+      Maestrano::SSO::Session.stubs(:new).returns(sso_session)
+      get :home
+      assert_response :success
+    end
+  end
+  
+  context "with no maestrano session" do
+    should "be successful" do
+      get :home
+      assert_response :success
+    end
+  end
+  
+end

data/test/controllers/group_users_controller_test.rb

@@ -0,0 +1,23 @@
+require 'test_helper'
+
+class GroupUsersControllerTest < ActionController::TestCase
+  tests Maestrano::Account::GroupUsersController
+  
+  context "unauthenticated" do
+    should "deny access" do
+      delete :destroy, group_id: 'cld-1', id: 'usr-1'
+      assert_equal '401', response.code
+    end
+  end
+  
+  context "authenticated" do
+    setup do
+      @request.env["HTTP_AUTHORIZATION"] = "Basic " + Base64.encode64("#{Maestrano.param('api.id')}:#{Maestrano.param('api.key')}")
+    end
+    
+    should "be successful" do
+      delete :destroy, group_id: 'cld-1', id: 'usr-1'
+      assert_equal '200', response.code
+    end
+  end
+end

data/test/controllers/groups_controller_test.rb

@@ -0,0 +1,24 @@
+require 'test_helper'
+
+class GroupsControllerTest < ActionController::TestCase
+  tests Maestrano::Account::GroupsController
+  
+  context "unauthenticated" do
+    should "deny access" do
+      delete :destroy, id: 'cld-1'
+      assert_equal '401', response.code
+    end
+  end
+  
+  context "authenticated" do
+    setup do
+      @request.env["HTTP_AUTHORIZATION"] = "Basic " + Base64.encode64("#{Maestrano.param('api.id')}:#{Maestrano.param('api.key')}")
+    end
+    
+    should "be successful" do
+      delete :destroy, id: 'cld-1'
+      assert_equal '200', response.code
+    end
+  end
+  
+end

data/test/controllers/metadata_controller_test.rb

@@ -0,0 +1,25 @@
+require 'test_helper'
+
+class MetadataControllerTest < ActionController::TestCase
+  tests Maestrano::Rails::MetadataController
+  
+  context "unauthenticated" do
+    should "deny access" do
+      get :index
+      assert_equal '401', response.code
+    end
+  end
+  
+  context "authenticated" do
+    setup do
+      @request.env["HTTP_AUTHORIZATION"] = "Basic " + Base64.encode64("#{Maestrano.param('api.id')}:#{Maestrano.param('api.key')}")
+    end
+    
+    should "be successful" do
+      get :index
+      assert_equal '200', response.code
+      assert_equal Maestrano.to_metadata.to_json, response.body
+    end
+  end
+  
+end

data/test/controllers/saml_controller_test.rb

@@ -0,0 +1,123 @@
+require 'test_helper'
+
+class SamlBaseControllerTest < ActionController::TestCase
+  tests Maestrano::Auth::SamlController
+  
+  context "init phase" do
+    setup do
+      @req = mock('saml_request_instance')
+      @req_params = {'controller' => 'maestrano/auth/saml', 'action' => 'init', 'a_param' => 'value'}
+      @req.stubs(:redirect_url).returns("http://idpprovider.com?r=request")
+      
+    end
+    
+    should "create a saml request using params and session and redirect the user" do
+      Maestrano::Saml::Request.stubs(:new).with(@req_params,@request.session).returns(@req)
+      get :init, a_param: 'value'
+      assert_redirected_to @req.redirect_url
+    end
+    
+    should "create a saml request successfully if a maestrano session is already set" do
+      @request.session[:mno_uid] = 'usr-1'
+      @request.session[:mno_session] = 'fdsf544fd5sd4f'
+      @request.session[:mno_session_recheck] = Time.now.utc.iso8601
+      @request.session[:mno_group_uid] = 'cld-1'
+      
+      Maestrano::Saml::Request.stubs(:new).with(@req_params,@request.session).returns(@req)
+      get :init, a_param: 'value'
+      assert_redirected_to @req.redirect_url
+    end
+  end
+  
+  context "consume phase" do
+    setup do
+      @saml_attr = {
+        'mno_session'          => 'f54sd54fd64fs5df4s3d48gf2',
+        'mno_session_recheck'  => Time.now.utc.iso8601,
+        'group_uid'            => 'cld-1',
+        'group_end_free_trial' => Time.now.utc.iso8601,
+        'group_role'           => 'Admin',
+        'uid'                  => "usr-1",
+        'virtual_uid'          => "usr-1.cld-1",
+        'email'                => "j.doe@doecorp.com",
+        'virtual_email'        => "usr-1.cld-1@mail.maestrano.com",
+        'name'                 => "John",
+        "surname"              => "Doe",
+        "country"              => "AU",
+        "company_name"         => "DoeCorp"
+      }
+      @saml_resp = mock('saml_response')
+      @saml_resp.stubs(:attributes).returns(@saml_attr)
+      @saml_resp.stubs(:validate!).returns(true)
+      Maestrano::Saml::Response.stubs(:new).returns(@saml_resp)
+    end
+    
+    should "set a saml_request in scope" do
+      post :consume, SAMLResponse: "g45ad5v40xc4b3fd478"
+      assert_equal @saml_resp, @controller.saml_response
+    end
+    
+    should "set the user_auth_hash in scope" do
+      post :consume, SAMLResponse: "g45ad5v40xc4b3fd478"
+      expected_hash = Maestrano::SSO::BaseUser.new(@saml_resp).to_hash
+      assert_equal expected_hash, @controller.user_auth_hash
+    end
+    
+    should "set the group_auth_hash in scope" do
+      post :consume, SAMLResponse: "g45ad5v40xc4b3fd478"
+      expected_hash = Maestrano::SSO::BaseGroup.new(@saml_resp).to_hash
+      assert_equal expected_hash, @controller.group_auth_hash
+    end
+    
+    should "set the user_group_rel_hash in scope" do
+      post :consume, SAMLResponse: "g45ad5v40xc4b3fd478"
+      expected_hash = {
+        provider: 'maestrano',
+        user_uid: @saml_attr['uid'],
+        group_uid: @saml_attr['group_uid'],
+        role: @saml_attr['group_role'],
+      }
+      assert_equal expected_hash, @controller.user_group_rel_hash
+    end
+    
+    should "set the maestrano session" do
+      post :consume, SAMLResponse: "g45ad5v40xc4b3fd478"
+      decrypted_session = JSON.parse(Base64.decode64(@request.session[:maestrano]))
+      
+      assert_equal @saml_attr['uid'], decrypted_session['uid']
+      assert_equal @saml_attr['mno_session'], decrypted_session['session']
+      assert_equal @saml_attr['mno_session_recheck'], decrypted_session['session_recheck']
+      assert_equal @saml_attr['group_uid'], decrypted_session['group_uid']
+    end
+    
+    should "reset the maestrano session successfully if one already exists" do
+      params = {
+        uid: 'usr-1',
+        session: 'fdsf544fd5sd4f',
+        session_recheck: Time.now.utc.iso8601,
+        group_uid: 'cld-1'
+      }
+      @request.session[:maestrano] = Base64.encode64(params.to_json)
+      
+      post :consume, SAMLResponse: "g45ad5v40xc4b3fd478"
+      decrypted_session = JSON.parse(Base64.decode64(@request.session[:maestrano]))
+      
+      assert_equal @saml_attr['uid'], decrypted_session['uid']
+      assert_equal @saml_attr['mno_session'], decrypted_session['session']
+      assert_equal @saml_attr['mno_session_recheck'], decrypted_session['session_recheck']
+      assert_equal @saml_attr['group_uid'], decrypted_session['group_uid']
+    end
+    
+    context "error" do
+      setup do
+        @saml_resp.stubs(:validate!).raises(NoMethodError.new("Bla"))
+      end
+    
+      should "redirect to maestrano on any error" do
+        post :consume, SAMLResponse: "g45ad5v40xc4b3fd478"
+        assert_redirected_to "#{Maestrano::SSO.unauthorized_url}?err=internal"
+      end
+    end
+  end
+  
+end