masq2 1.0.0

data/lib/masq/active_record_openid_store/openid_ar_store.rb

@@ -0,0 +1,58 @@
+require "openid/store/interface"
+
+module Masq
+  # not in OpenID module to avoid namespace conflict
+  class ActiveRecordStore < OpenID::Store::Interface
+    def store_association(server_url, assoc)
+      remove_association(server_url, assoc.handle)
+      Association.create(
+        server_url: server_url,
+        handle: assoc.handle,
+        secret: assoc.secret,
+        issued: assoc.issued,
+        lifetime: assoc.lifetime,
+        assoc_type: assoc.assoc_type,
+      )
+    end
+
+    def get_association(server_url, handle = nil)
+      assocs = if handle.blank?
+        Association.where(server_url: server_url)
+      else
+        Association.where(server_url: server_url, handle: handle)
+      end
+
+      assocs.reverse_each do |assoc|
+        a = assoc.from_record
+        if a.expires_in == 0
+          assoc.destroy
+        else
+          return a
+        end
+      end if assocs.any?
+
+      nil
+    end
+
+    def remove_association(server_url, handle)
+      Association.where("server_url = ? AND handle = ?", server_url, handle).delete_all > 0
+    end
+
+    def use_nonce(server_url, timestamp, salt)
+      return false if Nonce.find_by(server_url: server_url, timestamp: timestamp, salt: salt)
+      return false if (timestamp - Time.now.to_i).abs > OpenID::Nonce.skew
+      Nonce.create(server_url: server_url, timestamp: timestamp, salt: salt)
+      true
+    end
+
+    def cleanup_nonces
+      now = Time.now.to_i
+      Nonce.where("timestamp > ? OR timestamp < ?", now + OpenID::Nonce.skew, now - OpenID::Nonce.skew).delete_all
+    end
+
+    def cleanup_associations
+      now = Time.now.to_i
+      Association.where("issued + lifetime > ?", now).delete_all
+    end
+  end
+end

data/lib/masq/authenticated_system.rb

@@ -0,0 +1,136 @@
+module Masq
+  module AuthenticatedSystem
+    protected
+
+    # Returns true or false if the account is logged in.
+    # Preloads @current_account with the account model if they're logged in.
+    def logged_in?
+      current_account != :false
+    end
+
+    # Accesses the current account from the session.  Set it to :false if login fails
+    # so that future calls do not hit the database.
+    def current_account
+      @current_account ||= login_from_session || login_from_basic_auth || login_from_cookie || :false
+    end
+
+    # Store the given account id in the session.
+    def current_account=(new_account)
+      if auth_type_used != :basic
+        session[:account_id] = (new_account.nil? || new_account.is_a?(Symbol)) ? nil : new_account.id
+      end
+      @current_account = new_account || :false
+    end
+
+    # Check if the account is authorized
+    #
+    # Override this method in your controllers if you want to restrict access
+    # to only a few actions or if you want to check if the account
+    # has the correct rights.
+    #
+    # Example:
+    #
+    #  # only allow nonbobs
+    #  def authorized?
+    #    current_account.login != "bob"
+    #  end
+    def authorized?
+      logged_in?
+    end
+
+    # Filter method to enforce a login requirement.
+    #
+    # To require logins for all actions, use this in your controllers:
+    #
+    #   before_action :login_required
+    #
+    # To require logins for specific actions, use this in your controllers:
+    #
+    #   before_action :login_required, :only => [ :edit, :update ]
+    #
+    # To skip this in a subclassed controller:
+    #
+    #   skip_before_action :login_required
+    #
+    def login_required
+      authorized? || access_denied
+    end
+
+    # Redirect as appropriate when an access request fails.
+    #
+    # The default action is to redirect to the login screen.
+    #
+    # Override this method in your controllers if you want to have special
+    # behavior in case the account is not authorized
+    # to access the requested action.  For example, a popup window might
+    # simply close itself.
+    def access_denied
+      respond_to do |format|
+        format.html do
+          store_location
+          redirect_to(login_path)
+        end
+        format.any do
+          request_http_basic_authentication("Web Password")
+        end
+      end
+    end
+
+    # Store the URI of the current request in the session.
+    #
+    # We can return to this location by calling #redirect_back_or_default.
+    def store_location(url = request.fullpath)
+      session[:return_to] = url
+    end
+
+    # Redirect to the URI stored by the most recent store_location call or
+    # to the passed default.
+    def redirect_back_or_default(default)
+      redirect_to(session[:return_to] || default)
+      session[:return_to] = nil
+    end
+
+    # Inclusion hook to make #current_account and #logged_in?
+    # available as ActionView helper methods.
+    def self.included(base)
+      base.send(:helper_method, :current_account, :logged_in?, :auth_type_used)
+    end
+
+    # Called from #current_account.  First attempt to log in by the account id stored in the session.
+    def login_from_session
+      account = Account.find(session[:account_id]) if session[:account_id]
+      self.auth_type_used = :session if !account.nil?
+      self.current_account = account
+    end
+
+    def auth_type_used
+      @auth_type_used if defined?(@auth_type_used)
+    end
+
+    def auth_type_used= t
+      @auth_type_used = t
+    end
+
+    # Called from #current_account.  Now, attempt to log in by basic authentication information.
+    def login_from_basic_auth
+      authenticate_with_http_basic do |accountname, password|
+        account = Account.authenticate(accountname, password, true)
+        self.auth_type_used = :basic if !account.nil?
+        self.current_account = account
+        account
+      end
+    end
+
+    # Called from #current_account.  Finally, attempt to log in by an expiring token in the cookie.
+    def login_from_cookie
+      account = cookies[:auth_token] && Account.find_by(remember_token: cookies[:auth_token])
+      if account && account.remember_token?
+        account.remember_me
+        cookies[:auth_token] = {value: account.remember_token, expires: account.remember_token_expires_at}
+        self.auth_type_used = :cookie if !account.nil?
+        self.current_account = account
+        account
+      end
+    end
+  end
+end

data/lib/masq/engine.rb

@@ -0,0 +1,12 @@
+require "rails/engine"
+
+module Masq
+  class Engine < ::Rails::Engine
+    # An isolated engine will set its name according to namespace,
+    #   so Masq::Engine.engine_name will be “masq”.
+    # It will also set Masq.table_name_prefix to “masq_”,
+    #   changing the MyEngine::Persona model to use the masq_personas table
+    # See: http://edgeapi.rubyonrails.org/classes/Rails/Engine.html#label-Isolated+Engine
+    isolate_namespace Masq
+  end
+end

data/lib/masq/openid_server_system.rb

@@ -0,0 +1,110 @@
+module Masq
+  # This module is mainly a wrapper for the OpenID::Server functionality provided
+  # by the ruby-openid gem. Included in your server controller it gives you some
+  # helpful methods to access and answer OpenID requests.
+  module OpenidServerSystem
+    protected
+
+    # OpenID store reader, used inside this module
+    # to procide access to the storage machanism
+    def openid_store
+      @openid_store ||= ActiveRecordStore.new
+    end
+
+    # OpenID server reader, use this to access the server
+    # functionality from inside your server controller
+    def openid_server
+      @openid_server ||= OpenID::Server::Server.new(openid_store, endpoint_url)
+    end
+
+    # OpenID parameter reader, use this to access only OpenID
+    # request parameters from inside your server controller
+    def openid_params
+      @openid_params ||= params.permit(params.keys.select { |k| k.start_with?("openid.") })
+    end
+
+    # OpenID request accessor
+    def openid_request
+      @openid_request ||= openid_server.decode_request(openid_params.to_h)
+    end
+
+    # Sets the current OpenID request and resets all dependent requests
+    def openid_request=(req)
+      @openid_request, @sreg_request, @ax_fetch_request, @ax_store_request = req, nil, nil, nil
+    end
+
+    # SReg request reader
+    def sreg_request
+      @sreg_request ||= OpenID::SReg::Request.from_openid_request(openid_request)
+    end
+
+    # Attribute Exchange fetch request reader
+    def ax_fetch_request
+      @ax_fetch_request ||= OpenID::AX::FetchRequest.from_openid_request(openid_request)
+    end
+
+    # Attribute Exchange store request reader
+    def ax_store_request
+      @ax_store_request ||= OpenID::AX::StoreRequest.from_openid_request(openid_request)
+    end
+
+    # PAPE request reader
+    def pape_request
+      @pape_request ||= OpenID::PAPE::Request.from_openid_request(openid_request)
+    end
+
+    # Adds SReg data (Hash) to an OpenID response.
+    def add_sreg(resp, data)
+      sreg_resp = OpenID::SReg::Response.extract_response(sreg_request, data)
+      resp.add_extension(sreg_resp)
+      resp
+    end
+
+    # Adds Attribute Exchange data (Hash) to an OpenID response. See:
+    # http://rakuto.blogspot.com/2008/03/ruby-fetch-and-store-some-attributes.html
+    def add_ax(resp, data)
+      ax_resp = OpenID::AX::FetchResponse.new
+      ax_args = data.reverse_merge("mode" => "fetch_response")
+      ax_resp.parse_extension_args(ax_args)
+      resp.add_extension(ax_resp)
+      resp
+    end
+
+    # Adds PAPE information for your server to an OpenID response.
+    def add_pape(resp, policies = [], nist_auth_level = 0, auth_time = nil)
+      if OpenID::PAPE::Request.from_openid_request(openid_request)
+        paperesp = OpenID::PAPE::Response.new
+        policies.each { |p| paperesp.add_policy_uri(p) }
+        paperesp.nist_auth_level = nist_auth_level
+        paperesp.auth_time = auth_time.utc.iso8601
+        resp.add_extension(paperesp)
+      end
+      resp
+    end
+
+    # Answers check auth and associate requests.
+    def handle_non_checkid_request
+      resp = openid_server.handle_request(openid_request)
+      render_openid_response(resp)
+    end
+
+    # Renders the final response output
+    def render_openid_response(resp)
+      openid_server.signatory.sign(resp) if resp.needs_signing
+      web_response = openid_server.encode_response(resp)
+      case web_response.code
+      when OpenID::Server::HTTP_OK then render(plain: web_response.body, status: 200)
+      when OpenID::Server::HTTP_REDIRECT then redirect_to(web_response.headers["location"])
+      else render(plain: web_response.body, status: 400)
+      end
+    end
+
+    # If the request contains a max_auth_age, the last authentication date
+    # must meet this requirement, otherwise the user has to reauthenticate:
+    # http://openid.net/specs/openid-provider-authentication-policy-extension-1_0-02.html#anchor9
+    def pape_requirements_met?(auth_time)
+      return true unless pape_request && pape_request.max_auth_age
+      (Time.now - auth_time).to_i <= pape_request.max_auth_age
+    end
+  end
+end

data/lib/masq/signup.rb

@@ -0,0 +1,53 @@
+require "digest/sha1"
+
+module Masq
+  class Signup
+    attr_accessor :account
+
+    class << self
+      def create_account!(attrs = {})
+        factory = new(attrs)
+        factory.send(:create_account!)
+        factory
+      end
+    end
+
+    def succeeded?
+      !account.new_record?
+    end
+
+    def send_activation_email?
+      Masq::Engine.config.masq["send_activation_mail"]
+    end
+
+    protected
+
+    def initialize(attrs = {})
+      self.account = Masq::Account.new(attrs)
+    end
+
+    def create_account!
+      return false unless account.valid?
+
+      make_activation_code if send_activation_email?
+      account.save!
+      make_default_persona
+      if send_activation_email?
+        Masq::AccountMailer.signup_notification(account).deliver_now
+      else
+        account.activate!
+      end
+      account
+    end
+
+    def make_activation_code
+      account.activation_code = Digest::SHA1.hexdigest(Time.now.to_s.split("").sort_by { rand }.join)
+    end
+
+    def make_default_persona
+      account.public_persona = account.personas.build(title: "Standard", email: account.email)
+      account.public_persona.deletable = false
+      account.public_persona.save!
+    end
+  end
+end

data/lib/masq/version.rb

@@ -0,0 +1,5 @@
+module Masq
+  module Version
+    VERSION = "1.0.0"
+  end
+end

data/lib/masq.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+# external gems
+require "version_gem"
+
+# this library's version
+require_relative "masq/version"
+
+module Masq
+  # Load order matters here!
+  # This gem must be loaded **after** Rails in order for the Engine to register itself automatically.
+  # Otherwise, you'd have to manually require what you need from below.
+  if defined?(::Rails) && defined?(::Rails::VERSION)
+    begin
+      require_relative "masq/engine"
+      require_relative "masq/authenticated_system"
+      require_relative "masq/openid_server_system"
+      require_relative "masq/active_record_openid_store/association"
+      require_relative "masq/active_record_openid_store/nonce"
+      require_relative "masq/active_record_openid_store/openid_ar_store"
+      require_relative "masq/signup"
+    rescue StandardError, LoadError => error
+      if !defined?(::Rails::Engine)
+        warn("masq2 is a Rails engine, but Rails::Engine isn't defined.")
+      else
+        warn(<<~WARNING)
+          Unable to load masq2. Please check your configuration.
+          If you're using Rails 5.2 or later, you should add masq2 to your Gemfile and run `bundle install`.
+          Then add:
+            require "masq/engine"
+    
+          If unable to resolve, please report a bug to the issue tracker at https://github.com/oauth-xx/masq2
+
+          Original Error:
+          #{error.class}: #{error.message}
+
+          BACKTRACE:
+          #{Array(error.backtrace).join("\n")}
+        WARNING
+      end
+    end
+  else
+    warn("masq2 was loaded before Rails. Please check your configuration.")
+  end
+end
+
+# Ensure version is configured before loading the rest of the library
+Masq::Version.class_eval do
+  extend VersionGem::Basic
+end

data/lib/masq2.rb

@@ -0,0 +1 @@
+require_relative "masq"

data/lib/tasks/masq_tasks.rake

@@ -0,0 +1,58 @@
+namespace :masq do
+  namespace :install do
+    desc "Install configuration and migrations"
+    task :all do
+      %w(config migrations).each { |t| Rake::Task["masq:install:#{t}"].invoke }
+    end
+
+    desc "Copy configuration file from masq to application"
+    task :config do
+      target = Rails.root.join("config/masq.yml")
+      unless File.exist?(target)
+        require "fileutils"
+        source = File.expand_path("../../../config/masq.example.yml", __FILE__)
+        FileUtils.cp(source, target)
+        puts "Created config/masq.yml"
+      end
+    end
+  end
+
+  namespace :openid do
+    desc "Cleanup OpenID store"
+    task cleanup_store: :environment do
+      Masq::ActiveRecordStore.new.cleanup
+    end
+  end
+
+  namespace :test do
+    desc "Prepare CI build task"
+    task :prepare_ci do
+      adapter = ENV["DB_ADAPTER"] || "sqlite3"
+      database = ENV["DB_DATABASE"] || (("sqlite3" == adapter) ? "db/test.sqlite3" : "masq_test")
+
+      config = {
+        "test" => {
+          "adapter" => adapter,
+          "database" => database,
+          "username" => ENV["DB_USERNAME"],
+          "password" => ENV["DB_PASSWORD"],
+          "port" => ENV["DB_PORT"] ? ENV["DB_PORT"].to_i : nil,
+          "socket" => ENV["DB_SOCKET"] ? ENV["DB_SOCKET"] : nil,
+          "host" => "localhost",
+          "encoding" => "utf8",
+          "pool" => 5,
+          "timeout" => 5000,
+        },
+      }
+
+      File.open(Rails.root.join("config/database.yml"), "w") do |f|
+        f.write(config.to_yaml)
+      end
+    end
+
+    desc "Run CI build task"
+    task ci: [:prepare_ci] do
+      Rake::Task["test"].invoke
+    end
+  end
+end

data.tar.gz.sig

@@ -0,0 +1,2 @@
+��1/����ڦ�̍Ȕ���{�T�CC۠�Xx��j��
+�'���mQ'�[��#�mv6,y~VD�n�d����
]�t#o