masq2 1.0.0

data/app/controllers/masq/sites_controller.rb

@@ -0,0 +1,60 @@
+module Masq
+  class SitesController < BaseController
+    before_action :login_required
+    before_action :find_personas, only: [:create, :edit, :update]
+
+    helper_method :site, :persona
+
+    def index
+      @sites = current_account.sites.includes(:persona).order(:url)
+
+      respond_to do |format|
+        format.html
+      end
+    end
+
+    def edit
+      site.persona = current_account.personas.find(params[:persona_id]) if params[:persona_id]
+    end
+
+    def update
+      respond_to do |format|
+        if site.update(site_params)
+          flash[:notice] = t(:release_policy_for_site_updated)
+          format.html { redirect_to(edit_account_site_path(site)) }
+        else
+          format.html { render(action: "edit") }
+        end
+      end
+    end
+
+    def destroy
+      site.destroy
+
+      respond_to do |format|
+        format.html { redirect_to(account_sites_path) }
+      end
+    end
+
+    def create
+    end
+
+    private
+
+    def site
+      @site ||= current_account.sites.find(params[:id])
+    end
+
+    def persona
+      @persona ||= site.persona
+    end
+
+    def find_personas
+      @personas = current_account.personas.order(:title)
+    end
+
+    def site_params
+      params.require(:site).permit(:persona_id, :url, properties: {})
+    end
+  end
+end

data/app/controllers/masq/yubikey_associations_controller.rb

@@ -0,0 +1,25 @@
+module Masq
+  class YubikeyAssociationsController < BaseController
+    before_action :login_required
+
+    def create
+      if current_account.associate_with_yubikey(params[:yubico_otp])
+        flash[:notice] = t(:account_associated_with_yubico_identity)
+      else
+        flash[:alert] = t(:sorry_yubico_one_time_password_incorrect)
+      end
+      respond_to do |format|
+        format.html { redirect_to(edit_account_path) }
+      end
+    end
+
+    def destroy
+      current_account.yubico_identity = nil
+      current_account.save
+
+      respond_to do |format|
+        format.html { redirect_to(edit_account_path, notice: t(:account_disassociated_from_yubico_identity)) }
+      end
+    end
+  end
+end

data/app/helpers/masq/application_helper.rb

@@ -0,0 +1,57 @@
+module Masq
+  module ApplicationHelper
+    def page_title
+      (@page_title ||= nil) ? "#{@page_title} | #{Masq::Engine.config.masq["name"]}" : Masq::Engine.config.masq["name"]
+    end
+
+    def label_tag(field, text = nil, options = {})
+      content_tag(:label, text ? text : field.to_s.humanize, options.reverse_merge(for: field.to_s))
+    end
+
+    def error_messages_for(*objects)
+      render("masq/shared/error_messages", objects: objects.flatten)
+    end
+
+    # Is the current page an identity page? This is used to display
+    # further information (like the endoint url) in the <head>
+    def identity_page?
+      active_page?("accounts" => ["show"])
+    end
+
+    # Is the current page the home page? This is used to display
+    # further information (like the endoint url) in the <head>
+    def home_page?
+      active_page?("info" => ["index"])
+    end
+
+    # Custom label names for request properties (like SReg data)
+    def property_label_text(property)
+      case property.to_sym
+      when :image_default then t(:image_url)
+      when :web_default then t(:website_url)
+      when :web_blog then t(:blog_url)
+      else t(property.to_sym)
+      end
+    end
+
+    def property_label_text_for_type_uri(type_uri)
+      property = Persona.attribute_name_for_type_uri(type_uri)
+      property ? property_label_text(property) : type_uri
+    end
+
+    # Renders a navigation element and marks it as active where
+    # appropriate. See active_page? for details
+    def nav(name, url, pages = nil, active = false)
+      content_tag(:li, link_to(name, url), class: ((active || (pages && active_page?(pages))) ? "act" : nil))
+    end
+
+    # Takes a hash with pages and tells whether the current page is among them.
+    # The keys must be controller names and their value must be an array of
+    # action names. If the array is empty, every action is supposed to be valid.
+    def active_page?(pages = {})
+      is_active = pages.include?(params[:controller])
+      is_active = pages[params[:controller]].include?(params[:action]) if is_active && !pages[params[:controller]].empty?
+      is_active
+    end
+  end
+end

data/app/helpers/masq/personas_helper.rb

@@ -0,0 +1,15 @@
+require "i18n_data"
+
+module Masq
+  module PersonasHelper
+    # get list of codes and names sorted by country name
+    def countries_for_select
+      ::I18nData.countries.map { |pair| pair.reverse }.sort_by(&:first)
+    end
+
+    # get list of codes and names sorted by language name
+    def languages_for_select
+      ::I18nData.languages.map { |pair| pair.reverse }.sort_by(&:first)
+    end
+  end
+end

data/app/helpers/masq/server_helper.rb

@@ -0,0 +1,15 @@
+module Masq
+  module ServerHelper
+    def sreg_request_for_field(field_name)
+      if sreg_request.required.include?(field_name)
+        t(:required)
+      elsif sreg_request.optional.include?(field_name)
+        t(:optional)
+      end
+    end
+
+    def ax_request_for_field(ax_attribute)
+      ax_attribute.required ? t(:required) : t(:optional)
+    end
+  end
+end

data/app/mailers/masq/account_mailer.rb

@@ -0,0 +1,17 @@
+module Masq
+  class AccountMailer < ActionMailer::Base
+    default from: Masq::Engine.config.masq["email"]
+    default_url_options[:host] = Masq::Engine.config.masq["host"]
+
+    def signup_notification(account)
+      raise "send_activation_mail deactivated" unless Masq::Engine.config.masq["send_activation_mail"]
+      @account = account
+      mail(to: account.email, subject: I18n.t(:please_activate_your_account))
+    end
+
+    def forgot_password(account)
+      @account = account
+      mail(to: account.email, subject: I18n.t(:your_request_for_a_new_password))
+    end
+  end
+end

data/app/models/masq/account.rb

@@ -0,0 +1,245 @@
+require "digest/sha1"
+
+module Masq
+  class Account < ActiveRecord::Base
+    has_many :personas, ->() { order(:id) }, dependent: :delete_all
+    has_many :sites, dependent: :destroy
+    belongs_to :public_persona, class_name: "Persona", optional: true
+
+    validates_presence_of :login
+    validates_length_of :login, within: 3..254
+    validates_uniqueness_of :login, case_sensitive: false
+    validates_format_of :login, with: /\A[A-Za-z0-9_@.-]+\z/
+    validates_presence_of :email
+    validates_uniqueness_of :email, case_sensitive: false
+    validates_format_of :email, with: /(\A([^@\s]+)@((?:[-_a-z0-9]+\.)+[a-z]{2,})\z)/i, allow_blank: true
+    validates_presence_of :password, if: :password_required?
+    validates_presence_of :password_confirmation, if: :password_required?
+    validates_length_of :password, within: 6..40, if: :password_required?
+    validates_confirmation_of :password, if: :password_required?
+    # check `rake routes' for whether this list is still complete when routes are changed
+    validates_exclusion_of :login, in: %w[account session password help safe-login forgot_password reset_password login logout server consumer]
+
+    before_save :encrypt_password
+    after_save :deliver_forgot_password
+
+    # attr_accessible :login, :email, :password, :password_confirmation, :public_persona_id, :yubikey_mandatory
+    attr_accessor :password
+
+    class ActivationCodeNotFound < StandardError; end
+
+    class AlreadyActivated < StandardError
+      attr_reader :user, :message
+      def initialize(account, message = nil)
+        @message, @account = message, account
+      end
+    end
+
+    class << self
+      # Finds the user with the corresponding activation code, activates their account and returns the user.
+      #
+      # Raises:
+      # [Account::ActivationCodeNotFound] if there is no user with the corresponding activation code
+      # [Account::AlreadyActivated] if the user with the corresponding activation code has already activated their account
+      def find_and_activate!(activation_code)
+        raise ArgumentError if activation_code.nil?
+        user = find_by(activation_code: activation_code)
+        raise ActivationCodeNotFound unless user
+        raise AlreadyActivated.new(user) if user.active?
+        user.send(:activate!)
+        user
+      end
+
+      # Authenticates a user by their login name and password.
+      # Returns the user or nil.
+      def authenticate(login, password, basic_auth_used = false)
+        a = find_by(login: login)
+        if a.nil? && Masq::Engine.config.masq["create_auth_ondemand"]["enabled"]
+          # Need to set some password - but is never used
+          pw = if Masq::Engine.config.masq["create_auth_ondemand"]["random_password"]
+            SecureRandom.hex(13)
+          else
+            password
+          end
+          signup = Masq::Signup.create_account!(
+            login: login,
+            password: pw,
+            password_confirmation: pw,
+            email: "#{login}@#{Masq::Engine.config.masq["create_auth_ondemand"]["default_mail_domain"]}",
+          )
+          a = signup.account if signup.succeeded?
+        end
+
+        if !a.nil? && a.active? && a.enabled
+          if a.authenticated?(password) || (Masq::Engine.config.masq["trust_basic_auth"] && basic_auth_used)
+            a.last_authenticated_at = Time.now.utc
+            a.last_authenticated_by_yubikey = a.authenticated_with_yubikey?
+            a.save(validate: false)
+            a
+          end
+        end
+      end
+
+      # Encrypts some data with the salt.
+      def encrypt(password, salt)
+        Digest::SHA1.hexdigest("--#{salt}--#{password}--")
+      end
+
+      # Receives a login token which consists of the users password and
+      # a Yubico one time password (the otp is always 44 characters long)
+      def split_password_and_yubico_otp(token)
+        token.reverse!
+        yubico_otp = token.slice!(0..43).reverse
+        password = token.reverse
+        [password, yubico_otp]
+      end
+
+      # Returns the first twelve chars from the Yubico OTP,
+      # which are used to identify a Yubikey
+      def extract_yubico_identity_from_otp(yubico_otp)
+        yubico_otp[0..11]
+      end
+
+      # Utilizes the Yubico library to verify a one time password
+      def verify_yubico_otp(otp)
+        Yubikey::OTP::Verify.new(otp).valid?
+      rescue Yubikey::OTP::InvalidOTPError
+        false
+      end
+    end
+
+    def to_param
+      login
+    end
+
+    # The existence of an activation code means they have not activated yet
+    def active?
+      activation_code.nil?
+    end
+
+    def activate!
+      @activated = true
+      self.activated_at = Time.now.utc
+      self.activation_code = nil
+      save
+    end
+
+    # True if the user has just been activated
+    def pending?
+      @activated ||= false
+    end
+
+    # Does the user have the possibility to authenticate with a one time password?
+    def has_otp_device?
+      !yubico_identity.nil?
+    end
+
+    # Encrypts the password with the user salt
+    def encrypt(password)
+      self.class.encrypt(password, salt)
+    end
+
+    def authenticated?(password)
+      if password.nil?
+        false
+      elsif password.length < 50 && !(yubico_identity? && yubikey_mandatory?)
+        encrypt(password) == crypted_password
+      elsif Masq::Engine.config.masq["can_use_yubikey"]
+        password, yubico_otp = self.class.split_password_and_yubico_otp(password)
+        @authenticated_with_yubikey = yubikey_authenticated?(yubico_otp) if encrypt(password) == crypted_password
+      end
+    end
+
+    # Is the Yubico OTP valid and belongs to this account?
+    def yubikey_authenticated?(otp)
+      if yubico_identity? && self.class.verify_yubico_otp(otp)
+        (self.class.extract_yubico_identity_from_otp(otp) == yubico_identity)
+      else
+        false
+      end
+    end
+
+    def authenticated_with_yubikey?
+      @authenticated_with_yubikey ||= false
+    end
+
+    def associate_with_yubikey(otp)
+      if self.class.verify_yubico_otp(otp)
+        self.yubico_identity = self.class.extract_yubico_identity_from_otp(otp)
+        save(validate: false)
+      else
+        false
+      end
+    end
+
+    def remember_token?
+      remember_token_expires_at && Time.now.utc < remember_token_expires_at
+    end
+
+    # These create and unset the fields required for remembering users between browser closes
+    def remember_me
+      remember_me_for(2.weeks)
+    end
+
+    def remember_me_for(time)
+      remember_me_until(time.from_now.utc)
+    end
+
+    def remember_me_until(time)
+      self.remember_token_expires_at = time
+      self.remember_token = encrypt("#{email}--#{remember_token_expires_at}")
+      save(validate: false)
+    end
+
+    def forget_me
+      self.remember_token_expires_at = nil
+      self.remember_token = nil
+      save(validate: false)
+    end
+
+    def forgot_password!
+      @forgotten_password = true
+      make_password_reset_code
+      save
+    end
+
+    # First update the password_reset_code before setting the
+    # reset_password flag to avoid duplicate email notifications.
+    def reset_password
+      update_attribute(:password_reset_code, nil)
+      @reset_password = true
+    end
+
+    def recently_forgot_password?
+      @forgotten_password ||= false
+    end
+
+    def recently_reset_password?
+      @reset_password ||= false
+    end
+
+    def disable!
+      update_attribute(:enabled, false)
+    end
+
+    protected
+
+    def encrypt_password
+      return if password.blank?
+      self.salt = Digest::SHA1.hexdigest("--#{Time.now}--#{login}--") if new_record?
+      self.crypted_password = encrypt(password)
+    end
+
+    def password_required?
+      crypted_password.blank? || !password.blank?
+    end
+
+    def make_password_reset_code
+      self.password_reset_code = Digest::SHA1.hexdigest(Time.now.to_s.split("").sort_by { rand }.join)
+    end
+
+    def deliver_forgot_password
+      Masq::AccountMailer.forgot_password(self).deliver_now if recently_forgot_password?
+    end
+  end
+end

data/app/models/masq/open_id_request.rb

@@ -0,0 +1,42 @@
+module Masq
+  class OpenIdRequest < ActiveRecord::Base
+    validates_presence_of :token, :parameters
+
+    before_validation :make_token, on: :create
+
+    if Rails.gem_version >= Gem::Version.create("6.1")
+      serialize :parameters, type: Hash, coder: JSON
+    else # Rails 5.2 & 6.0
+      serialize :parameters, JSON
+    end
+
+    def parameters
+      self[:parameters]
+    end
+
+    def parameters=(params)
+      self[:parameters] =
+        case params
+          # arbitrary params passed as Hash
+        when Hash
+          params.delete_if { |k, _v| k.index("openid.") != 0 }
+          # params from ActionController (does not inherit directly from HashWithIndifferentAccess after Rails 4.2)
+        when ActionController::Parameters
+          params.to_unsafe_h.delete_if { |k, _v| k.index("openid.") != 0 }
+        end
+    end
+
+    def from_trusted_domain?
+      host = URI.parse(parameters["openid.realm"] || parameters["openid.trust_root"]).host
+      return false if Masq::Engine.config.masq["trusted_domains"].nil?
+
+      Masq::Engine.config.masq["trusted_domains"].find { |domain| host.to_s.ends_with?(domain) }
+    end
+
+    protected
+
+    def make_token
+      self.token = Digest::SHA1.hexdigest(Time.now.to_s.split("").sort_by { rand }.join)
+    end
+  end
+end

data/app/models/masq/persona.rb

@@ -0,0 +1,61 @@
+module Masq
+  class Persona < ActiveRecord::Base
+    belongs_to :account
+    has_many :sites, dependent: :destroy
+
+    validates_presence_of :account
+    validates_presence_of :title
+    validates_uniqueness_of :title, scope: :account_id
+
+    before_destroy :check_deletable!
+
+    # attr_protected :account_id, :deletable
+
+    class << self
+      def properties
+        mappings.keys
+      end
+
+      def attribute_name_for_type_uri(type_uri)
+        prop = mappings.detect { |i| i[1].include?(type_uri) }
+        prop ? prop[0] : nil
+      end
+
+      # Mappings for SReg names and AX Type URIs to attributes
+      def mappings
+        Masq::Engine.config.masq["attribute_mappings"]
+      end
+    end
+
+    public
+
+    # Returns the personas attribute for the given SReg name or AX Type URI
+    def property(type)
+      prop = Persona.mappings.detect { |i| i[1].include?(type) }
+      prop ? send(prop[0]).to_s : nil
+    end
+
+    def date_of_birth
+      "#{dob_year? ? dob_year : "0000"}-#{dob_month? ? dob_month.to_s.rjust(2, "0") : "00"}-#{dob_day? ? dob_day.to_s.rjust(2, "0") : "00"}"
+    end
+
+    def fullname=(name)
+      self.firstname, self.surname = name.to_s.split(" ")
+      self.surname ||= firstname
+      self[:fullname] = name
+    end
+
+    def date_of_birth=(dob)
+      res = dob.split("-")
+      self.dob_year = res[0]
+      self.dob_month = res[1]
+      self.dob_day = res[2]
+    end
+
+    protected
+
+    def check_deletable!
+      raise ActiveRecord::RecordNotDestroyed unless deletable
+    end
+  end
+end

data/app/models/masq/release_policy.rb

@@ -0,0 +1,11 @@
+module Masq
+  class ReleasePolicy < ActiveRecord::Base
+    belongs_to :site
+
+    validates_presence_of :site
+    validates_presence_of :property
+    validates_uniqueness_of :property, scope: [:site_id, :type_identifier]
+
+    # attr_accessible :property, :type_identifier
+  end
+end

data/app/models/masq/site.rb

@@ -0,0 +1,68 @@
+module Masq
+  class Site < ActiveRecord::Base
+    belongs_to :account
+    belongs_to :persona
+    has_many :release_policies, dependent: :destroy
+
+    validates_presence_of :url, :persona, :account
+    validates_uniqueness_of :url, scope: :account_id
+    # attr_accessible :url, :persona_id, :properties, :ax_fetch, :sreg
+
+    # Sets the release policies by first deleting the old ones and
+    # then appending a new one for every given sreg and ax property.
+    # This setter is used to set the attributes received from the
+    # update site form, so it gets passed AX and SReg properties.
+    # To be backwards compatible (SReg seems to be obsolete now that
+    # there is AX), SReg properties get a type_identifier matching
+    # their property name so that they can be distinguished from AX
+    # properties (see the sreg_properties and ax_properties getters).
+    def properties=(props)
+      release_policies.destroy_all
+      props.each_pair do |property, details|
+        release_policies.build(property: property, type_identifier: details["type"]) if details["value"]
+      end
+    end
+
+    # Generates a release policy for each property that has a value.
+    # This setter is used in the server controllers complete action
+    # to set the attributes recieved from the decision form.
+    def ax_fetch=(props)
+      props.each_pair do |property, details|
+        release_policies.build(property: property, type_identifier: details["type"]) if details["value"]
+      end
+    end
+
+    # Generates a release policy for each SReg property.
+    # This setter is used in the server controllers complete action
+    # to set the attributes recieved from the decision form.
+    def sreg=(props)
+      props.each_key do |property|
+        release_policies.build(property: property, type_identifier: property)
+      end
+    end
+
+    # Returns a hash with all released SReg properties. SReg properties
+    # have a type_identifier matching their property name
+    def sreg_properties
+      props = {}
+      release_policies.each do |rp|
+        is_sreg = (rp.property == rp.type_identifier)
+        props[rp.property] = persona.property(rp.property) if is_sreg
+      end
+      props
+    end
+
+    # Returns a hash with all released AX properties.
+    # AX properties have a URL as type_identifier.
+    def ax_properties
+      props = {}
+      release_policies.each do |rp|
+        if rp.type_identifier.match?("://")
+          props["type.#{rp.property}"] = rp.type_identifier
+          props["value.#{rp.property}"] = persona.property(rp.type_identifier)
+        end
+      end
+      props
+    end
+  end
+end

data/app/views/layouts/masq/base.html.erb

@@ -0,0 +1,70 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title><%=h page_title %></title>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <% if identity_page? %>
+    <meta http-equiv="X-XRDS-Location" content="<%= identity_url(:account => @account, :format => :xrds, :protocol => scheme) %>" />
+    <link rel="openid.server openid2.provider" href="<%= endpoint_url %>" />
+    <% elsif home_page? %>
+    <meta http-equiv="X-XRDS-Location" content="<%= server_url(:format => :xrds, :protocol => scheme) %>" />
+    <% end %>
+    <link rel="seatbelt.config" type="application/xml" href="<%= seatbelt_config_url(:format => :xml, :protocol => scheme) %>" />
+    <link rel="Shortcut Icon" href="/favicon.ico" type="image/x-icon" />
+    <link rel="icon" href="/favicon.ico" type="image/ico" />
+    <%= stylesheet_link_tag 'masq/application' %>
+    <%= csrf_meta_tags %>
+  </head>
+  <body>
+    <div id="head">
+      <div class="wrap">
+        <h1><%= link_to Masq::Engine.config.masq['name'], root_path %></h1>
+        <ul id="navi">
+        <% if logged_in? %>
+          <% unless checkid_request %>
+          <%= nav t(:nav_identity), identity_path(current_account), 'accounts' => ['show'] %>
+          <%= nav t(:nav_profile), edit_account_path, 'accounts' => ['edit', 'update'] %>
+          <%= nav t(:nav_personas), account_personas_path, 'personas' => [] %>
+          <%= nav t(:nav_trusted_sites), account_sites_path, 'sites' => [] %>
+          <% if not auth_type_used == :basic %>
+            <%= nav t(:logout), logout_path %>
+          <% end %>
+          <% else %>
+          <%= nav t(:current_verification_request), proceed_path, 'server' => [] %>
+          <% end %>
+        <% else %>
+          <%= nav t(:login_link), login_path, 'sessions' => ['new', 'create'] %>
+          <% unless Masq::Engine.config.masq['disable_registration'] %>
+            <%= nav t(:signup_link), new_account_path, 'accounts' => ['new', 'create'] %>
+          <% end %>
+          <%= nav t(:help), help_path, 'info' => ['help'] %>
+        <% end %>
+        </ul>
+      </div>
+    </div>
+    <div id="main">
+      <div class="wrap">
+        <% if flash[:notice] %><div class="notice"><%=simple_format h(flash[:notice]) %></div><% end %>
+        <% if flash[:alert] %>
+      <div class="error">
+        <%=simple_format h(flash[:alert]) %>
+
+        <% unless params[:resend_activation_for].blank? -%>
+          <%= button_to t(:resend_activation_email), resend_activation_email_path(:account => params[:resend_activation_for]) -%>
+        <%- end %>
+      </div>
+    <% end %>
+        <%= yield %>
+      </div>
+    </div>
+    <div id="foot">
+      <div class="wrap">
+        <span class="note">
+          powered by <%= link_to 'masq', 'https://github.com/oauth-xx/masq2' %>
+          and <%= link_to image_tag('masq/openid_symbol.png') + " OpenID", 'https://openid.net/' %> |
+          <%= link_to t(:get_help), help_path %>
+        </span>
+      </div>
+    </div>
+  </body>
+</html>