model_security_generator 0.0.1

data/templates/once.rb

@@ -0,0 +1,36 @@
+# Do something only once. Called this way:
+#
+#  once('variable-name') { block }
+#
+# *variable-name* is a string. The corresponding variable is referenced
+# within the block's binding using eval().
+#
+# If the variable doesn't exist, or if it's false or nil:
+#       The block is executed.
+#       The variable is set to true, within the block's binding.
+#       True is returned.
+#
+# If the variable is true:
+#
+#       False is returned.
+#
+# Although this will by default create a simple boolean, more complex
+# variables such as object.method calls, array and hash references work
+# fine. I've used it effectively with 2-dimensional hashes.
+#
+# Copyright (C) 2005 Bruce Perens <bruce@perens.com>
+# Distributable under the same license as Ruby.
+def once var, &block
+  begin
+    result = eval(var, block.binding)
+  rescue NameError
+    result = false
+  end
+  if not result
+    eval(var + " = true", block.binding)
+    yield
+    true
+  else
+    false
+  end
+end

data/templates/scaffold.css

@@ -0,0 +1,74 @@
+body { background-color: #fff; color: #333; }
+
+body, p, ol, ul, td {
+  font-family: verdana, arial, helvetica, sans-serif;
+  font-size:   13px;
+  line-height: 18px;
+}
+
+pre {
+  background-color: #eee;
+  padding: 10px;
+  font-size: 11px;
+}
+
+a { color: #000; }
+a:visited { color: #666; }
+a:hover { color: #fff; background-color:#000; }
+
+.fieldWithErrors {
+  padding: 2px;
+  background-color: red;
+  display: table;
+}
+
+#ErrorExplanation {
+  width: 400px;
+  border: 2px solid 'red';
+  padding: 7px;
+  padding-bottom: 12px;
+  margin-bottom: 20px;
+  background-color: #f0f0f0;
+}
+
+#ErrorExplanation h2 {
+  text-align: left;
+  font-weight: bold;
+  padding: 5px 5px 5px 15px;
+  font-size: 12px;
+  margin: -7px;
+  background-color: #c00;
+  color: #fff;
+}
+
+#ErrorExplanation p {
+  color: #333;
+  margin-bottom: 0;
+  padding: 5px;
+}
+
+#ErrorExplanation ul li {
+  font-size: 12px;
+  list-style: square;
+}
+
+div.uploadStatus {
+  margin: 5px;
+}
+
+div.progressBar {
+  margin: 5px;
+}
+
+div.progressBar div.border {
+  background-color: #fff;
+  border: 1px solid grey;
+  width: 100%;
+}
+
+div.progressBar div.background {
+  background-color: #333;
+  height: 18px;
+  width: 0%;
+}
+

data/templates/scaffold.rhtml

@@ -0,0 +1,11 @@
+<html>
+<head>
+  <title>: <%= controller.action_name %></title>
+  <%= stylesheet_link_tag 'scaffold' %>
+</head>
+<body>
+
+<%= @content_for_layout %>
+
+</body>
+</html>

data/templates/schema.sql

@@ -0,0 +1,4 @@
+create database model_security_demo;
+use model_security_demo;
+source users.sql;
+grant all on model_security_demo.* to 'm_s_demo'@'localhost';

data/templates/standard.css

@@ -0,0 +1,7 @@
+.flash {
+	text-align: center;
+	background-color: #C0C0FF;
+	border: medium double #FF0000;
+	margin: 4px;
+}
+

data/templates/standard.rhtml

@@ -0,0 +1,16 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+  <link href="/stylesheets/standard.css" rel="stylesheet" type="text/css" /> 
+</head>
+<body class="page">
+<% if flash['notice'] %>
+  <center>
+  <div class="flash">
+    <%=h flash['notice'] %>
+  </div>
+  </center>
+<% end %>
+<%= @content_for_layout %>
+</body>
+</html>

data/templates/user.rb

@@ -0,0 +1,328 @@
+require 'digest/sha2'
+require 'model_security'
+
+# A generic user login facility. Provides a user login, password
+# management, and administrative facilities. Logs users in via HTTP Basic
+# authentication, a login form, or a security token. Maintains the login
+# state using Session.
+#
+# I started out with the Salted Hash login generator, and essentially rewrote
+# the whole thing, learning a lot from the previous versions. This is not a
+# criticism of the previous work, my goals were different. So, it's fair to
+# say that this is derived from the work of Joe Hosteny and Tobias Leutke.
+#
+class User < ActiveRecord::Base
+  # This causes the security features to be added to the model.
+  include ModelSecurity
+
+private
+  attr_accessible :login, :name, :email, :password, :password_confirmation, \
+   :old_password
+
+  # Hash a given password with the salt. This method localizes the encryption
+  # function so that it can be easily changed.
+  def encypher(s)
+    Digest::SHA512.hexdigest(salt + s)
+  end
+
+  # Create a new user record.
+  #
+  # This is either used to create an ephemeral prototype object to initialize
+  # a form, or an object resulting from a form submission that will become a
+  # persistent record.
+  #
+  def initialize(attributes = nil)
+    super
+
+    if password
+      @password_is_new = true
+    end
+  end
+
+  # Returns true if it is intended that the password be replaced when this
+  # record is saved.
+  def password_new?
+    @password_is_new
+  end
+
+  Char64 = (('a'..'z').collect + ('A'..'Z').collect + ('0'..'9').collect + ['.','/']).freeze
+
+  # Create a security token for use in logging in a user who has forgotten
+  # his password or has just created his login.
+  def token_string(n)
+    s = ""
+    n.times { s << Char64[(Time.now.tv_usec * rand) % 64] }
+    s
+  end
+
+  # Validates that initialize() sets @password_is_new to true, so that
+  # password validation works correctly. This would fail only in the case 
+  # of a programming error.
+  def validate_on_create
+    password_new?
+  end
+
+  # Validates that if we're changing the password or email, the old password
+  # has been given and matches the record. This is a defense against
+  # cookie-capture attacks.
+  def validate_on_update
+    if not (id.nil? or User.admin?) and (password_new? or @email_is_new)
+      if encypher(old_password) != cypher
+        errors.add(:old_password, "The old password doesn't match.")
+        return false
+      end
+    end
+    true
+  end
+
+  before_save :prepare_save
+
+  validates_presence_of :login
+  validates_uniqueness_of :login
+  validates_uniqueness_of :email
+  validates_format_of :email, \
+   :with => /^([^@\s]+)@((?:[-a-z0-9]+\.)+[a-z]{2,})$/
+  validates_presence_of :password, :if => :password_new?
+  validates_presence_of :password_confirmation, :if => :password_new?
+  validates_length_of :login, :within => 3..80
+  validates_length_of :password, :within => 5..128, :if => :password_new?
+  validates_confirmation_of :password, :if => :password_new?
+
+  # Here are the new model security specifications. 
+
+  # These just control display.
+  let_display :all, :if => :never?
+  let_display :login, :name, :email
+
+  # These control both reading and writing.
+
+  # Let the administrator access all data. This implements a Unix-like
+  # super-user. Note that the coarse-grained override of the super-user
+  # is not a _necessary_ pattern for the ModelSecurity module, you can
+  # implement controls as fine-grained as you like.
+  let_access :all, :if => :admin?
+
+  # These control reading of model attributes.
+
+  # The controller before_filter require_admin tests if the current user
+  # is the administrator, thus we have to make the admin attribute readable
+  # by all. We would not have to make it readable were admin? only being
+  # used as a security test, as security tests can access all attributes
+  # with impunity. Login and name are public information.
+  #
+  # FIX: Reading "id" is necessary for Rails internals.
+  # Make it readable by default in the ModelSecurity module.
+  let_read :admin, :id, :login, :name
+
+  # If this is a new (never saved) record, or if this record corresponds to
+  # the currently-logged-in user, allow reading of the email address,
+  # timestamps and lock_version.
+  #
+  # FIX: Lock_version is read by rails internals when a record is saved, 
+  # make it readable by default in the ModelSecurity module. 
+  let_read :created_on, :email, :updated_on, :lock_version, :if => :new_or_me_or_logging_in?
+
+  # These attributes are concerned with login security, and can only be read
+  # while a user is logging in. We create a pseudo-user for the process of
+  # logging in and a security test :logging_in? that tests for that user.
+  let_read :activated, :cypher, :salt, :token, :token_expiry, \
+   :if => :logging_in?
+
+  # These control writing of model attributes.
+
+  # Only in the case of a new (never saved) record can these fields be written.
+  #
+  # FIX: Rails internals writes the ID and created_on. Make this test a
+  # default for :id and :created_on within the ModelSecurity module. Document
+  # it to the user.
+  let_write :id, :created_on, :login, :name, :if => :new_record?
+
+  # Only allow this information to be updated by the user who owns the record,
+  # unless this record is new (has never been saved).
+  #
+  # FIX: There should be a default write permission for updated_on and
+  # lock_version within the ModelSecurity module, as Rails internals
+  # write them.
+  let_write :cypher, :email, :salt, :if => :new_or_me?
+
+  # The security token can only be changed if we're the special "login" user.
+  let_write :activated, :token, :token_expiry, :if => :logging_in?
+
+  let_write :updated_on, :lock_version, :if => :new_or_me_or_logging_in?
+
+public
+  attr_accessor :password, :password_confirmation, :old_password
+
+  # Change the user's password. Confirm the old password while doing so.
+  def change_password(attributes)
+    @password_is_new = true
+    self.password = attributes['password']
+    self.password_confirmation = attributes['password_confirmation']
+    self.old_password = attributes['old_password']
+  end
+
+  # Change the user's email address.
+  # FIX: send confirmation email.
+  def change_email(attributes)
+    @email_is_new = true
+    self.email = attributes['email']
+    self.old_password = attributes['old_password']
+  end
+
+  # Return the currently-logged-in user.
+  def User.current
+    @current_user
+  end
+
+  # Set the currently-logged-in user.
+  def User.current=(u)
+    @current_user = u
+  end
+
+  # Return true if this record corresponds to the currently-logged-in user.
+  # This is used as a security test.
+  def me?
+    User.current and User.current.id == id
+  end
+
+  # Return true if the currently-logged-in user is the administrator.
+  # Class method. This is used as a pseudo-security test by let_display.
+  def User.admin?
+    return ((current != nil ) and (current.admin.to_i == 1))
+  end
+
+  # Return true if the currently-logged-in user is the administrator.
+  # Instance method. This is used as a security test.
+  def admin?
+    return User.admin?
+  end
+
+  # Return true if the user is currently logging in. This security test allows
+  # us to designate model fields to be visible *only* while a user is logging
+  # in.
+  def logging_in?
+    # FIX: create a real login user.
+    return User.current.nil?
+  end
+
+  def User.login_user
+    # FIX: create a real login user.
+    nil
+  end
+
+  # Return true if the user record is new (never been saved) or if it
+  # corresponds to the currently-logged-in user. This security test is
+  # a common pattern applied to a number of user record attributes.
+  def new_or_me?
+    new_record? or User.current == self
+  end
+
+  # Return true if the user record is new (never been saved) or if it
+  # corresponds to the currently-logged-in user, or if the current user
+  # is the special "login" user. This security test is a common pattern
+  # applied to a number of user record attributes.
+  def new_or_me_or_logging_in?
+    new_record? or User.current == self or logging_in?
+  end
+
+  # Create a new security token, or if the current one is not yet expired,
+  # return the current one. Should only be called with nobody logged in, it
+  # will log out the current user if one is logged in.
+  # Instance method.
+  def new_token
+    User.current = User.login_user
+    if token == '' or token_expiry < Time.now
+      self.token = token_string(10)
+      self.token_expiry = 7.days.from_now
+      result = save
+    end
+    User.current = nil
+    return token
+  end
+
+  # Create a new security token, or if the current one is not yet expired,
+  # return the current one. Should only be called with nobody logged in, it
+  # will log out the current user if one is logged in.
+  # Class method.
+  def User.new_token(address)
+    u = User.find_first(['email = ?', email])
+    u.new_token
+  end
+
+  # Encrypt the password before saving. Then wipe out the provided plaintext
+  # password, so that it won't trigger unnecessary security tests and
+  # validations the next time this record is saved. Wiping out the plaintext
+  # is more secure, anyway.
+  def prepare_save
+    # The salt is used to add a random factor to the plaintext. This might
+    # make some cryptographic attacks more difficult.
+    if password_new?
+      self.salt = token_string(40)
+      self.cypher = encypher(password)
+
+      self.password = nil
+      self.password_confirmation = nil
+      @password_is_new = nil
+    end
+    true
+  end
+
+  # Log off the current user.
+  def User.sign_off
+    User.current = nil
+  end
+
+  # Log on the user for this record, given a password. Instance method.
+  def sign_on(pass)
+    User.current = User.login_user
+    begin
+      if (activated == 1) and (pass != nil) and (encypher(pass) == cypher)
+        return (User.current = self)
+      end
+    rescue
+    end
+    User.current = nil
+  end
+
+  # Log on the user for this record, given a user name and password.
+  # Class method.
+  def User.sign_on(handle, pwd)
+    user = find_first(['login = ?', handle])
+    if user
+      user.sign_on(pwd)
+    else
+      nil
+    end
+  end
+
+  # Continue the current login, from the session data.
+  # This should be called by User.setup .
+  def User.sign_on_by_session(user_id)
+    begin
+      return (User.current = User.find(user_id))
+    rescue
+    end
+    return nil
+  end
+
+  # Sign on the user using a security token. Instance method.
+  def sign_on_by_token(t)
+    User.current = User.login_user
+    if t == token and (token_expiry >= Time.now)
+      self.token = ""
+      self.token_expiry = Time.now
+      self.activated = 1
+      save
+      User::current = self
+      return self;
+    end
+    return nil
+  end
+
+  # Sign on the user using an ID (record index) and security token.
+  # Class method.
+  def User.sign_on_by_token(id, token)
+    u = User.find(id)
+    return u.sign_on_by_token(token)
+  end
+end

data/templates/user_controller.rb

@@ -0,0 +1,178 @@
+# The HTTP authorization code is
+# derived from an example published by Maximillian Dornseif at
+# http://blogs.23.nu/c0re/stories/7409/
+# which was released for use under any license.
+#
+# I started out with the Salted Hash login generator, and essentially rewrote
+# the whole thing, learning a lot from the previous versions. This is not a
+# criticism of the previous work, my goals were different. So, it's fair to
+# say that this is derived from the work of Joe Hosteny and Tobias Leutke.
+#
+class UserController < ApplicationController
+  # helper ModelSecurity
+
+private
+  # Require_admin will require an administrative login before the action
+  # can be called. It uses Modal, so it will continue to the action if the 
+  # login is successful.
+  before_filter :require_admin, :only => [ :destroy ]
+
+  # Require_login will require a login before the action
+  # can be called. It uses Modal, so it will continue to the action if the 
+  # login is successful.
+  before_filter :require_login, :only => [ :list, :show ]
+
+  # Cause HTTP Basic validation.
+  # FIX: Basic is not secure. Change to Digest authentication.
+  def http_authorize(realm=@request.domain(2))
+    # This will cause the browser to send HTTP authorization information.
+    @response.headers["Status"] = "Unauthorized" 
+    @response.headers["WWW-Authenticate"] = "Basic realm=\"#{realm}\"" 
+    render :status => 401
+  end
+
+  def initialize
+  end
+
+public
+  scaffold :user
+
+private
+public
+
+  # Activate a new user, having logged in with a security token. All of the
+  # work goes on in user_support.
+  def activate
+  end
+
+  # Destroy a user object.
+  def destroy
+    user = User.find(@params[:id])
+    user.destroy
+    flash['notice'] = 'User destroyed.'
+    redirect_to :action => :list
+  end
+  
+  # Edit a user. Will only allow you to edit what your security clearance
+  # allows, due to the magic of model security.
+  def edit
+    case @request.method
+    when :get
+      @user = User.find(@params[:id])
+    when :post
+      @user = User.find(@params[:id])
+      @user.attributes = @params['user']
+      @user.save
+      redirect_to :action => :list
+    end
+  end
+  
+  # Send out a forgot-password email.
+  def forgot_password
+    case @request.method
+    when :get
+      @user = User.new
+    when :post
+      @user = User.find_first(['email = ?', @params['user']['email']])
+      if @user
+        url = url_for(:controller => 'user', :action => 'activate', :id => @user.id, :token => @user.new_token)
+        UserMailer.deliver_forgot_password(@user, url)
+        render :action => 'forgot_password_done'
+      else
+        flash['notice'] = "Can't find a user with email #{@params['email']}."
+	@user = User.new
+      end
+    end
+  end
+
+  # Tell the user the email's on the way.
+  def forgot_password_done
+  end
+
+  # List users.
+  # FIX: Get away from the scaffold here, and use the login instead of the ID
+  # to access a user record. Using an ID gives outsiders a way to enumerate
+  # the users, which has security implications.
+  def list
+    options = {
+      :per_page => 10,
+      :order_by => 'name, id'
+    }
+
+    @user_pages, @users = paginate(:user, options)
+  end
+
+  # Attempt HTTP authentication, and fall back on a login form.
+  # If this method is called login_admin (it's an alias), keep trying
+  # until an administrator logs in or the user pushes the "back" button.
+  def login
+    if User.current and (admin? or action_name != 'login_admin')
+      redirect_back_or_default :action => :success
+      return
+    end
+
+    @user = User.new
+    
+    http_authorize
+  end
+
+  # Log in an administrator. If a non-administrator logs in, keep trying
+  # until an administrator logs in or the user pushes the "back" button.
+  alias login_admin login
+
+  # Log out the current user, attempt HTTP authentication to log in a new
+  # user. The real reason we put up HTTP authentication here is to make
+  # the browser forget the old authentication data. Otherwise, the browser
+  # keeps sending it!
+  def logout
+    if User.current and @session[:new_login] != true
+      @session[:new_login] = true
+      User.sign_off
+      session[:user_id] = nil
+      @response.headers["Status"] = "Unauthorized" 
+      @response.headers["WWW-Authenticate"] = \
+       "Basic realm=\"#{@request.domain(2)}\"" 
+      @user = User.new
+      render :action => 'login', :status => 401
+    else
+      @session[:new_login] = false
+      if User.current
+        redirect_to :action => 'success'
+      else
+        redirect_to :action => 'login'
+      end
+    end
+  end
+
+  # Create a new user.
+  def new
+    case @request.method
+    when :get
+      @user = User.new
+    when :post
+      @user = User.new(@params['user'])
+      # FIX: Save may fail. Create the email before the record is saved,
+      # deliver it afterward.
+      url = url_for(:controller => 'user', :action => 'activate', :id => @user.id, :token => @user.new_token)
+      UserMailer.deliver_new_user(@user, url)
+      if @user.save
+        flash['notice'] = 'User created.'
+        redirect_to :action => 'success'
+      else
+        flash['notice'] = 'Creation of new user failed.'
+      end
+    end
+  end
+
+  # Display a user's information.
+  # FIX: Use the user's login instead of the record ID.
+  # Using the record ID provides an easy way for outsiders to enumerate the
+  # users, which has security implications.
+  def show
+    @user = User.find(@params[:id])
+  end
+
+  # Tell the user that an action succeeded.
+  def success
+  end
+end

data/templates/user_controller_test.rb

@@ -0,0 +1,20 @@
+require File.dirname(__FILE__) + '/../test_helper'
+require 'user_controller'
+
+# Raise errors beyond the default web-based presentation
+class UserController; def rescue_action(e) raise e end; end
+
+class UserControllerTest < Test::Unit::TestCase
+  fixtures :users
+  
+  def setup
+    @controller = UserController.new
+    @request, @response = ActionController::TestRequest.new, ActionController::TestResponse.new
+    @request.host = "localhost"
+  end
+
+  def test_true
+    true
+  end
+
+end