nitro-auth 0.2.0

data/lib/nitro/auth/controller.rb

@@ -0,0 +1,166 @@
+require 'uri'
+
+require 'glue/configuration'
+
+module Auth
+    # Include this class in any controller that you want to have
+    # authentication and/or authorization on.
+    module Controller
+        # The Auth::User object for the currently logged-in user.
+        # Will be +nil+ if no user is logged in.
+        def user
+            # If we don't have a user yet, see if we can get one via
+            # the session key cookie.
+            if not @user
+                session_key = request.cookies['login_session_key']
+                if session_key
+                    @user = User.find_one(:where => "session_key = '#{session_key}'")
+                end
+            end
+
+            # If we already had a user, or managed to find one above,
+            # check for session expiration.
+            if @user
+                if @user.session_key_expired?
+                    @expired_login = @user.login
+                    @user = nil
+                else
+                    @expired_login = nil
+                end
+            end
+
+            @user
+        end
+        @user = nil
+
+        # Is the current user an administrator?
+        def administrator?
+            user and user.has_role? Auth.admin_role
+        end
+
+        # Is the current user allowed to execute the current action?
+        def allowed?
+            required = required_roles[action_name.intern]
+            not required or (user and user.has_role? required)
+        end
+
+        # Checks the current user's permission to run the current action,
+        # and redirects to the appropriate auth action if a login is needed
+        # or if the current user doesn't have sufficient permissions.
+        def check_permissions
+            if not allowed?
+                store_location
+                redirect "/auth/access_denied" if user
+                redirect URI.escape("/auth/login?login=#{@expired_login}")
+                raise RenderExit
+            end
+        end
+
+        # Stores the current location, so that we can redirect the user
+        # to a login page but get back to where they originally wanted to go.
+        def store_location
+            session["prelogin_uri"] = request.uri
+            session["prelogin_referer"] = request.referer
+        end
+
+        # Spits out a link to the login page if there is no current user,
+        # or to the logout page if there is one.
+        def login_link
+            unless user
+                body.a "Login", :href => "/auth/login"
+            else
+                body.a "Logout", :href => "/auth/logout"
+            end
+        end
+
+        private
+            # If the user had an expired session key, this was their login
+            # name.  Allows being a little friendlier when redirecting and
+            # forcing a new login.
+            @expired_login = nil
+
+            def self.append_features(base)
+                base.module_eval {
+                    private
+                        # Make sure that @@required_roles is a class variable
+                        # on the controller class, and not on Auth::Controller.
+                        @@required_roles = Hash.new
+                        def self.required_roles
+                            @@required_roles
+                        end
+                        def required_roles
+                            @@required_roles
+                        end
+
+                        # @@protected_methods also needs to be a class variable
+                        # on the controller class.
+                        @@protected_methods = Array.new
+                        def self.protected_methods
+                            @@protected_methods
+                        end
+
+                        # Make sure that protected methods don't get included
+                        # in the list of action methods.
+                        def self.action_methods
+                            am = super
+                            am.reject { |method|
+                                @@protected_methods.include? method
+                            }
+                        end
+                }
+
+                super
+                base.extend(ClassMethods)
+            end
+
+            module ClassMethods
+                # Protects the given action.
+                # Any requests to call it will require login
+                # and will check permissions automatically.
+                # The original implementation will be "hidden"
+                # from Nitro so that it cannot be called directly.
+                #
+                # [+action+]  The action to protect.
+                # [+:role+]  The required role name.
+                #            (Defaults to Auth.user_role.)
+                #
+                # The default role is essentially equivalent to
+                # "must be authenticated", as all users have the
+                # user role by default.
+                def protect(action, options = {})
+                    role = options[:role] || Auth.user_role
+                    required_role action, role, options
+                end
+
+                # Protects the given action and requires
+                # administrative privileges to call it.
+                def administrative(action, options = {})
+                    required_role action, Auth.admin_role, options
+                end
+
+                # Sets the role required to run the given action,
+                # and makes the action protected, so that any requests
+                # to call it will require login and check permissions
+                # automatically.
+                #
+                # [+action+]  The action to protect.
+                # [+role+]  The required role name.
+                def required_role(action, role, options = {})
+                    action = action.intern if action.is_a? String
+                    role = role.to_s
+                    required_roles[action] = role
+
+                    unprot_action = "unprotected_" + action.to_s
+                    protected_methods << unprot_action
+
+                    alias_method unprot_action, action
+                    class_eval %{
+                        def #{action}
+                            check_permissions
+                            #{unprot_action}
+                        end
+                    }
+                end
+            end
+    end
+end

data/lib/nitro/auth/model/user.rb

@@ -0,0 +1,147 @@
+require 'og'
+require 'glue/logger'
+
+module Auth
+    # Represents a user or account.
+    # Has a many-to-many relationship with Auth::Role.
+    #
+    # This class can be either extended or related to in order to
+    # create application users.  This allows a 'user' to own other
+    # application objects, for example, without polluting the basic
+    # authentication/authorization code.
+    #
+    # Your application's user object's #create method should:
+    # * Have a signature like create(login, password, parameters = {})
+    #   Note that parameters is essentially request.parameters from the
+    #   registration form, and thus should be treated as tainted.
+    # * Call super(login, password, parameters) if it extends Auth::User
+    # * Call Auth::User.create(login, password, parameters) if it relates
+    #   to Auth::User rather than extending it.
+    class User
+        #--
+        # These are done as attrs and then as props, so that we
+        # can get them to show up in rdoc.  Ugly but it seems to work.
+        #++
+
+        # The user's login name.
+        attr :login
+        # The user's salted and hashed password.
+        attr :hashed_password
+        # The last salt used, for later password checks.
+        attr :salt
+        # The security session key, which can be stored in a browser cookie
+        # to allow later password-less login.
+        #
+        # Getting the session key will create a new session key if the
+        # old one has expired (and thus cookie checks will fail,
+        # as they should.)
+        attr :session_key
+        # Time when the session key expires.
+        attr :session_key_expires
+
+        prop_reader :login, String, :unique => true,
+            :sql => 'varchar(255) not null unique'
+        prop_reader :hashed_password, String,
+            :sql => 'char(40) null'
+        prop :session_key, String, :sql_index => true,
+            :sql => 'char(40) null',
+            :reader => false, :writer => false
+        prop_reader :session_key_expires, Time
+        prop :salt, String, :sql => 'char(40) null',
+            :reader => false, :writer => false
+
+        many_to_many Role
+
+        schema_inheritance
+
+        # Set the raw password.  Will appropriately hash it and store it
+        # in +hashed_password+.
+        def password=(new_password)
+            if not new_password
+                @salt = nil
+                @hashed_password = nil
+            else
+                @salt = Crypt.make_salt
+                @hashed_password = Crypt.salt_password @salt, new_password
+            end
+            update if @oid
+        end
+
+        def session_key # :nodoc:
+            if session_key_expired?
+                @session_key = Crypt.make_session_key hashed_password
+                @session_key_expires = Time.now + Auth.session_key_expiration
+                update if @oid
+            end
+            @session_key
+        end
+        # Has the session key expired?
+        def session_key_expired?
+            not @session_key or
+                (session_key_expires and Time.now > session_key_expires)
+        end
+
+        # Convenience method.  Does this user have this role?
+        #
+        # Can take either a Auth::Role object or a symbol/string role name.
+        def has_role?(role)
+            if role.is_a? Role
+                roles.include? role
+            else
+                # This is the canonical implementation
+                # roles.include? Role.find_one(:where => "name = '#{role.to_s}'")
+                # This is sort of a hack, but turns two queries into one.
+                not find_roles(:extra => "AND #{Role.table}.name = '#{role.to_s}'").empty?
+            end
+        end
+
+        # Creates a new user.  Login is required, password is optional.
+        # Currently, parameters is not used by this implementation.
+        # Auth::AuthController passes in request.params, though,
+        # so future implementations could get further information there.
+        # Subclasses can use it and should pass it along.
+        def initialize(login, password = nil, parameters = {})
+            @login = login
+            self.password = password
+        end
+    end
+
+    # Represents a (simple) security role.
+    #
+    # Many-to-many with Auth::User.  An Auth::User can have many
+    # +Roles+ and an Auth::Role can be had by many +Users+.
+    class Role
+        #--
+        # These are done as attrs and then as props, so that we
+        # can get them to show up in rdoc.  Ugly but it seems to work.
+        #++
+
+        # The role name.  (Must be unique.)
+        attr :name
+
+        property :name, String, :sql => 'varchar(255) not null unique',
+            :unique => true
+        many_to_many User
+
+        schema_inheritance
+
+        post "create_roles", :on => :og_create_schema
+
+        # Note that if you subclass Auth::Role, you need to allow just
+        # passing in a role name and nothing else in your initialize
+        # (and your schema), or you need to override the create_roles
+        # method.
+        def initialize(name)
+            @name = name
+        end
+
+        # Create the admin and user roles.
+        def create_roles
+            # I believe that because this is called in an advice,
+            # that self.class will be the right class for the entity
+            # that actually got created, even if it's not us.
+            self.class.create(Auth.admin_role) if 0 == self.class.count(:condition => "name = '#{Auth.admin_role}'")
+            self.class.create(Auth.user_role) if 0 == self.class.count(:condition => "name = '#{Auth.user_role}'")
+        end
+    end
+end

data/lib/nitro/auth/util/crypt.rb

@@ -0,0 +1,55 @@
+require 'digest/sha1'
+
+module Auth
+    # Cryptographic utilities used by the Auth module.
+    module Crypt
+        #--
+        # Ideally, I'd want the next bit to be settings, but they're not
+        # behaving quite like I wanted.  Ah, well.
+        # FIXME:  Figure out some way to get them into configs or something.
+        #
+        # setting :crypt_prefix, :default => '-CHANGE-ME-',
+        #     :doc => 'Prefix used when hashing any string.'
+        # setting :salt_prefix, :default => '-salt-',
+        #     :doc => 'Prefix used when generating the salt.'
+        #++
+        protected
+            @@crypt_prefix = "-CHANGE-ME-"
+            @@salt_prefix = "-salt-"
+            @@session_key_expiration = 60*60*24*30
+            def self.crypt_prefix
+                @@crypt_prefix
+            end
+            def self.salt_prefix
+                @@salt_prefix
+            end
+
+        public
+            # Creates a timestamp string for inclusion in hashed strings.
+            def self.timestamp
+                Time.now.strftime '%Y%m%d-%H%M%S'
+            end
+
+            # Hashes the provided string.  Returns a 40-character
+            # hex representation of the hashed value.
+            def self.make_hash(value)
+                Digest::SHA1.hexdigest "#{crypt_prefix}--#{value}--"
+            end
+
+            # Create a salt for mixing with hashed strings.
+            def self.make_salt
+                make_hash "#{salt_prefix}-#{timestamp}"
+            end
+
+            # Mix a salt into a password and return the hashed result.
+            def self.salt_password(salt, password)
+                make_hash salt + password
+            end
+
+            # Create a session key, given a password.
+            # Use the salted/hashed password here, not the raw one!
+            def self.make_session_key(hashed_password)
+                make_hash hashed_password + timestamp + rand.to_s
+            end
+    end
+end

data/lib/nitro/auth/view/access_denied.xhtml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html
+    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <title>Access Denied</title>
+  </head>
+  <body>
+    <h1>Access Denied</h1>
+    <p><a href="#{@backlink}">Go back</a>.</p>
+  </body>
+</html>

data/lib/nitro/auth/view/login.xhtml

@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html
+    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <title>Please log in.</title>
+  </head>
+  <body>
+    <h1>Please log in.</h1>
+    <form action = "#{try_login_url}" method = "POST">
+      <table>
+        <tr>
+          <td><label for="login">Login:</label></td>
+          <td>
+            <input id="login" name="login" type="text"
+              value="#{@login_name}"/>
+          </td>
+        </tr>
+        <tr>
+          <td><label for="password">Password:</label></td>
+          <td><input id="password" name="password" type="password"/></td>
+        </tr>
+        <tr>
+          <td colspan="2">
+            <button type="submit">Login!</button>
+          </td>
+        </tr>
+        <tr>
+          <td id="error" colspan="2">#{@error}</td>
+        </tr>
+      </table>
+    </form>
+    <p class="register_link">
+      <a href="#{register_url}">Register a new account</a>.
+    </p>
+  </body>
+</html>

data/lib/nitro/auth/view/logout.xhtml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html
+    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <title>Logged out.</title>
+  </head>
+  <body>
+    <h1>Logged out.</h1>
+    <p>Thanks!</p>
+    <p class="login_link">
+      <a href="#{login_url}">Log back in</a>.
+    </p>
+  </body>
+</html>

data/lib/nitro/auth/view/register.xhtml

@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE html
+    PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+  <head>
+    <title>Register a new account.</title>
+    <meta http-equiv="Content-Script-Type" content="text/javascript"/>
+    #{include_script "/js/behaviour.js"}
+  </head>
+  <body>
+    <h1>Register a new account.</h1>
+    <form id="new_user_form" action="#{new_user_url}" method="POST">
+      <table>
+        <tr>
+          <td><label for="login">Login:</label></td>
+          <td>
+            <input id="login" name="login" type="text"
+              value="#{@new_user.login}"/>
+          </td>
+        </tr>
+        <tr>
+          <td><label for="password">Password:</label></td>
+          <td><input id="password" name="password" type="password"/></td>
+        </tr>
+        <tr>
+          <td><label for="confirm_password">Confirm Password:</label></td>
+          <td>
+            <input id="confirm_password" name="confirm_password"
+              type="password"/>
+          </td>
+        </tr>
+        <tr>
+          <td colspan="2">
+            <button id="register_new_user" type="button">Register!</button>
+          </td>
+        </tr>
+        <tr>
+          <td id="error" colspan="2">#{@error}</td>
+        </tr>
+      </table>
+    </form>
+    <p class="login_link">
+      <a href="#{login_url}">Go back to the login page</a>.
+    </p>
+    <p class="back_link">
+      <a href="#{@backlink}">Go back to where I started</a>.
+    </p>
+    #{helper_script}
+  </body>
+</html>