nitro-auth 0.2.0

data/CHANGELOG

@@ -0,0 +1,12 @@
+<b>0.2.0</b> (2005-07-26)
+
+* Updated for Nitro 0.21.0.
+* Moved paths into 'nitro/auth' instead of just 'auth'.
+* Fixes for overriding Auth::User with an application version.
+* Got the basic example working.
+* Fixed a bug in access_denied.xhtml.
+* Actually got the license details set up.
+
+<b>0.1.0</b> (2005-07-21)
+
+* Initial implementation of nitro-auth.  Lots still to do.

data/LICENSE

@@ -0,0 +1,31 @@
+The BSD License
+
+Copyright (c) 2005, Deborah 'Ysabel' Hooker
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without 
+modification, are permitted provided that the following conditions are 
+met:
+
+* Redistributions of source code must retain the above copyright 
+notice, this list of conditions and the following disclaimer.
+  
+* Redistributions in binary form must reproduce the above copyright 
+notice, this list of conditions and the following disclaimer in the 
+documentation and/or other materials provided with the distribution.
+  
+* Ms. Hooker's name may not be used to endorse or promote products
+derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR 
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT 
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED 
+TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR 
+PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF 
+LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING 
+NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS 
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+

data/README

@@ -0,0 +1,115 @@
+= nitro-auth:  Authentication and Authorization for Nitro
+
+nitro-auth provides basic forms-based authentication and role-based
+authorization for applications built on the
+Nitro[http://www.nitrohq.com/] web engine.  It is designed
+to allow easy integration with an application, including declarative
+authorization rules and easy application-specific rendering of auth-related
+pages.
+
+nitro-auth is currently version 0.2.0 and is, as you might expect, far
+from feature-complete.  But even so, it hopefully has enough to get you
+started.
+
+== Features
+
+* Persistent Auth::User and Auth::Role objects.  nitro-auth only declares
+  the minimum fields necessary for doing authentication (fields like +login+,
+  +password+ and +session_key+) and lets the application extend them further.
+
+* Auth::Controller mixin which provides authentication information and
+  declarative role-based security to Nitro controllers::
+
+    require 'nitro'
+    require 'nitro/auth'
+
+    class MyController < Nitro::Controller
+      include Auth::Controller
+
+      def list_details
+        [...]
+      end
+      protect :list_details
+
+      def edit_details
+        [...]
+      end
+      required_role :edit_details, :manager
+
+      def edit_user
+        [...]
+      end
+      administrative :edit_user
+    end
+
+* Passwords are stored in a salted, hashed form using SHA1 hashes.
+
+* Cookie-based login session persistence.
+
+* Authentication controller uses Nitro templates for easy application
+  integration.
+
+== Coming soon
+
+* Challenge-response authentication, including JavaScript client-side
+  challenge-response validation.
+
+== Download
+
+See the Nitro Rubyforge Page (http://rubyforge.org/projects/nitro) for
+the latest nitro-auth package.
+
+== Documentation
+
+(TODO:  Get the rdoc up, probably at http://nitrohq.com/rdoc/nitro-auth)
+In the meantime, you can see it at http://www.ysabel.org/ruby/doc/nitro-auth
+if you'd like to browse.
+
+== Requirements
+
+nitro-auth requires Nitro, of course.  See NitroHQ[http://www.nitrohq.com/]
+(http://www.nitrohq.com) for current releases
+of Nitro.
+
+[Ruby 1.8.1 and greater]
+  http://www.ruby-lang.org
+  (Version 1.8.2 is recomended)
+
+== Installation
+
+= rubygem install (simplest, recommended):
+
+<tt>> gem install nitro-auth</tt>
+
+= zip/tgz install
+
+Unzip/untar and make sure the lib directory is in your path.
+(Use the gem, trust me, it's easier.)
+
+== Contents
+
+[examples/]
+        Examples of using nitro-auth.  (Well, really, example right now.)
+
+[lib/]
+        nitro-auth library source files.
+
+[test/]
+        nitro-auth tests.
+
+== Support
+
+The Nitro mailing list is nitro-general@rubyforge.org, and is a good place
+to start.  You can subscribe and/or browse archives at
+http://rubyforge.org/mailman/listinfo/nitro-general
+
+You may also drop the author an email at mailto:deb@ysabel.org.
+
+TBD:  Bug/feature request tracking 
+
+== License
+
+Copyright (c) 2005, Deborah 'Ysabel' Hooker
+
+nitro-auth is copyrighted free software released under the BSD license.
+For details consult the LICENSE file.

data/TODO

@@ -0,0 +1,7 @@
+= nitro-auth To Do List
+
+* Challenge-response authentication.
+* Examples.
+* Tests.  (Testing Nitro controllers?)
+* Extension via relation as well as inheritance.
+* FIXMEs.

data/examples/basic/public/error.xhtml

@@ -0,0 +1,81 @@
+<html>
+  <head>
+    <title>Error</title>
+    <style>
+      .path { 
+        padding: 5px;
+        font-size: 140%;
+        background: #ddd;
+      }
+      .error { 
+        padding: 5px;
+        padding-top: 15px;
+        font-size: 140%;
+        color: #f00;
+      }
+      .load {
+        padding: 5px;
+        color: #555;
+      }
+      .source {
+        border: 1px solid #ccc; 
+        padding: 10px;
+        margin-top: 10px; margin-bottom: 10px;
+      }
+      h2 {
+        padding-left: 5px;
+        background: #eee;
+      }
+    </style>
+  </head>
+  <body>
+    <h1>Error</h1>
+
+    <?r  for error, path in @context.rendering_errors ?>
+      <div class="path"><strong>Path:</strong> #{path}</div>
+      <div class="error"><strong>#{error.to_s}</strong></div>
+      <div class="load">Click here to <strong><a href="#{request.uri}">reload</a></strong>.</div>
+      <div class="load">Click here to go to the <strong><a href="#{request.referer}">referer</a></strong> or the <strong><a href="/">home page</a></strong>.</div>
+      <?r if error.respond_to?(:source_extract) ?>
+        <div class="source">
+        <?r 
+          extract = error.source_extract.split("\n")
+          extract.each_with_index do |line, idx|
+            line = Nitro::Markup.expand(line)
+            if 4 == idx
+        ?>
+            <div style="background: #eee">#{line}</div>
+        <?r  else ?>
+            <div>#{line}</div>
+        <?r  
+            end 
+          end
+        ?>
+        </div>
+      <?r end ?>
+      <h2><a href="#" onclick="document.getElementById('trace').style.display = 'block'; return false">Stack Trace</a></h2>
+      <p id="trace" style="display: none">#{error.backtrace.join('<br />')}</p>
+    <?r end ?>
+
+    <h2><a href="#" onclick="document.getElementById('request').style.display = 'block'; return false">Request</a></h2>
+    <div id="request" style="display: none">
+      <p><strong>Parameters:</strong> #{request.params.reject{ |k,v| k == :__RELOADED__ }.inspect}</p>  
+      <p><strong>Cookies:</strong> #{request.cookies.inspect}</p>  
+      <p><strong>Headers:</strong><br />#{request.headers.collect { |k, v| "#{k} => #{v}" }.join('<br />')}</p>  
+    </div>
+
+    <h2><a href="#" onclick="document.getElementById('response').style.display = 'block'; return false">Response</a></h2>
+    <div id="response" style="display: none">
+      <p><strong>Headers:</strong> #{request.response_headers.inspect}</p>  
+      <p><strong>Cookies:</strong> #{request.response_cookies.inspect}</p>  
+    </div>
+
+    <h2><a href="#" onclick="document.getElementById('session').style.display = 'block'; return false">Session</a></h2>
+    <div id="session" style="display: none">
+      <p><strong>Values:</strong> #{session.inspect}</p>  
+    </div>
+    
+    <br /><br />
+    Powered by <a href="http://www.nitrohq.com">Nitro</a> version #{Nitro::Version}
+  </body>
+</html>

data/examples/basic/public/js/behaviour.js

@@ -0,0 +1,254 @@
+/*
+   Behaviour v1.0 by Ben Nolan, June 2005. Based largely on the work
+   of Simon Willison (see comments by Simon below).
+
+   Description:
+     
+     Uses css selectors to apply javascript behaviours to enable
+     unobtrusive javascript in html documents.
+     
+   Usage:   
+   
+  var myrules = {
+    'b.someclass' : function(element){
+      element.onclick = function(){
+        alert(this.innerHTML);
+      }
+    },
+    '#someid u' : function(element){
+      element.onmouseover = function(){
+        this.innerHTML = "BLAH!";
+      }
+    }
+  );
+  
+  Behaviour.register(myrules);
+  
+  // Call Behaviour.apply() to re-apply the rules (if you
+  // update the dom, etc).
+
+   License:
+   
+     My stuff is BSD licensed. Not sure about Simon's.
+     
+   More information:
+     
+     http://ripcord.co.nz/behaviour/
+   
+*/   
+
+var Behaviour = {
+  list : new Array,
+  
+  register : function(sheet){
+    Behaviour.list.push(sheet);
+  },
+  
+  start : function(){
+    Behaviour.addLoadEvent(function(){
+      Behaviour.apply();
+    });
+  },
+  
+  apply : function(){
+    for (h=0;sheet=Behaviour.list[h];h++){
+      for (selector in sheet){
+        list = document.getElementsBySelector(selector);
+        
+        if (!list){
+          continue;
+        }
+
+        for (i=0;element=list[i];i++){
+          sheet[selector](element);
+        }
+      }
+    }
+  },
+  
+  addLoadEvent : function(func){
+    var oldonload = window.onload;
+    
+    if (typeof window.onload != 'function') {
+      window.onload = func;
+    } else {
+      window.onload = function() {
+        oldonload();
+        func();
+      }
+    }
+  }
+}
+
+Behaviour.start();
+
+/*
+   The following code is Copyright (C) Simon Willison 2004.
+
+   document.getElementsBySelector(selector)
+   - returns an array of element objects from the current document
+     matching the CSS selector. Selectors can contain element names, 
+     class names and ids and can be nested. For example:
+     
+       elements = document.getElementsBySelect('div#main p a.external')
+     
+     Will return an array of all 'a' elements with 'external' in their 
+     class attribute that are contained inside 'p' elements that are 
+     contained inside the 'div' element which has id="main"
+
+   New in version 0.4: Support for CSS2 and CSS3 attribute selectors:
+   See http://www.w3.org/TR/css3-selectors/#attribute-selectors
+
+   Version 0.4 - Simon Willison, March 25th 2003
+   -- Works in Phoenix 0.5, Mozilla 1.3, Opera 7, Internet Explorer 6, Internet Explorer 5 on Windows
+   -- Opera 7 fails 
+*/
+
+function getAllChildren(e) {
+  // Returns all children of element. Workaround required for IE5/Windows. Ugh.
+  return e.all ? e.all : e.getElementsByTagName('*');
+}
+
+document.getElementsBySelector = function(selector) {
+  // Attempt to fail gracefully in lesser browsers
+  if (!document.getElementsByTagName) {
+    return new Array();
+  }
+  // Split selector in to tokens
+  var tokens = selector.split(' ');
+  var currentContext = new Array(document);
+  for (var i = 0; i < tokens.length; i++) {
+    token = tokens[i].replace(/^\s+/,'').replace(/\s+$/,'');;
+    if (token.indexOf('#') > -1) {
+      // Token is an ID selector
+      var bits = token.split('#');
+      var tagName = bits[0];
+      var id = bits[1];
+      var element = document.getElementById(id);
+      if (tagName && element.nodeName.toLowerCase() != tagName) {
+        // tag with that ID not found, return false
+        return new Array();
+      }
+      // Set currentContext to contain just this element
+      currentContext = new Array(element);
+      continue; // Skip to next token
+    }
+    if (token.indexOf('.') > -1) {
+      // Token contains a class selector
+      var bits = token.split('.');
+      var tagName = bits[0];
+      var className = bits[1];
+      if (!tagName) {
+        tagName = '*';
+      }
+      // Get elements matching tag, filter them for class selector
+      var found = new Array;
+      var foundCount = 0;
+      for (var h = 0; h < currentContext.length; h++) {
+        var elements;
+        if (tagName == '*') {
+            elements = getAllChildren(currentContext[h]);
+        } else {
+            elements = currentContext[h].getElementsByTagName(tagName);
+        }
+        for (var j = 0; j < elements.length; j++) {
+          found[foundCount++] = elements[j];
+        }
+      }
+      currentContext = new Array;
+      var currentContextIndex = 0;
+      for (var k = 0; k < found.length; k++) {
+        if (found[k].className && found[k].className.match(new RegExp('\\b'+className+'\\b'))) {
+          currentContext[currentContextIndex++] = found[k];
+        }
+      }
+      continue; // Skip to next token
+    }
+    // Code to deal with attribute selectors
+    if (token.match(/^(\w*)\[(\w+)([=~\|\^\$\*]?)=?"?([^\]"]*)"?\]$/)) {
+      var tagName = RegExp.$1;
+      var attrName = RegExp.$2;
+      var attrOperator = RegExp.$3;
+      var attrValue = RegExp.$4;
+      if (!tagName) {
+        tagName = '*';
+      }
+      // Grab all of the tagName elements within current context
+      var found = new Array;
+      var foundCount = 0;
+      for (var h = 0; h < currentContext.length; h++) {
+        var elements;
+        if (tagName == '*') {
+            elements = getAllChildren(currentContext[h]);
+        } else {
+            elements = currentContext[h].getElementsByTagName(tagName);
+        }
+        for (var j = 0; j < elements.length; j++) {
+          found[foundCount++] = elements[j];
+        }
+      }
+      currentContext = new Array;
+      var currentContextIndex = 0;
+      var checkFunction; // This function will be used to filter the elements
+      switch (attrOperator) {
+        case '=': // Equality
+          checkFunction = function(e) { return (e.getAttribute(attrName) == attrValue); };
+          break;
+        case '~': // Match one of space seperated words 
+          checkFunction = function(e) { return (e.getAttribute(attrName).match(new RegExp('\\b'+attrValue+'\\b'))); };
+          break;
+        case '|': // Match start with value followed by optional hyphen
+          checkFunction = function(e) { return (e.getAttribute(attrName).match(new RegExp('^'+attrValue+'-?'))); };
+          break;
+        case '^': // Match starts with value
+          checkFunction = function(e) { return (e.getAttribute(attrName).indexOf(attrValue) == 0); };
+          break;
+        case '$': // Match ends with value - fails with "Warning" in Opera 7
+          checkFunction = function(e) { return (e.getAttribute(attrName).lastIndexOf(attrValue) == e.getAttribute(attrName).length - attrValue.length); };
+          break;
+        case '*': // Match ends with value
+          checkFunction = function(e) { return (e.getAttribute(attrName).indexOf(attrValue) > -1); };
+          break;
+        default :
+          // Just test for existence of attribute
+          checkFunction = function(e) { return e.getAttribute(attrName); };
+      }
+      currentContext = new Array;
+      var currentContextIndex = 0;
+      for (var k = 0; k < found.length; k++) {
+        if (checkFunction(found[k])) {
+          currentContext[currentContextIndex++] = found[k];
+        }
+      }
+      // alert('Attribute Selector: '+tagName+' '+attrName+' '+attrOperator+' '+attrValue);
+      continue; // Skip to next token
+    }
+    
+    if (!currentContext[0]){
+      return;
+    }
+    
+    // If we get here, token is JUST an element (not a class or ID selector)
+    tagName = token;
+    var found = new Array;
+    var foundCount = 0;
+    for (var h = 0; h < currentContext.length; h++) {
+      var elements = currentContext[h].getElementsByTagName(tagName);
+      for (var j = 0; j < elements.length; j++) {
+        found[foundCount++] = elements[j];
+      }
+    }
+    currentContext = found;
+  }
+  return currentContext;
+}
+
+/* That revolting regular expression explained 
+/^(\w+)\[(\w+)([=~\|\^\$\*]?)=?"?([^\]"]*)"?\]$/
+  \---/  \---/\-------------/    \-------/
+    |      |         |               |
+    |      |         |           The value
+    |      |    ~,|,^,$,* or =
+    |   Attribute 
+   Tag
+*/