padrino-auth 0.0.12

data/lib/padrino-auth.rb

@@ -0,0 +1,2 @@
+require 'padrino-auth/access'
+require 'padrino-auth/login'

data/lib/padrino-auth/access.rb

@@ -0,0 +1,148 @@
+require 'padrino-auth/permissions'
+
+module Padrino
+  ##
+  # Padrino authorization module.
+  #
+  # @example
+  #   class Nifty::Application < Padrino::Application
+  #     # optional settings
+  #     set :credentials_reader, :visitor # the name of getter method in helpers
+  #     # required statement
+  #     register Padrino::Access
+  #     # example persistance storage
+  #     enable :sessions
+  #   end
+  #
+  #   # optional helpers
+  #   Nifty::Application.helpers do
+  #     def visitor
+  #       session[:visitor] ||= Visitor.guest_account
+  #     end
+  #   end
+  #
+  #   # example visitor model
+  #   module Visitor
+  #     extend self
+  #     def guest_account
+  #       OpenStruct.new(:role => :guest, :id => 1)
+  #     end
+  #   end
+  #
+  #   # example controllers
+  #   Nifty::Application.controller :public_area do
+  #     set_access :*
+  #     get(:index){ 'public content' }
+  #   end
+  #   Nifty::Application.controller :members_area do
+  #     set_access :member
+  #     get(:index){ 'secret content' }
+  #   end
+  #   Nifty::Application.controller :login do
+  #     set_access :*
+  #     get(:index){ session[:visitor] = OpenStruct.new(:role => :guest, :id => 1) }
+  #   end
+  #
+  module Access
+    class << self
+      def registered(app)
+        included(app)
+        app.default(:credentials_reader, :credentials)
+        app.default(:access_errors, true)
+        app.send :attr_reader, app.credentials_reader unless app.instance_methods.include?(app.credentials_reader)
+        app.set :permissions, Permissions.new
+        app.login_permissions if app.respond_to?(:login_permissions)
+        app.before do
+          authorized? || error(403, '403 Forbidden')
+        end
+      end
+
+      def included(base)
+        base.send(:include, InstanceMethods)
+        base.extend(ClassMethods)
+      end
+    end
+
+    module ClassMethods
+      ##
+      # Empties the list of permission.
+      #
+      def reset_access!
+        permissions.clear!
+      end
+
+      ##
+      # Allows access to action with objects.
+      #
+      # @example
+      #   # in application
+      #   set_access :*, :with => :login # allows everyone to interact with :login controller
+      #   # in controller
+      #   App.controller :members_area do
+      #     set_access :member # allows all members to access :members_area controller
+      #   end
+      #
+      def set_access(*args)
+        options = args.extract_options!
+        options[:object] ||= Array(@_controller).first.to_s.singularize.to_sym if @_controller.present?
+        permissions.add(*args, options)
+      end
+    end
+
+    module InstanceMethods
+      ##
+      # Checks if current visitor has access to current action with current controller.
+      #
+      def authorized?
+        access_action?
+      end
+
+      ##
+      # Returns current visitor.
+      #
+      def access_subject
+        send settings.credentials_reader
+      end
+
+      ##
+      # Checks if current visitor is one of the specified roles. Can accept a block.
+      #
+      def access_role?(*roles, &block)
+        settings.permissions.check(access_subject, :have => roles, &block)
+      end
+
+      ##
+      # Checks if current visitor is allowed to to the action with object. Can accept a block.
+      #
+      def access_action?(action = nil, object = nil, &block)
+        return true if response.status/100 == 4 && settings.access_errors
+        if respond_to?(:request) && action.nil? && object.nil?
+          object = request.controller
+          action = request.action
+          if object.nil? && action.present? && action.to_s.index('/')
+            object, action = request.env['PATH_INFO'].to_s.scan(/\/([^\/]*)/).map(&:first)
+          end
+          object ||= :''
+          action ||= :index
+          object = object.to_sym
+          action = action.to_sym
+        end
+        settings.permissions.check(access_subject, :allow => action, :with => object, &block)
+      end
+
+      ##
+      # Check if current visitor is allowed to interact with object by action. Can accept a block.
+      #
+      def access_object?(object = nil, action = nil, &block)
+        allow_action action, object, &block
+      end
+
+      ##
+      # Populates the list of objects the current visitor is allowed to interact with.
+      #
+      def access_objects(subject = access_subject, action = nil)
+        settings.permissions.find_objects(subject, action)
+      end
+    end
+  end
+end

data/lib/padrino-auth/login.rb

@@ -0,0 +1,138 @@
+require 'padrino-auth/login/controller'
+
+module Padrino
+  ##
+  # Padrino authentication module.
+  #
+  # @example
+  #   class Nifty::Application < Padrino::Application
+  #     # optional settings
+  #     set :session_key, "visitor_id"       # visitor key name in session storage, defaults to "_login_#{app.app_name}")
+  #     set :login_model, :visitor          # model name for visitor storage, defaults to :account, must be constantizable
+  #     set :credentials_accessor, :visitor # the name of setter/getter method in helpers, defaults to :credentials
+  #     enable :login_bypass                # enables or disables login bypass in development mode, defaults to disable
+  #     set :login_url, '/sign/in'          # sets the utl to be redirected to if not logged in and in restricted area, defaults to '/login'
+  #     disable :login_permissions          # sets initial login permissions, defaults to { set_access(:*, :allow => :*, :with => :login) }
+  #     disable :login_controller           # disables default login controller to show an example of the custom one
+  #
+  #     # required statement
+  #     register Padrino::Login
+  #     # example persistance storage
+  #     enable :sessions
+  #   end
+  #
+  #   TODO: example controllers
+  #
+  module Login
+    class << self
+      def registered(app)
+        warn 'Padrino::Login must be registered before Padrino::Access' if app.respond_to?(:set_access)
+        included(app)
+        setup_storage(app)
+        setup_controller(app)
+        app.before do
+          log_in if authorization_required?
+        end
+      end
+
+      def included(base)
+        base.send(:include, InstanceMethods)
+      end
+
+      private
+
+      def setup_storage(app)
+        app.default(:session_key, "_login_#{app.app_name}")
+        app.default(:login_model, :account)
+        app.default(:credentials_accessor, :credentials)
+        app.send :attr_reader, app.credentials_accessor unless app.instance_methods.include?(app.credentials_accessor)
+        app.send :attr_writer, app.credentials_accessor unless app.instance_methods.include?(:"#{app.credentials_accessor}=")
+        app.default(:login_bypass, false)
+      end
+
+      def setup_controller(app)
+        app.default(:login_url, '/login')
+        app.default(:login_permissions) { set_access(:*, :allow => :*, :with => :login) }
+        app.default(:login_controller, true)
+        app.controller(:login) { include Controller } if app.login_controller
+      end
+    end
+
+    module InstanceMethods
+      # Returns the model used to authenticate visitors.
+      def login_model
+        @login_model ||= settings.login_model.to_s.classify.constantize
+      end
+
+      # Authenticates the visitor.
+      def authenticate
+        resource = login_model.authenticate(:email => params[:email], :password => params[:password])
+        resource ||= login_model.authenticate(:bypass => true) if settings.login_bypass && params[:bypass]
+        save_credentials(resource)
+      end
+
+      # Checks if the visitor is authenticated.
+      def logged_in?
+        !!(send(settings.credentials_accessor) || restore_credentials)
+      end
+
+      # Looks for authorization routine and calls it to check if the visitor is authorized.
+      def unauthorized?
+        respond_to?(:authorized?) && !authorized?
+      end
+
+      # Checks if the current location needs the visitor to be authorized.
+      def authorization_required?
+        if logged_in?
+          if unauthorized?
+            # 403 Forbidden, provided credentials were successfully
+            # authenticated but the credentials still do not grant
+            # the client permission to access the resource
+            error 403, '403 Forbidden'
+          else
+            false
+          end
+        else
+          unauthorized?
+        end
+      end
+
+      # Logs the visitor in using redirect to login page url.
+      def log_in
+        login_url = settings.login_url
+        if request.env['PATH_INFO'] != login_url
+          save_location
+          # 302 Found
+          redirect url(login_url) 
+          # 401 Unauthorized, authentication is required and
+          # has not yet been provided
+          error 401, '401 Unauthorized'
+        end
+      end
+
+      # Saves credentials in session.
+      def save_credentials(resource)
+        session[settings.session_key] = resource.respond_to?(:id) ? resource.id : resource
+        send(:"#{settings.credentials_accessor}=", resource)
+      end
+
+      # Restores credentials from session using visitor model.
+      def restore_credentials
+        resource = login_model.authenticate(:id => session[settings.session_key])
+        send(:"#{settings.credentials_accessor}=", resource)
+      end
+
+      # Redirects back to saved location or '/'
+      def restore_location
+        redirect session.delete(:return_to) || url('/')
+      end
+
+      # Saves location to session for following redirect in case of successful authentication.
+      def save_location
+        uri = env['REQUEST_URI'] || url(env['PATH_INFO'])
+        return if uri.blank? || uri.match(/\.css$|\.js$|\.png$/)
+        session[:return_to] = "#{ENV['RACK_BASE_URI']}#{uri}"
+      end
+    end
+  end
+end

data/lib/padrino-auth/login/controller.rb

@@ -0,0 +1,20 @@
+module Padrino
+  module Login
+    module Controller
+      def self.included(base)
+        base.get :index do
+          render :slim, :"new", :layout => "layout", :views => File.dirname(__FILE__)
+        end
+        base.post :index do
+          if authenticate
+            restore_location
+          else
+            params.delete 'password'
+            flash.now[:error] = 'Wrong password'
+            render :slim, :"new", :layout => "layout", :views => File.dirname(__FILE__)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/padrino-auth/login/layouts/layout.slim

@@ -0,0 +1,10 @@
+doctype html
+html
+  head
+    meta charset="utf-8"
+    meta name="robots" content="noindex"
+    title Padrino::Login
+    link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/2.3.2/css/bootstrap.min.css"
+  body
+    .container.login style='width: 287px'
+      = yield

data/lib/padrino-auth/login/new.slim

@@ -0,0 +1,35 @@
+h3
+  | Login
+  br
+  small= link_to request.env['HTTP_HOST'], url('/')
+
+= form_tag( '', :class => 'form-horizontal well' ) do
+  - [:error, :warning, :success, :notice].each do |type|
+    - next  if flash[type].blank?
+    .alert.alert-message class=('alert-' + (type == :notice ? :info : type).to_s) data-alert=true
+      = flash[type]
+
+  legend Social
+  .control-group
+    = link_to image_tag('/images/social/google.png'), url('/oauth/google')
+
+  legend Obsolete
+  .control-group
+    .input-prepend
+      span.add-on
+        i.icon-envelope
+      = text_field_tag :email, :value => params[:email], :placeholder => "email"
+  .control-group
+    .input-prepend
+      span.add-on
+        i.icon-lock
+      = password_field_tag :password, :value => params[:password], :placeholder => "password"
+  .control-group
+    = submit_tag('Log in', :class => 'btn btn-primary pull-right')
+    - if settings.login_bypass
+      label.checkbox
+        | Bypass
+        = check_box_tag :bypass, :value => 'Bypass'
+
+small
+  = link_to 'Forgot password?', url('/login/reset_password')

data/lib/padrino-auth/permissions.rb

@@ -0,0 +1,180 @@
+module Padrino
+  ##
+  # Class to store and check permissions used in Padrino::Access.
+  #
+  class Permissions
+    ##
+    # Initializes new permissions storage.
+    #
+    # @example
+    #   permissions = Permissions.new
+    #
+    def initialize
+      clear!
+    end
+
+    ##
+    # Clears permit records and action cache.
+    #
+    # @example
+    #   permissions.clear!
+    #
+    def clear!
+      @permits = {}
+      @actions = {}
+    end
+
+    ##
+    # Adds a permission record to storage.
+    #
+    # @param [Symbol || Object] subject
+    #   permit subject
+    # @param [Hash] options
+    #   permit attributes
+    # @param [Symbol] options[:allow] || options[:action]
+    #   what action to allow with objects
+    # @param [Symbol] options[:with] || options[:object]
+    #   with what objects allow specified action
+    #
+    # @example
+    #   permissions.add :robots, :allow => :protect, :object => :humans
+    #   permissions.add @bender, :allow => :kill, :object => :humans
+    #
+    def add(*args)
+      @actions = {}
+      options = args.extract_options!
+      action, object = action_and_object(options)
+      object_type = detect_type(object)
+      args.each{ |subject| merge(subject, action, object_type) }
+    end
+
+    ##
+    # Checks if permission record exists. Returns a boolean or yield a block.
+    #
+    # @param [Object] subject
+    #   performer of an action
+    # @param [Hash] options
+    #   attributes to check
+    # @param [Symbol] options[:have]
+    #   check if the subject has a role
+    # @param [Symbol] options[:allow] || options[:action]
+    #   check if the subject is allowed to perform the action
+    # @param [Symbol] options[:with] || options[:object]
+    #   check if the subject is allowed to interact with the subject
+    # @param [Proc]
+    #   optional block to yield if the action is allowed
+    #
+    # @example
+    #   # check if @bender have role :robots
+    #   permissions.check @bender, :have => :robots # => true
+    #   # check if @bender is allowed to kill :humans
+    #   permissions.check @bender, :allow => :kill, :object => :humans # => true
+    #   # check if @bender is allowed to kill :humans and yield a block
+    #   permissions.check @bender, :allow => :kill, :object => :humans do
+    #     @bender.kill_all! :humans
+    #   end
+    #
+    def check(subject, options)
+      case
+      when options[:have]
+        check_role(subject, options[:have])
+      else
+        check_action(subject, *action_and_object(options))
+      end && (block_given? ? yield : true)
+    end
+
+    ##
+    # Populates and returns the list of objects available to the subject.
+    #
+    # @param [Object] subject
+    #   the subject to be checked for actions
+    #
+    def find_objects(subject, target_action=nil)
+      find_actions(subject).inject([]) do |all,(action,objects)|
+        all |= objects if target_action.nil? || action == target_action || action == :*
+        all
+      end
+    end
+
+    private
+
+    # Merges a list of new permits into permissions storage.
+    def merge(subject, actions, object_type)
+      subject_id = detect_id(subject)
+      @permits[subject_id] ||= {}
+      Array(actions).each do |action|
+        @permits[subject_id][action] ||= []
+        @permits[subject_id][action] |= [object_type]
+      end
+    end
+
+    # Checks if the subject has the role.
+    def check_role(subject, roles)
+      if subject.respond_to?(:role)
+        Array(roles).include?(subject.role)
+      else
+        false
+      end
+    end
+
+    # Checks if the subject is allowed to perform the action with the object.
+    def check_action(subject, action, object)
+      actions = find_actions(subject)
+      objects = actions && (Array(actions[action]) | Array(actions[:*]))
+      objects && (objects & [:*, detect_type(object)]).any?
+    end
+
+    # Finds all permits for the subject. Caches the permits in @actions.
+    #   find_actions(@bender) # => { :kill => { :humans }, :drink => { :booze }, :* => { :login } }
+    def find_actions(subject)
+      subject_id = detect_id(subject)
+      return @actions[subject_id] if @actions[subject_id]
+      actions = @permits[subject_id] || {}
+      if subject.respond_to?(:role) && (role_actions = @permits[subject.role.to_sym])
+        actions.merge!(role_actions){ |_,left,right| Array(left)|Array(right) }
+      end
+      if public_actions = @permits[:*]
+        actions.merge!(public_actions){ |_,left,right| Array(left)|Array(right) }
+      end
+      @actions[subject_id] = actions
+    end
+
+    # Returns object type.
+    #   detect_type :humans # => :human
+    #   detect_type 'foobar' # => 'foobar'
+    def detect_type(object)
+      case object
+      when Symbol
+        object.to_s.singularize.to_sym
+      else
+        object
+      end
+    end
+
+    # Returns parametrized subject.
+    #   detect_id :robots               # => :robots
+    #   detect_id sluggable_ar_resource # => 'Sluggable-resource-slug'
+    #   detect_id some_resource_with_id # => '4'
+    #   detect_id generic_object        # => "<Object:0x00001234>"
+    def detect_id(subject)
+      case
+      when Symbol === subject
+        subject
+      when subject.respond_to?(:to_param)
+        subject.to_param
+      when subject.respond_to?(:id)
+        subject.id.to_s
+      else
+        "#{subject}"
+      end
+    end
+
+    # Utility function to extract action and object from options. Defaults to [:*, :*]
+    #   action_and_object(:allow => :kill, :object => :humans)    # => [:kill, :humans]
+    #   action_and_object(:action => :romance, :with => :mutants) # => [:romance, :mutants]
+    #   action_and_object({})                                     # => [:*, :*]
+    def action_and_object(options)
+      [options[:allow] || options[:action] || :*, options[:with] || options[:object] || :*]
+    end
+  end
+end