pasaporte 0.0.1

data/History.txt

@@ -0,0 +1,2 @@
+=== HEAD
+* Initial rollout

data/Manifest.txt

@@ -0,0 +1,41 @@
+History.txt
+Manifest.txt
+README.txt
+Rakefile
+TODO.txt
+bin/pasaporte-fcgi.rb
+lib/pasaporte.rb
+lib/pasaporte/.DS_Store
+lib/pasaporte/assets/.DS_Store
+lib/pasaporte/assets/bgbar.png
+lib/pasaporte/assets/lock.png
+lib/pasaporte/assets/mainbg_green.gif
+lib/pasaporte/assets/mainbg_red.gif
+lib/pasaporte/assets/openid.png
+lib/pasaporte/assets/pasaporte.css
+lib/pasaporte/assets/pasaporte.js
+lib/pasaporte/assets/user.png
+lib/pasaporte/auth/cascade.rb
+lib/pasaporte/auth/remote_web_workplace.rb
+lib/pasaporte/auth/yaml_digest_table.rb
+lib/pasaporte/auth/yaml_table.rb
+lib/pasaporte/faster_openid.rb
+lib/pasaporte/iso_countries.yml
+lib/pasaporte/julik_state.rb
+lib/pasaporte/markaby_ext.rb
+lib/pasaporte/pasaporte_store.rb
+lib/pasaporte/timezones.yml
+test/fixtures/pasaporte_approvals.yml
+test/fixtures/pasaporte_profiles.yml
+test/fixtures/pasaporte_throttles.yml
+test/helper.rb
+test/mosquito.rb
+test/test_throttle.rb
+test/testable_openid_fetcher.rb
+test/test_approval.rb
+test/test_auth_backends.rb
+test/test_openid.rb
+test/test_pasaporte.rb
+test/test_profile.rb
+test/test_settings.rb
+test/test_throttle.rb

data/README.txt

@@ -0,0 +1,72 @@
+= Onde está seu pasaporte?
+
+This is Pasaporte, a small identity server with a colored bar on top. It's in the style
+of Crowd (but smaller). Will act as a mediator between OpenID and arbitary services where
+users are distinguished by their nickname (login), their password and a domain name.
+
+==The idea
+
+Pasaporte brings OpenID to the traditional simplicity of
+
+ is_a_villain = check_password(login, password, domain)
+
+The only thing you WILL need to change is the AUTH constant. It should contain the proc
+that, when called, will return true or false. Yes, it's that simple. All the negotiation
+smorgasbord, profile editing, encryptodecryption and other electrabombastic niceties are
+going to be taken care of.
+
+Should the password become stale or should the authentication backend say that it no
+longer has the user in question the authorization tokens are immediately revoked, and any
+authorization requests will be denied.
+
+==Configuration
+
+The adventurous among us can override the defaults (Pasaporte constants) by placing a
+hash-formatted YAML file called "config.yml" in the pasaporte dir. And don't ask me what
+a "hash-formatted YAML file" is, because if you do you are not adventurous.
+
+==A word of warning
+
+Considering the clear-text passwords issue, we strongly recommend running Pasaporte under
+SSL and under SSL only. But of course this might be prohibitive especially if you cannot
+be self-signed or don't have an extra IP at hand. When you run Pasaporte under HTTPS all
+URLs are going to be rewritten automatically to redirect and link to the HTTPS site.
+
+==Profiles
+
+Pasaporte allows the user to have a simple passport page, where some info can be placed
+for people who follow the OpenID profile URL. Sharing the information  is entirelly optional.
+
+==The all-id
+
+The login that you use is ultimately the nickname that comes in the URL. For that reason
+no other login name can be entered in the form. However the user still can verify that
+it's his nickname and change it should he need to (or if he mistyped).
+
+In essence, Pasaporte offers a page for any nickname and shows an identitifer in this
+page that allows the OpenID consumer to find the server endpoint. However if this user
+does not exist, never logged in or has hidden his profile that's the only thing that will
+be shown - a blank page with some OpenID metadata for basic interop.
+
+It's important to understand that a Profile record is a helper for metadata and not
+something authoritative - it's the auth routine that takes the actual decision about the
+user's state.
+
+==Persistence
+
+We store some data that the user might find useful to store and maybe display on his user
+page. No sites that the user authorizes are stored. No sessions of the exchange are kept
+except of the standard OpenID shared secrets (there are not linked to user records in any
+way).
+
+==SREG data sharing
+
+There is currently no provision for fetching SREG data (like email, date of birth and such)
+from the autorizing routine. We might consider this in the future, for now the user has to
+fill it in himself.
+
+==Sharding
+
+The users in Pasaporte are segregated by the domain name of Pasaporte server. That is, if
+you have two domains pointed at +one+ Pasaporte, you will not have name clashes between
+the two domain names - the users are going to be split.

data/Rakefile

@@ -0,0 +1,111 @@
+$:.reject! { |e| e.include? 'TextMate' }
+require 'rubygems'
+require 'hoe'
+require File.dirname(__FILE__) + '/lib/pasaporte'
+$KCODE = 'u'
+
+class KolkHoe < Hoe
+  def define_tasks
+    extra_deps.reject! {|e| e[0] == 'hoe' }
+    super
+  end
+end
+
+# Disable spurious warnings when running tests, ActiveMagic cannot stand -w
+Hoe::RUBY_FLAGS.replace ENV['RUBY_FLAGS'] || "-I#{%w(lib test).join(File::PATH_SEPARATOR)}" + 
+  (Hoe::RUBY_DEBUG ? " #{RUBY_DEBUG}" : '')
+
+KolkHoe.new('Pasaporte', Pasaporte::VERSION) do |p|
+  p.name = "pasaporte"
+  p.author = "Julik Tarkhanov"
+  p.description = "An OpenID server with a colored bar on top"
+  p.email = 'me@julik.nl'
+  p.summary = "Downgrades the OpenID providing business to the usual login-password stupidity."
+  p.url = "http://pasaporte.rubyforge.org"
+  p.rdoc_pattern = /README.txt|CHANGELOG.txt|lib/
+  p.test_globs = 'test/test_*.rb'
+  p.need_zip = true
+  p.extra_deps = ['activerecord', 'camping', ['ruby-openid', '>=2.1.0'], 'flexmock']
+end
+
+desc "Generate the proper list of country codes from the ISO list"
+task :build_country_list do
+  ISO_LIST = 'http://www.iso.org/iso/iso3166_en_code_lists.txt'
+  require 'open-uri'
+  require 'iconv'
+  
+  # By a twist of faith ISO provides the list in, uhm, ISO encoding AND with \\r \\n.
+  # line endings. I bet if they could have it formatted it would be Troglodyte Bold.
+  # Convert the whole shebang to UTF straight away!
+  iso_in_latin1 = open(ISO_LIST).read
+
+  c = Iconv.new('UTF-8', 'ISO-8859-1')
+  iso = c.iconv(iso_in_latin1)
+
+  # Remove the bad line breaks
+  iso.gsub!(/\r\n/, "\n")
+  
+  # Throw away the header declaration
+  iso = iso.split(/\n\n/).pop.split(/\n/)
+  
+  # Split ito something machine-readable
+  iso.map!{ | line | line.split(/;/) }
+  
+  # If you use the raw ISO data you ARE SHOUTING IN ALL CAPS which makes everyone feel like an idiot.
+  # We have to do something about that.
+  iso.map! do | country, code |
+    country_for_humans = country.split(/\s/).map do | word |
+      # Prevent some abbrevs like U.S. from being casefolded
+      if (word.scan(/\./).length == word.scan(/\w/).length)
+        word
+      elsif %w( OF AND THE).include?(word)
+        word.downcase
+      else
+        word.chars.downcase.capitalize
+      end
+    end.join(" ")
+    
+    [code.chars.downcase, country_for_humans].map(&:to_s)
+  end
+  
+  # Assemble the resulting hash and flush it
+  outfile = File.dirname(__FILE__) + '/lib/pasaporte/iso_countries.yml'
+  File.open(outfile, 'w') do | out |
+    out << "# This has been autogenerated from #{ISO_LIST} on #{Time.now}. See Rakefile for details.\n"
+    out << "# This file is bonafide UTF-8 for YAML but do not edit it manually!\n"
+    out << Hash[*iso.flatten].to_yaml
+  end
+end
+
+desc "Generate the proper ist of world timezones from the tzinfo database"
+task :build_timezone_list do
+  require 'open-uri'
+  # TODO - this should not be hardcoded because versions change
+  TZ_DATA = "ftp://elsie.nci.nih.gov/pub/tzdata2007g.tar.gz"
+  
+  begin
+    FileUtils.mkdir_p(File.dirname(__FILE__) + '/tmp')
+    File.open("tmp/tzd.tar.gz", "w") {|f| f << open("ftp://elsie.nci.nih.gov/pub/tzdata2007g.tar.gz").read }
+    `cd tmp; tar xfz tzd.tar.gz`
+    zone_names = []
+    File.open(File.dirname(__FILE__) + '/tmp/zone.tab') do | f |
+      f.each_line do | l |
+        next if l =~ /#/
+        name = l.split(/\t/)[2..-1].join(" ").strip
+        next if name.blank?
+        # The formal value that is required per sreg' specs comes first.
+        # The humanized variant is everything before the first tab, with underscores
+        # replaced by spaces
+        zone_names << [name, name.split(/\s/).shift.gsub(/_/, ' ')]
+      end
+    end
+    outfile = File.dirname(__FILE__) + '/lib/pasaporte/timezones.yml'
+    File.open(outfile, 'w') do | out |
+      out << "# This has been autogenerated from #{TZ_DATA} on #{Time.now}. See Rakefile for details.\n"
+      out << "# This file is bonafide UTF-8 for YAML but do not edit it manually!\n"
+      out << zone_names.to_yaml
+    end
+  ensure
+    FileUtils.rm_rf(File.dirname(__FILE__) + '/tmp')
+  end
+end

data/TODO.txt

@@ -0,0 +1,2 @@
+* Proper flow when the user logs in but has no site to go to
+* Fast-track whitelist for intranets (no "Decide" screen) 

data/bin/pasaporte-fcgi.rb

@@ -0,0 +1,17 @@
+#!/usr/bin/env ruby
+require 'rubygems'
+require 'camping'
+require 'camping/fastcgi'
+require File.dirname(__FILE__) + '/../lib/pasaporte'
+
+Camping::Models::Base.establish_connection(
+        :adapter => 'sqlite3',
+        :database => ENV['HOME'] + '/pasaporte.sqlitedb'
+)
+
+Pasaporte.create
+Pasaporte::LOGGER = Logger.new(ENV['HOME'] + "/pasaporte.log")
+
+serv = Camping::FastCGI.new
+serv.mount('/', Pasaporte)
+serv.start

data/lib/pasaporte/assets/pasaporte.css

@@ -0,0 +1,192 @@
+/* Superresetthemall */
+* { margin: 0; padding: 0; }
+html { 
+  background: rgb(136, 138, 140) url("bgbar.png") top left repeat-x;
+  /* Force scrollbar */
+  height: 100%; margin-bottom: 1px;
+  /* I know trying myriad is stupid but I hope folks that have Adobe CS installed will appreciate */
+  font-family: "Myriad Pro", "Helvetica", "Lucida Grande", "Lucida Sans Unicode", "Helvetica", "Arial", sans-serif;
+}
+
+#toolbar, #work {
+  margin-top: 1em;
+  margin-left: auto;
+  margin-right: auto;
+  width: 19em;
+  background: rgb(215, 215, 215);
+  padding-left: 20px;
+  padding-right: 20px;
+}
+
+#toolbar {
+  height: 32px;
+  line-height: 32px;
+  background: rgb(222,222,222);
+  position: relative;
+  /* Graceful */
+  -webkit-border-radius: 6px;
+  -moz-border-radius: 6px;
+}
+#toolbar * {
+  color: rgb(80, 80, 80);
+}
+/* OpenID logo */
+#toolbar img {
+  position: absolute;
+  top: -6px;
+  right: 0px;
+}
+
+#toolbar #loginBtn {
+  display: block;
+  background: url("lock.png") 0px -40px no-repeat;
+  padding-left: 32px;
+  margin-left: -16px;
+  padding-right: 10px;
+  float: left;
+}
+/* When signed in */
+#toolbar a#loginBtn {
+  background-position: 0px -39px;
+}
+
+/* When not signed in */
+#toolbar b#loginBtn {
+  background-position: 0px -5px;
+}
+
+#toolbar #profBtn {
+  display: block;
+  float: left;
+  background: url("user.png") 0px 0px no-repeat;
+  padding-left: 28px;
+  padding-right: 20px;
+}
+
+#work {
+  padding-top: .2em;
+  padding-bottom: .5em;
+  background: white url("mainbg_green.gif") top left repeat-x;
+  padding: .2em 20px .5em 20px;
+  color: rgb(102,102,102);
+  /* kinda shadyw */
+  border: 3px solid rgb(50,50,50);
+  border-top: none;
+  border-left: none;
+}
+
+.ProfilePage #work {
+  background-position: 0px -5px;
+}
+/* Show a red bar until the user is authed */
+#work.notAuth { background-image: url("mainbg_red.gif"); }
+
+h1, h2, h3 { line-height: 1.2em; font-weight: normal; margin-top: .5em; margin-bottom: .1em;}
+h1 { font-size: 2em; }
+h1 { font-size: 2em; }
+
+/* Only the important stuff is true black 
+  We also avoid the bolds of lucida */
+b, strong { color: rgb(20, 20, 20); font-weight: normal; }
+
+/* make the input bigger and swoosh the wacom around */
+input { font-size: inherit; }
+
+form#signon {
+  margin-top: .5em;
+}
+/* big center-aligned form */
+form#signon label {
+  font-size: 1.2em;
+  display: block;
+  position: relative;
+  margin-bottom: 4px;
+  margin-top: 4px;
+  clear: both;
+  text-align: left;
+}
+
+form#signon input.bigb {
+  margin-top: 10px;
+}
+
+form#signon label * {
+  width: 50%;
+  display: block;
+  position: absolute;
+  top: 0;
+  left: 43%;
+}
+
+div#msg {
+  margin: 1.1em 0 0.5em 0;
+  padding: 5px 4px 4px 16px;
+  color: rgb(20,20,20);
+  font-size: small;
+  background: rgb(167, 207, 137);
+}
+
+div#msg.e {
+  background: rgb(250, 154, 132);
+}
+
+form { margin-bottom: .4em; }
+p { margin: .2em 0 .6em 0; }
+textarea { letter-spacing: .04em; margin-top: 1em; width: 100%;  border-width: 1px;}
+
+/* Here we have to be careful to keep Aqua widgets in Safari 3. The magic property is background. 
+http://particletree.com/notebook/design-friendly-select-elements-in-safari-3 */
+input, textarea, option { font-family: inherit; margin-top: 1px; font-size: inherit;}
+hr { visibility: hidden; margin-top: 7px; margin-bottom: 3px; }
+input[type=submit] { padding: .1em; }
+.fb {
+  padding-top: 3px; display: block; height: 1.3em; 
+  margin-bottom: .3em;  position: relative;
+}
+.sel {
+  padding-top: 3px; display: block; height: 3em; 
+  margin-bottom: .3em; position: relative;
+}
+.sel select {
+  width: 100%;
+  margin-top: 3px;
+  margin-bottom: 7px;
+}
+.fb input {
+  display: block; position: absolute; width: 60%;
+  height: inherit; font-size: inherit; right: 0; top: 0;
+}
+.rad {
+  padding-top: 3px; margin-bottom: 6px; display: block; 
+}
+.rad input {
+  font-size: x-small;
+}
+
+.inlineSelects {
+  display: block;
+}
+
+.inlineSelects select {
+  width: auto;
+}
+
+#work ul li {
+  margin-left: 1.2em;
+}
+/* Checkbox labels need some indent */
+label.cblabel {
+  display: block;
+  padding-left: 1em;
+  text-indent: -1.3em;
+  padding-bottom: .5em;
+}
+.smaller {
+  font-size: .9em;
+  line-height: 1.1em;
+}
+a { color: #3258B8; }
+a:hover { color: #24459C; }
+a:active { color: blue ; }
+/* Some think that if a label is clickable the link inside should be shadowed (lookin' at you safari 3). */
+label a { z-index: 300; cursor: pointer;}

data/lib/pasaporte/assets/pasaporte.js

@@ -0,0 +1,10 @@
+function cboxToggle(checkBox, depItem) {
+  if (checkBox.checked) { document.getElementById(depItem).style.display = "block";
+  } else { document.getElementById(depItem).style.display = "none"; }
+}
+
+function attachCheckbox(cBox, depItem) {
+  var cbox = document.getElementById(cBox);
+  cbox.onchange = function(the) { cboxToggle((the.target || the.srcElement), depItem); }
+  cboxToggle(cbox, depItem);
+}

data/lib/pasaporte/auth/cascade.rb

@@ -0,0 +1,16 @@
+# Make an array of backends and try to authenticate against them all until true is returned.
+# Otherwise deny.
+class Pasaporte::Auth::Cascade
+  attr_reader :backends
+  def initialize
+    @backends = []
+  end
+  
+  def call(u, p, d)
+    @backends.each do | b | 
+      Pasaporte::LOGGER.info("Running cascade auth against #{b}")
+      b.call(u,p,d) || next
+    end
+    false
+  end
+end

data/lib/pasaporte/auth/remote_web_workplace.rb

@@ -0,0 +1,61 @@
+# =begin
+# ActiveDirectory-Exchange-Blaggh authentication guerilla-style. Will take the give username and password and try to authenticate
+# them against the given Remote Web Workplace server. This assumes that the user on a domain also has an email address
+# with OWA of course. If the user is found RWW will give us a specific response. No credentials or user information is
+# retrieved.
+# =end
+class RemoteWebWorkplace
+  attr_accessor :use_ssl
+
+  VIEW_STATE_PAT =  /name="__VIEWSTATE" value="([^"]+)"/
+  LOGIN_URL = "/Remote/logon.aspx"
+  BASE_LOGIN_URL = '/Remote/logon.aspx?ReturnUrl=%2fRemote%2fDefault.aspx'
+  
+  def initialize(server)
+    @server = server
+    require 'net/http'
+    require 'net/https'
+  end
+  
+  # Will run the auth
+  def logs_in?(user, password)
+    
+    @http = (@use_ssl? ? Net::HTTPS : Net::HTTP).new(@server, (@use_ssl ? 443 : 80))
+    
+    with_viewstate_and_connection(@http) do | payload |
+      login_form_values  = {
+        "txtUserName" => user.to_s,
+        "txtUserPass" => password.to_s,
+        "cmdLogin" => "cmdLogin",
+        "listSpeed" => "Broadband",
+        "__VIEWSTATE" => payload,
+      }
+      
+      begin
+        @http.start do |http|
+          form_post = Net::HTTP::Post.new(LOGIN_URL)
+          form_post.set_form_data(login_form_values, '&')
+          response = http.request(form_post); response.value
+        end
+      rescue Net::HTTPRetriableError => e
+        if e.message =~ /302/ # RWW will return a redirect if the user is found
+          return true
+        end
+      end
+      return false
+    end
+  end
+  
+  private
+    def with_viewstate_and_connection(conn)
+      begin
+        viewstate_payload = conn.start do |http|
+          response = http.get(@base_login_url); response.value
+          response.body.scan(VIEW_STATE_PAT).pop.pop
+        end
+        yield viewstate_payload
+      rescue SocketError => e
+        raise "Cannot connect to Outlook Web Access at #{@server}: #{e.message}"
+      end
+    end
+end

data/lib/pasaporte/auth/yaml_digest_table.rb

@@ -0,0 +1,23 @@
+# Authenticate agains a simple YAML table of logins-passwords per domain. Don't forget
+# the dash to begin a new entry!
+#
+#   google.com: 
+#   - :login: george
+#     :pass_md5: acbd18db4cc2f85cedef654fccc4a4d8
+#   - :login: james
+#     :pass_md5: ceba333c1d30a6dd94a57f9d34d73ff7
+#
+# Place the table in 'pasaporte/users_per_domain.yml'   
+require File.dirname(__FILE__) + '/yaml_table'
+require 'digest/md5'
+
+class Pasaporte::Auth::YamlDigestTable < Pasaporte::Auth::YamlTable
+  def call(login, pass, domain)
+    refresh
+    d = @table[domain]
+    return false unless d.is_a?(Array)
+    d.find do | user |
+      (user["login"] == login) && (user["pass_md5"] == Digest::MD5.hexdigest(pass))
+    end
+  end
+end

data/lib/pasaporte/auth/yaml_table.rb

@@ -0,0 +1,43 @@
+# Authenticate agains a simple YAML table of logins-passwords per domain. Don't forget
+# the dash to begin a new entry!
+#
+#   google.com: 
+#   - :login: george
+#     :pass: foo
+#   - :login: james
+#     :pass: trinkle
+#
+# Place the table in 'pasaporte/users_per_domain.yml'   
+class Pasaporte::Auth::YamlTable
+  YAML_TABLE = File.dirname(Pasaporte::PATH) + '/pasaporte/users_per_domain.yml'
+  attr_accessor :table_path
+  
+  def table_path
+    @table_path || YAML_TABLE
+  end
+  
+  def initialize
+    refresh
+  end
+  
+  def call(login, pass, domain)
+    refresh
+    d = @table[domain]
+    return false unless d.is_a?(Array)
+    u = d.find do | user |
+      (user["login"] == login) && (user["pass"] == pass)
+    end
+    !!u
+  end
+  
+  private
+    def refresh
+      mt = File.stat(table_path).mtime.to_i
+      if @modtime && (@modtime == mt)
+        return
+      else
+        f, @modtime = File.read(table_path), mt
+        @table = YAML::load(f)
+      end
+    end
+end

data/lib/pasaporte/faster_openid.rb

@@ -0,0 +1,39 @@
+# This is something the JanRain folks omitted. The test suite for OpenID that
+# is in Pasaporte takes 26 seconds to run with the standard library and
+# 19 seconds with this. Lo and behold.
+begin
+  require 'openssl'
+  module ::OpenID::CryptUtil
+    def self.hmac_sha1(key, text)
+      OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new('SHA1'), key, text).to_s
+    end
+    def self.sha1(s)
+      OpenSSL::Digest::SHA1.new(s).digest.to_s
+    end
+  end
+  
+  class OpenID::DiffieHellman
+    # Convert any number of ints to OpenSSL bignums
+    def self._bignos(*args)
+      # The trick here is that Integer#to_bn does not work because you need to feed strings
+      args.map do |a| 
+        raise ArgumentError, "Cannot convert nil to OpenSSL bignum!" if a.nil?
+        OpenSSL::BN.new(a.to_s)
+      end
+    end
+    
+    def self.powermod(base, power, mod)
+      base, power, mod = _bignos(base, power, mod)
+      base.mod_exp(power, mod).to_i
+    end
+  end
+rescue LoadError
+  $stderr.puts "Pasaporte will use slow ruby crypto. Please consider installing OpenSSL for Ruby."
+end
+
+# Redirect the logging to Pasaporte
+# module ::OpenID::Util
+#  def self.log(message)
+#    Pasaporte::LOGGER.info('OpenID: ' + message)
+#  end
+# end