puavo_authentication 0.2.0 → 0.2.1

data/app/controllers/sessions_controller.rb

@@ -1,26 +1,20 @@
 class SessionsController < ApplicationController
   layout 'sessions'
-  before_filter :login_required, :only => [:destroy, :show]
+  skip_before_filter :require_puavo_authorization, :only => [:new, :create]
+  skip_before_filter :require_login, :only => [:new, :create]
 
   def new
   end
 
   def create
-    if user_dn = User.authenticate( params[:user][:uid], params[:user][:password] ) # REST/OAuth?
-      flash[:notice] = t('flash.session.login_successful')
-      session[:dn] = user_dn
-      session[:password_plaintext] = params[:user][:password]
-
-      #redirect_back_or_default schools_url
-      redirect_back_or_default root_path
-    else
-      flash[:notice] = t('flash.session.failed')
-      render :action => :new
-    end
+    session[:uid] = params[:user][:uid]
+    session[:password_plaintext] = params[:user][:password]
+    session[:login_flash] = t('flash.session.login_successful')
+    redirect_back_or_default root_path
   end
 
   def show
-    @user = User.find(session[:dn])
+    @user = current_user
     respond_to do |format|
       format.json  { render :json => @user.to_json(:methods => :managed_schools) }
     end
@@ -29,7 +23,7 @@ class SessionsController < ApplicationController
   def destroy
     # Remove dn and plaintext password values from session
     session.delete :password_plaintext
-    session.delete :dn
+    session.delete :uid
     flash[:notice] = t('flash.session.logout_successful')
     redirect_to login_path
   end

data/app/views/sessions/new.html.erb

@@ -1,3 +1,7 @@
+<% if RAILS_ENV == "development" && session[:return_to] -%>
+  You must be logged in to access <%= session[:return_to] %>
+<% end -%>
+
 <% form_tag sessions_path do %>
 <table>
   <tr>

data/lib/puavo/authentication.rb

@@ -1,93 +1,260 @@
 module Puavo
-  module Authentication
-    def self.included(base)
-      base.send :extend, ClassMethods
+  mattr_accessor :available_languages
+
+  class AuthenticationError < UserError
+    def code
+      "authentication_error"
     end
+  end
+
+  class AuthenticationFailed < AuthenticationError
+    def code
+      "bad_credentials"
+    end
+  end
 
+  class AuthorizationFailed < AuthenticationError
+    def code
+      "no_permissions"
+    end
+  end
 
-    module ClassMethods
 
-      def dn_cache_key(login_uid)
-        "user_dn:#{ login_uid }"
-      end
+  # For User model
+  module AuthenticationMixin
+    # FIXME Observer?
+    def delete_dn_cache
+      organisation_key = LdapOrganisation.first.cn.to_s
+      Rails.cache.delete Puavo::Authentication.dn_cache_key organisation_key, uid
+    end
+  end
 
-      def delete_caches(login_uid)
-        Rails.cache.delete dn_cache_key login_uid
+  class Authentication
+
+    attr_accessor :authenticated, :authorized
+
+    def self.dn_cache_key(organisation_key, uid)
+      "user_dn:#{ organisation_key }:#{ uid }"
+    end
+
+    def initialize
+      @credentials = {}
+    end
+
+    [:dn, :organisation_key, :scope].each do |attr|
+      define_method attr do
+        @credentials[attr]
       end
+    end
+
+    def puavo_configuration
+      ActiveLdap::Base.ensure_configuration
+    end
+
+    def base
+      return current_organisation.ldap_base
+    end
 
-      # Authenticate user with login username and password.
-      # Returns user dn string on successful login or false on invalid login
-      def authenticate(login, password)
+    def ldap_host
+      @credentials[:ldap_host] || puavo_configuration["host"]
+    end
 
-        # To authenticate an user we need to make a LDAP bind with user's dn
-        # and password. Lets look it up from cache:
-        user_dn = Rails.cache.fetch dn_cache_key(login) do
-          # On cache miss we need to use the Puavo credentials from config/ldap.yml
-          # to fetch the user object which contains the user dn.
+    def self.remove_connection
+      ActiveLdap::Base.active_connections.keys.each do |connection_name|
+        ActiveLdap::Base.remove_connection(connection_name)
+      end
+    end
 
-          # This find call actually initializes the LDAP connection under the
-          # hood with Puavo credentials.
-          user = self.find(:first, :attribute => "uid", :value => login)
+    def configure_ldap_connection(credentials)
 
-          # Remove connection made with Puavo credentials
-          self.remove_connection
+      @credentials = credentials
 
-          if user.nil?
-            return nil
-          end
+      if current_organisation.nil?
+        raise Puavo::AuthenticationError, "Bad organisation"
+      end
 
-          user.dn
+      if uid = @credentials[:uid]
+        if uid.nil? || uid.empty?
+          raise AuthenticationFailed, "Cannot get dn from empty or nil uid"
         end
 
-        if user_dn.nil?
-          logger.info "Login failed for #{ login }: Unknown username"
-          return false
+        if uid.match(/^service\//)
+          uid = uid.match(/^service\/(.*)/)[1]
+          user_class = ExternalService
+        else
+          user_class = User
         end
 
-        # Setup new ActiveLdap connections to use user's credentials
-        LdapBase.ldap_setup_connection(
-          LdapBase.configuration[:host],
-          LdapBase.base.to_s,
-          user_dn,
-          password)
-
-        # Do not never ever allow anonymous connections in Puavo. Should be
-        # false in config/ldap.yml, but we just make sure here.
-        self.connection.instance_variable_set :@allow_anonymous, false
-
-        # This is the first time when LDAP connection is used with the user's
-        # credentials. So this search call will initialize the connection and
-        # will raise ActiveLdap::AuthenticationError if user supplied a
-        # bad password.
-        begin
-          admin_permissions = School.search(
-            :filter => "(puavoSchoolAdmin=#{user_dn})",
-            :scope => :one, :attributes => ["puavoId"],
-            :limit => 1 )
-        rescue ActiveLdap::AuthenticationError
-          logger.info "Login failed for #{ login } (#{ user_dn }): Bad password"
-          return false
+        user_dn = Rails.cache.fetch self.class.dn_cache_key(organisation_key, uid) do
+          # Remove previous connection
+          self.class.remove_connection
+          LdapBase.ldap_setup_connection( ldap_host,
+                                          base.to_s,
+                                          puavo_configuration["bind_dn"],
+                                          puavo_configuration["password"] )
+          
+          user = user_class.find(:first, :attribute => "uid", :value => uid)
+          
+          if user
+            user.dn.to_s
+          else
+            nil
+          end
         end
+        
+        raise AuthenticationFailed, "Cannot get dn for UID '#{ uid }'" if not user_dn
+        logger.debug "Found #{ dn } for #{ uid }"
+        @credentials[:dn] = ActiveLdap::DistinguishedName.parse user_dn
+      end
 
-        # Allow authentication if user is  a school admin in the some school.
-        if not admin_permissions.empty?
-          return user_dn
-        end
+      # Reset attributes on new configuration
+      @current_user = nil
+      @authenticated = false
+      @authorized = false
 
-        # Allow authentication if user is an organisation owner
-        organisation = LdapOrganisation.first
-        if organisation && organisation.owner.include?(user_dn)
-          return user_dn
-        end
+      # Remove previous connection
+      self.class.remove_connection
 
-        # Allow authentication always if logged in user an external service
-        if user_dn.rdns[1]["ou"] == "System Accounts"
-          return user_dn
-        end
 
-        logger.info "Login failed for #{ login } (#{ user_dn }): Not school admin or organisation owner"
-        return false
+
+      logger.info "Configuring ActiveLdap to use #{ @credentials.map { |k,v| "#{ k }: #{ v }" }.join ", " }"
+      logger.debug "PW: #{ @credentials[:password] }" if ENV["LOG_LDAP_PASSWORD"]
+      # Setup new ActiveLdap connections to use user's credentials
+      LdapBase.ldap_setup_connection ldap_host, base.to_s, @credentials[:dn], @credentials[:password]
+
+      # Do not never ever allow anonymous connections in Puavo. Should be
+      # false in config/ldap.yml, but we just make sure here.
+      LdapBase.connection.instance_variable_set :@allow_anonymous, false
+
+    end
+
+    # Test dn&password bind to LDAP without actually configuring ActiveLdap to
+    # use them
+    def test_bind(dn, password)
+      ldap = Net::LDAP.new(
+        :host => ldap_host,
+        :port => 389,
+        :encryption => {
+          :method => :start_tls
+        },
+        :auth => {
+          :method => :simple,
+          :username => dn.to_s,
+          :password => password
+      })
+
+      if not ldap.bind
+        raise AuthenticationFailed, "Test bind failed: Bad dn or password"
+      end
+    end
+
+    # Authenticate configured connection to LDAP.
+    #
+    # Raises AuthenticationFailed if connection could not be made.
+    # Returns possible admin permissions on successful connect
+    def authenticate
+
+      # This is the first time when LDAP connection is used with the user's
+      # credentials. So this search call will initialize the connection and
+      # will raise ActiveLdap::AuthenticationError if user supplied a
+      # bad password.
+      begin
+
+        @admin_permissions = School.search(
+          :filter => "(puavoSchoolAdmin=#{ dn })",
+          :scope => :one, :attributes => ["puavoId"],
+          :limit => 1 )
+
+        AccessToken.validate @credentials if oauth_access_token?
+
+      rescue ActiveLdap::AuthenticationError
+        raise AuthenticationFailed, "Bad dn or password"
+      rescue AccessToken::Expired
+        raise AuthenticationFailed, "OAuth Access Token expired"
+      end
+
+
+      @authenticated = true
+
+    end
+
+    def external_service?
+      dn.rdns[1]["ou"] == "System Accounts"
+    end
+
+    def oauth_client_server?
+      dn.rdns.first.keys.first == "puavoOAuthClientId"
+    end
+
+    def oauth_access_token?
+      dn.rdns.first.keys.first == "puavoOAuthTokenId"
+    end
+
+    # User is authenticated with real password
+    def user_password?
+      return false if oauth_access_token?
+      current_user.classes.include? "puavoEduPerson"
+    end
+
+    # Authorize that user has permissions to use Puavo
+    def authorize
+
+      raise AuthorizationFailed, "Cannot authorize before authenticating" unless @authenticated
+
+      # Authorize school admins
+      if not @admin_permissions.empty?
+        logger.info "Authorization ok: Admin #{ dn }"
+        return @authorized = true
       end
+
+      # Authorize External Services
+      if external_service?
+        logger.info "Authorization ok: External Service #{ dn }"
+        return @authorized = true
+      end
+
+      # Authorize OAuth Access Tokens
+      if oauth_access_token?
+        return @authorized = true
+      end
+
+      # Authorize organisation owners
+      organisation = LdapOrganisation.first
+      if organisation && organisation.owner && organisation.owner.include?(dn)
+        logger.info "Authorization ok: Organisation owner #{ dn }"
+        return @authorized = true
+      end
+
+      raise AuthorizationFailed, "Unauthorized access for #{ dn }"
+    end
+
+    def current_user
+
+      raise "Cannot get current user before authentication" if not @authenticated
+
+      return @current_user if @current_user
+
+
+      if external_service?
+        @current_user = ExternalService.find dn
+      elsif oauth_access_token?
+        access_token = AccessToken.find dn
+        @current_user = User.find access_token.puavoOAuthEduPerson
+      else
+        @current_user = User.find dn
+      end
+
+      raise "Failed get User object for #{ dn }" if @current_user.nil?
+      return @current_user
     end
+
+    def current_organisation
+      Puavo::Organisation.find organisation_key
+    end
+
+    def logger
+      RAILS_DEFAULT_LOGGER
+    end
+
   end
 end

data/lib/puavo/organisation.rb

@@ -0,0 +1,72 @@
+module Puavo
+  mattr_accessor :available_languages
+
+  class Organisation
+    @@configurations = YAML.load_file("#{RAILS_ROOT}/config/organisations.yml")
+    @@key_by_host = {}
+
+    @@configurations.each do |key, value|
+      @@key_by_host[ value["host"] ] = key
+    end
+
+    cattr_accessor :configurations, :key_by_host
+    attr_accessor :organisation_key
+
+
+    def locale
+      @@configurations[organisation_key]["locale"] || :en
+    end
+
+    def schools(user)
+      School.all_with_permissions user
+    end
+
+    def value_by_key(key)
+      @@configurations[organisation_key][key]
+    end
+
+    def method_missing(method, *args)
+      if @@configurations[organisation_key].has_key?(method.to_s)
+        @@configurations[organisation_key][method.to_s]
+      else
+        super
+      end
+    end
+
+    class << self
+      def find(key)
+        if self.configurations.has_key?(key)
+          organisation = Organisation.new
+          organisation.organisation_key = key
+          organisation
+        else
+          logger.info "Can not find configuration key: #{key}"
+          false
+        end
+      end
+
+      def key_by_host(host)
+        @@key_by_host[host]
+      end
+
+      def find_by_host(host)
+        if @@key_by_host.has_key?(host)
+          organisation = Organisation.new
+          organisation.organisation_key = @@key_by_host[host]
+          organisation
+        else
+          logger.info "Can not find organisation by host: #{host}"
+          false
+        end
+      end
+
+      def all
+        @@configurations
+      end
+
+      def logger
+        RAILS_DEFAULT_LOGGER
+      end
+    end
+  end
+end

data/lib/puavo_authentication/controllers/helpers.rb

@@ -1,52 +1,166 @@
 module PuavoAuthentication
   module Controllers
     module Helpers
+
+      attr_accessor :authentication
+
       def current_user
-        unless session[:dn].nil?
-          unless @current_user.nil?
-            return @current_user
-          else
-            begin
-              return @current_user = User.find(session[:dn]) # REST/OAuth?
-            rescue
-              logger.info "Session's user not found! User is removed from ldap server."
-              logger.info "session[:dn]: #{session[:dn]}"
-              # Delete ldap connection informations from session.
-              session.delete :password_plaintext
-              session.delete :dn
-            end
-          end
+
+        if @authentication.nil?
+          raise "Cannot call 'current_user' before 'setup_authentication'"
         end
-        return nil
+
+        @authentication.current_user
+
       end
 
-      def login_required
-        case request.format
-        when !current_user && Mime::JSON
-          logger.debug "Using HTTP basic authentication"
-          password = ""
-
-          user_dn = authenticate_with_http_basic do |login, password|
-            if login.match(/^service\//)
-              ExternalService.authenticate(login.match(/^service\/(.*)/)[1], password)
-            else
-              User.authenticate(login, password)
-            end
+      def current_organisation
+        if @authentication.nil?
+          raise "Cannot call 'current_organisation' before 'setup_authentication'"
+        end
+
+        @authentication.current_organisation
+
+      end
+
+
+      # Returns user dn/uid and password for some available login mean
+      def acquire_credentials
+
+        # OAuth Access Token
+        if auth_header = request.headers["HTTP_AUTHORIZATION"]
+          type, data = auth_header.split
+          if type.downcase == "bearer"
+            return AccessToken.decrypt_token data
           end
-          if user_dn
-            session[:dn] = user_dn
-            session[:password_plaintext] = password
-            logger.debug "Logged in with http basic authentication"
-          else
-            request_http_basic_authentication
+        end
+
+        # Basic Auth
+        #  * OAuth Client Server ID & Secrect
+        #  * External Service UID & password
+        #  * User UID & password
+        authenticate_with_http_basic do |username, password|
+          logger.debug "Using basic authentication with #{ username }"
+
+          # FIXME: move to Puavo::Authentication class (configure_ldap_connection)
+          if match = username.match(/^oauth_client_id\/(.*)\/(.*)$/)
+
+            org_key = match[1]
+            oauth_client_id = match[2]
+
+            @authentication.configure_ldap_connection(
+              :organisation_key => org_key
+            )
+
+            oauth_client_server = OauthClient.find(:first,
+              :attribute => "puavoOAuthClientId",
+              :value => oauth_client_id)
+
+            return {
+              :dn => oauth_client_server.dn,
+              :organisation_key => org_key,
+              :password => password,
+              :scope => oauth_client_server.puavoOAuthScope
+            }
+
           end
+
+          return {
+            :uid => username,
+            :organisation_key => organisation_key_from_host,
+            :password => password
+          }
+        end
+
+        # Puavo Session (User UID & password)
+        if uid = session[:uid]
+          logger.debug "Using session authentication with #{ uid }"
+          return {
+            :uid => uid,
+            :organisation_key => organisation_key_from_host,
+            :password => session[:password_plaintext]
+          }
+        end
+
+      end
+
+      # Before filter
+      # Setup authentication object with default credentials from
+      # config/ldap.yml
+      def setup_authentication
+
+        @authentication = Puavo::Authentication.new
+
+      end
+
+
+      def perform_login(credentials)
+
+        if credentials.nil?
+          raise Puavo::AuthenticationFailed, "No credentials supplied"
+        end
+
+        # Configure ActiveLdap to use the credentials
+        @authentication.configure_ldap_connection credentials
+
+        # Authenticate above credentials
+        @authentication.authenticate
+
+        # Set locale from user's organisation
+        I18n.locale = current_organisation.locale
+
+        return true
+      end
+
+      # Before filter
+      # Require user login credentials
+      def require_login
+
+        begin
+          perform_login(acquire_credentials)
+        rescue Puavo::AuthenticationError => e
+          logger.info "Login failed for: #{ e }"
+          show_authentication_error e.code, t('flash.session.failed')
+          return false
+        end
+
+        if session[:login_flash]
+          flash[:notice] = session[:login_flash]
+          session.delete :login_flash
+        end
+
+        return true
+      end
+
+      # Before filter
+      # Require Puavo access rights
+      def require_puavo_authorization
+
+        # Unauthorized always when not authenticated
+        return false unless @authentication
+
+        begin
+          @authentication.authorize
+        rescue Puavo::AuthorizationFailed => e
+          logger.info "Authorization  failed: #{ e }"
+          show_authentication_error "unauthorized", t('flash.session.failed')
+          return false
+        end
+      end
+
+      def show_authentication_error(code, message)
+        session.delete :password_plaintext
+        session.delete :uid
+        if request.format == Mime::JSON
+          render(:json => {
+            :error => code,
+            :message => message,
+          }.to_json,
+          :status => 401)
         else
-          unless current_user
-            store_location
-            flash[:notice] = t('must_be_logged_in')
-            redirect_to login_path
-            return false
-          end
+          store_location
+          flash[:notice] = message
+          redirect_to login_path
         end
       end
 
@@ -59,43 +173,44 @@ module PuavoAuthentication
         session[:return_to] = nil
       end
 
-      def ldap_setup_connection
-        host = ""
-        base = ""
-        default_ldap_configuration = ActiveLdap::Base.ensure_configuration
-        unless session[:organisation].nil?
-          host = session[:organisation].ldap_host
-          base = session[:organisation].ldap_base
-        end
-        if session[:dn]
-          dn = session[:dn]
-          password = session[:password_plaintext]
-          logger.debug "Using user's credentials for LDAP connection"
-        else
-          logger.debug "Using Puavo credentials for LDAP connection"
-          dn =  default_ldap_configuration["bind_dn"]
-          password = default_ldap_configuration["password"]
+      def organisation_key_from_host(host=nil)
+        organisation_key = Puavo::Organisation.key_by_host(request.host)
+        unless organisation_key
+          organisation_key = Puavo::Organisation.key_by_host("*")
         end
-        logger.debug "Set host, bind_dn, base and password by user:"
-        logger.debug "host: #{host}"
-        logger.debug "base: #{base}"
-        logger.debug "dn: #{dn}"
-        LdapBase.ldap_setup_connection(host, base, dn, password)
+        return organisation_key
       end
 
-      def remove_ldap_connection
-        ActiveLdap::Base.active_connections.keys.each do |connection_name|
-          ActiveLdap::Base.remove_connection(connection_name)
+
+      def set_organisation_to_session
+        session[:organisation] = current_organisation if current_organisation
+      end
+
+      def set_initial_locale
+        # Default to English
+        I18n.locale = "en"
+
+        # TODO: set from user agent
+
+        # Set from hostname if it is a known organisation
+        if organisation = Puavo::Organisation.find_by_host(request.host)
+          I18n.locale = organisation.locale
         end
+
       end
 
-      def organisation_owner?
-        Puavo::Authorization.organisation_owner?
+      def remove_ldap_connection
+        Puavo::Authentication.remove_connection
       end
 
-      def set_authorization_user
-        Puavo::Authorization.current_user = current_user if current_user
+      def theme
+        if current_organisation
+          theme = current_organisation.value_by_key('theme')
+        end
+
+        return theme || "breathe"
       end
+
     end
   end
 end

data/rails/init.rb

@@ -7,7 +7,15 @@ end
 
 require 'puavo/authentication'
 require 'puavo/connection'
+require 'puavo/organisation'
 
 require 'puavo_authentication/controllers/helpers'
 
 ActionController::Base.send :include, PuavoAuthentication::Controllers::Helpers
+
+begin
+  Puavo::OAUTH_CONFIG = YAML.load_file("#{ RAILS_ROOT }/config/oauth.yml")
+rescue Errno::ENOENT => e
+  Puavo::OAUTH_CONFIG = nil
+  puts "WARNING: " + e.to_s
+end

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: puavo_authentication
 version: !ruby/object:Gem::Version 
-  hash: 23
-  prerelease: 
+  hash: 21
+  prerelease: false
   segments: 
   - 0
   - 2
-  - 0
-  version: 0.2.0
+  - 1
+  version: 0.2.1
 platform: ruby
 authors: 
 - Jouni Korhonen
@@ -15,7 +15,8 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2012-05-22 00:00:00 Z
+date: 2012-10-16 00:00:00 +02:00
+default_executable: 
 dependencies: []
 
 description: Authentication solution for Puavo applications
@@ -36,13 +37,14 @@ files:
 - app/views/sessions/new.html.erb
 - init.rb
 - lib/puavo/authentication.rb
-- lib/puavo/authorization.rb
 - lib/puavo/connection.rb
+- lib/puavo/organisation.rb
 - lib/puavo_authentication.rb
 - lib/puavo_authentication/controllers/helpers.rb
 - lib/tasks/puavo_ldap_auth.rake
 - lib/user_error.rb
 - rails/init.rb
+has_rdoc: true
 homepage: http://github.com/opinsys/puavo_authentication
 licenses: []
 
@@ -72,7 +74,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.8.24
+rubygems_version: 1.3.7
 signing_key: 
 specification_version: 3
 summary: Authentication solution for Puavo applications

data/lib/puavo/authorization.rb

@@ -1,20 +0,0 @@
-module Puavo
-  module Authorization
-    def self.current_user
-      Thread.current["current_user"]
-    end
-    
-    def self.current_user=(user)
-      Thread.current["current_user"] = user
-      # Update owners list
-      Thread.current["owners"] = LdapOrganisation.current.owner
-    end
-
-    def self.organisation_owner?
-      if Puavo::Authorization.current_user && Thread.current["owners"]
-        return Thread.current["owners"].include?(Puavo::Authorization.current_user.dn)
-      end
-      return false
-    end
-  end
-end