roadforest 0.5 → 0.7

data/lib/roadforest/authorization/auth-entity.rb

@@ -0,0 +1,26 @@
+module RoadForest
+  module Authorization
+    class AuthEntity
+      def initialize
+        @authenticated = false
+      end
+      attr_accessor :username, :password, :token
+
+      def authenticated?
+        !!@authenticated
+      end
+
+      def authenticate_by_password(password)
+        @authenticated = (!password.nil? and password == @password)
+      end
+
+      def authenticate_by_token(token)
+        @authenticated = (!token.nil? and token == @token)
+      end
+
+      def authenticate!
+        @authenticated = true
+      end
+    end
+  end
+end

data/lib/roadforest/authorization/authentication-chain.rb

@@ -0,0 +1,79 @@
+require 'base64'
+require 'roadforest/utility/class-registry'
+module RoadForest
+  module Authorization
+    class AuthenticationChain
+      class Scheme
+        def self.registry_purpose; "authentication scheme"; end
+        extend Utility::ClassRegistry::Registrar
+
+        def self.register(name)
+          registrar.registry.add(name, self.new)
+        end
+
+        def authenticated_entity(credentials, store)
+          nil
+        end
+      end
+
+      class Basic < Scheme
+        register "Basic"
+
+        def challenge(options)
+          "Basic realm=\"#{options.fetch(:realm, "Roadforest App")}\""
+        end
+
+        def authenticated_entity(credentials, store)
+          username, password = Base64.decode64(credentials).split(':',2)
+
+          entity = store.by_username(username)
+          entity.authenticate_by_password(password)
+          entity
+        end
+      end
+
+      def initialize(store)
+        @store = store
+      end
+      attr_reader :store
+
+      def handler_for(scheme)
+        Scheme.get(scheme)
+      rescue
+        nil
+      end
+
+      def challenge(options)
+        (Scheme.registry.names.map do |scheme_name|
+          handler_for(scheme_name).challenge(options)
+        end).join(", ")
+      end
+
+      def add_account(user,password,token)
+        @store.add_account(user,password,token)
+      end
+
+      def authenticate(request)
+        if request.respond_to?(:client_cert)
+          subject = request.client_cert.subject
+          name = subject.to_a.find{|entry| entry[0] == "CN"}[1]
+          entity = @store.by_username(name)
+          entity.authenticate!
+          return entity
+        end
+
+        header = request.headers["Authorization"]
+        return nil if header.nil?
+        scheme, credentials = header.split(/\s+/, 2)
+
+        handler = handler_for(scheme)
+        return nil if handler.nil?
+
+        entity = handler.authenticated_entity(credentials, store)
+        return nil if entity.nil?
+        return nil unless entity.authenticated?
+        return entity
+      end
+    end
+  end
+end

data/lib/roadforest/authorization/default-authentication-store.rb

@@ -0,0 +1,33 @@
+require 'roadforest/authorization/auth-entity'
+module RoadForest
+  module Authorization
+    class DefaultAuthenticationStore
+      def initialize
+        @accounts = []
+      end
+
+      def build_entity(account)
+        return nil if account.nil?
+        AuthEntity.new.tap do |entity|
+          entity.username = account[0]
+          entity.password = account[1]
+          entity.token = account[2]
+        end
+      end
+
+      def add_account(user, password, token)
+        @accounts << [user, password, token]
+      end
+
+      def by_username(username)
+        account = @accounts.find{|account| account[0] == username }
+        build_entity(account)
+      end
+
+      def by_token(token)
+        account = @accounts.find{|account| account[2] == token }
+        build_entity(account)
+      end
+    end
+  end
+end

data/lib/roadforest/authorization/grant-builder.rb

@@ -0,0 +1,23 @@
+module RoadForest
+  module Authorization
+    class GrantBuilder
+      def initialize(cache)
+        @cache = cache
+        @list = []
+      end
+      attr_reader :list
+
+      def add(name, params=nil)
+        canonical =
+          if params.nil?
+            [name]
+          else
+            [name, params.keys.sort.map do |key|
+              [key, params[key]]
+            end]
+          end
+        @list << @cache[canonical]
+      end
+    end
+  end
+end

data/lib/roadforest/authorization/grants-holder.rb

@@ -0,0 +1,58 @@
+require 'roadforest/authorization/grant-builder'
+module RoadForest
+  module Authorization
+    # Caches the obfuscated tokens used to identify permission grants
+    class GrantsHolder
+      def initialize(salt, hash_function)
+        digester = OpenSSL::HMAC.new(salt, hash_function)
+        @conceal = true
+        @grants_cache = Hash.new do |h, k| #XXX potential resource exhaustion here - only accumulate auth'd results
+          if conceal
+            digester.reset
+            digester << token_for(k)
+            h[k] = digester.hexdigest
+          else
+            token_for(k)
+          end
+        end
+      end
+      attr_accessor :conceal
+
+      #For use in URIs, per RFC3986:
+      #Cannot use: ":/?#[]@!$&'()*+;="
+      #Percent encoding uses %
+      #Can use: ".,$^*_-|<>~`"
+      #Grants are of the form [:name, [:key, value]*]
+      def token_for(grant)
+        name, attrs = *grant
+        attrs = (attrs || []).map{|pair| group(pair, "_", "~")}
+        percent_encode(group([name] + attrs, ".", "-"))
+      end
+
+      def group(list, sep, replace)
+        list.map{|part| part.to_s.gsub(sep, replace)}.join(sep)
+      end
+
+      PERCENT_ENCODINGS = Hash.new do |h,k|
+        h[k] = k.force_encoding("US-ASCII").getbyte(0).to_s(16)
+      end
+
+      def percent_encode(string)
+        string.gsub(%r|[\[\]:/?#@!$&'()*+;=]|) do |match|
+          PERCENT_ENCODINGS[match]
+        end
+      end
+
+      def get(key)
+        @grants_cache[key]
+      end
+      alias [] get
+
+      def build_grants
+        builder = GrantBuilder.new(self)
+        yield builder
+        return builder.list
+      end
+    end
+  end
+end

data/lib/roadforest/authorization/manager.rb

@@ -0,0 +1,85 @@
+require 'roadforest/authorization/authentication-chain'
+require 'roadforest/authorization/grants-holder'
+require 'roadforest/authorization/default-authentication-store'
+require 'roadforest/authorization/policy'
+
+module RoadForest
+  module Authorization
+    # The root of the RoadForest authorization scheme.
+
+    # Resources describe a set of permissions that are allowed to access them,
+    # on a per-method case.
+    #
+    # An overall Policy object provides permission grants to authenticated
+    # entities (typically users, but could be e.g. applications acting on their
+    # behalf)
+    #
+    # The ultimate grant/refuse decision comes down to: is there a shared
+    # permission in the list required by the resource and those granted to the
+    # entity.
+    #
+    # Permissions have a name and an optional set of parameters, and can be
+    # referred to as such within the application on the server. They're stored
+    # as digests of those names, which should be safe to communicate to the
+    # user application, which can make interaction decisions based on the
+    # permissions presented.
+    #
+    # The default ServicesHost exposes a Manager as #authz
+    class Manager
+      attr_accessor :authenticator
+      attr_accessor :policy
+      attr_reader :grants
+
+      HASH_FUNCTION = "SHA256".freeze
+
+      def initialize(salt = nil, authenticator = nil, policy = nil)
+        #XXX consider launch-time randomized salt
+        @grants = GrantsHolder.new(salt || "roadforest-insecure", HASH_FUNCTION)
+
+        @store = DefaultAuthenticationStore.new
+        @authenticator = authenticator || AuthenticationChain.new(@store)
+        @policy = policy || Policy.new
+        @policy.grants_holder = @grants
+      end
+
+      def cleartext_grants!
+        @grants.conceal = false
+      end
+
+      def build_grants(&block)
+        @grants.build_grants(&block)
+      end
+
+      def challenge(options)
+        @authenticator.challenge(options)
+      end
+
+      # @returns [:public|:granted|:refused]
+      #
+      # :public means the request doesn't need authorization
+      # :granted means that it does need authz but the credentials passed are
+      #   allowed to access the resource
+      # :refused means that the credentials passed are not allowed to access
+      #   the resource
+      #
+      # TODO: Resource needs to add s-maxage=0 for :granted requests or public
+      # for :public requests to the CacheControl header
+      def authorization(request, required_grants)
+        entity = nil
+        if entity.nil?
+          entity = authenticator.authenticate(request)
+        end
+
+        return :refused if entity.nil?
+
+        available_grants = policy.grants_for(entity)
+
+        if required_grants.any?{|required| available_grants.include?(required)}
+          return :granted
+        else
+          return :refused
+        end
+      end
+    end
+  end
+end

data/lib/roadforest/authorization/policy.rb

@@ -0,0 +1,19 @@
+module RoadForest
+  module Authorization
+    # Responsible to assigning particular permission grants to entities. There
+    # should be one subclass of Policy per application, ideally.
+    class Policy
+      attr_accessor :grants_holder
+
+      def build_grants(&block)
+        grants_holder.build_grants(&block)
+      end
+
+      def grants_for(entity)
+        build_grants do |builder|
+          builder.add(:admin)
+        end
+      end
+    end
+  end
+end

data/lib/roadforest/graph/access-manager.rb

@@ -14,6 +14,9 @@ module RoadForest::Graph
       @resource = normalize_context(resource)
     end
 
+    def reset
+    end
+
     def dup
       other = self.class.allocate
       other.resource = self.resource
@@ -29,6 +32,10 @@ module RoadForest::Graph
       relevant_prefixes_for_graph(origin_graph)
     end
 
+    def each_statement(&block)
+      origin_graph.each_statement(&block)
+    end
+
     def each(&block)
       origin_graph.each(&block)
     end
@@ -53,14 +60,18 @@ module RoadForest::Graph
   end
 
   class WriteManager < ReadOnlyManager
+    include ::RDF::Writable
+
     def insert(statement)
-      statement[3] = resource
+      destination_graph.insert(statement)
+    end
+
+    def insert_statement(statement)
       destination_graph.insert(statement)
     end
 
     def delete(statement)
       statement = RDF::Query::Pattern.from(statement)
-      statement.context = resource
       destination_graph.delete(statement)
     end
   end
@@ -70,6 +81,11 @@ module RoadForest::Graph
 
     alias destination_graph target_graph
 
+    def reset
+      @target_graph ||= ::RDF::Repository.new
+      @target_graph.clear
+    end
+
     def dup
       other = super
       other.target_graph = self.target_graph
@@ -79,6 +95,13 @@ module RoadForest::Graph
     def relevant_prefixes
       super.merge(relevant_prefixes_for_graph(destination_graph))
     end
+
+    def each_target
+      destination_graph.each_context do |context|
+        graph = ::RDF::Graph.new(context, :data => target_graph)
+        yield(context, graph)
+      end
+    end
   end
 
   class CopyManager < SplitManager

data/lib/roadforest/graph/focus-list.rb

@@ -44,6 +44,10 @@ module RoadForest::Graph
     alias << append
 
     def append_node(subject=nil)
+      if empty? and self.subject == RDF.nil
+        raise "Attempted to append #{subject} to an empty list (remove the list and replace it)"
+      end
+
       base_node.create_node(subject) do |node|
         append(node.subject)
         yield node if block_given?

data/lib/roadforest/graph/graph-focus.rb

@@ -45,15 +45,8 @@ module RoadForest::Graph
   end
 
   class GraphFocus
-    #XXX Any changes to this class heirarchy or to ContextFascade should start
-    #with a refactor like:
-    #  Reduce this to the single-node API ([] []=)
-    #  Change the ContextFascade into a family of classes (RO, RW, Update)
     include Normalization
 
-    #attr_accessor :source_graph, :target_graph, :subject, :root_url,
-    #:source_rigor
-
     attr_accessor :subject, :access_manager
 
     alias rdf subject
@@ -63,6 +56,10 @@ module RoadForest::Graph
       self.subject = subject unless subject.nil?
     end
 
+    def reset
+      access_manager.reset
+    end
+
     def root_url
       @access_manager.resource
     end
@@ -111,6 +108,14 @@ module RoadForest::Graph
       return value
     end
 
+    def <<(data)
+      case data
+      when Array
+        data = normalize_statement(*data)
+      end
+      access_manager << data
+    end
+
     def delete(property, extra=nil)
       access_manager.delete(:subject => subject, :predicate => normalize_property(property, extra))
     end
@@ -148,11 +153,25 @@ module RoadForest::Graph
       node
     end
 
+    def empty_list(property, extra=nil)
+      unless extra.nil?
+        property = normalize_property([property, extra])
+      end
+      list
+    end
+
     def add_list(property, extra=nil)
-      list = FocusList.new(::RDF::Node.new, access_manager)
-      access_manager.insert([subject, normalize_property(property, extra), list.subject])
-      yield list if block_given?
-      return list
+      unless extra.nil?
+        property = normalize_property([property, extra])
+      end
+      if block_given?
+        list = add_node(property).as_list
+        yield list
+      else
+        list = FocusList.new
+        add(property, list.subject)
+      end
+      list
     end
     #### End of old GraphFocus
 
@@ -171,8 +190,6 @@ module RoadForest::Graph
       return nil if value.nil?
       if RDF::Literal === value
         value.object
-      elsif value == RDF.nil
-        nil
       else
         wrap_node(value)
       end