rom-auth 0.0.4

data/lib/rom/auth/plugins/authentication_events_plugin.rb

@@ -0,0 +1,92 @@
+module ROM::Auth
+  module Plugins
+    class AuthenticationEventsPlugin < Plugin
+
+      class Configuration
+        include Virtus.model
+
+        attribute :table_name, Symbol, default: :authentication_events
+      end
+
+      def install
+        system.extend(CallbackOverrides)
+
+        config = configuration
+
+        @mapper = Class.new(ROM::Mapper) do
+          relation(config.table_name)
+          model(AuthenticationEvent)
+          register_as :rom_auth_event
+        end
+
+        @relation = Class.new(ROM::Relation[:sql]) do
+          dataset(config.table_name)
+        end
+
+        @command = Class.new(ROM::Commands::Create[:sql]) do
+          register_as :create
+          relation(config.table_name)
+          result :one
+        end
+      end
+
+      def migrate(setup)
+        AuthenticationEventsMigration.new(system, setup, configuration).run
+      end
+
+      class AuthenticationEvent
+        include Virtus.value_object(coerce: false)
+
+        values do
+          attribute :user_id, Integer # FIXME should be dynamic and could be account_id
+          attribute :success, Boolean
+          attribute :started_at, DateTime
+          attribute :ended_at, DateTime
+          attribute :identifier, String
+          attribute :type, String
+          attribute :authenticated, Boolean
+          attribute :data, String
+        end
+      end
+
+      class AuthenticationEventsMigration < Migration
+        def run
+          auth_config = system.configuration
+          config = self.config
+          user_fk_name = auth_config.user_fk_name
+
+          database.create_table(config.table_name) do
+            primary_key :id
+            foreign_key(user_fk_name, auth_config.users_table_name.to_sym)
+            DateTime  :started_at
+            DateTime  :ended_at
+            String    :identifier
+            String    :type
+            Boolean   :authenticated
+            Boolean   :success
+            String    :data
+            # TODO login_ip, failure reason
+          end
+        end
+      end
+
+      module CallbackOverrides
+        def on_authentication_completed(data)
+          super
+
+          # ROM.env.command(plugins[AuthenticationEventsPlugin].configuration.table_name).try{
+          #   create(data)
+          # }
+          ROM.env.command(plugins[AuthenticationEventsPlugin].configuration.table_name).create.call(data)
+
+          # TODO
+          # - log origin/details & warn user
+          # - compute failed logins per minute and alert if above threshold
+          # - throttling
+          #
+        end
+      end
+
+    end
+  end
+end

data/lib/rom/auth/plugins/lockdown_plugin.rb

@@ -0,0 +1,114 @@
+module ROM::Auth
+  module Plugins
+    class LockdownPlugin < Plugin
+
+      class Configuration
+        include Virtus.model
+
+        attribute :table_name, Symbol, default: nil
+        attribute :lock_strategy, Object
+        attribute :unlock_strategy, Object
+      end
+
+      def initialize(*args)
+        super
+
+        # FIXME move to configuration?
+        configuration.table_name ||= system.configuration.users_table_name
+      end
+
+      def install
+        system.extend(CallbackOverrides)
+
+        config = configuration
+
+        @relation = Class.new(ROM::Relation[:sql]) do
+          register_as :rom_auth_lockdowns
+          dataset(config.table_name)
+
+          def by_user_id(user_id)
+            where(id: user_id)
+          end
+        end
+
+        @mapper = Class.new(ROM::Mapper) do
+          relation(:rom_auth_lockdowns)
+          model(Lockdown)
+          register_as :rom_auth_lockdown
+        end
+
+        @command = Class.new(ROM::Commands::Update[:sql]) do
+          register_as :update
+          relation(:rom_auth_lockdowns)
+          result :one
+        end
+      end
+
+      def migrate(setup)
+        LockdownMigration.new(system, setup, configuration).run
+      end
+
+      def lock_strategy
+        configuration.lock_strategy
+      end
+
+      def unlock_strategy
+        configuration.unlock_strategy
+      end
+
+      def is_locked?(user_id)
+        #user.locked_at.present?
+        ROM.env.relation(:rom_auth_lockdowns).by_user_id(user_id).as(:rom_auth_lockdown).first.try(:locked_at).present?
+      end
+
+      def lock(user_id, reason)
+        raise ArgumentError unless user_id.is_a?(Integer)
+        ROM.env.command(:rom_auth_lockdowns).update.where(id: user_id).call(locked_at: Time.now, lock_reason: reason)
+      end
+
+      def unlock(user_id)
+        ROM.env.command(:rom_auth_lockdowns).update.where(id: user_id).call(locked_at: nil, lock_reason: nil)
+      end
+
+      class LockdownMigration < Migration
+        def run
+          config = self.config
+          auth_config = system.configuration
+
+          database.alter_table(config.table_name) do
+            add_column :locked_at, DateTime, default: nil, null: true
+            add_column :lock_reason, String, null: true
+          end
+        end
+      end
+
+      class Lockdown
+        include Virtus.value_object(coerce: false)
+
+        values do
+          attribute :id, Integer
+          attribute :locked_at, DateTime
+          attribute :lock_reason, String
+        end
+      end
+
+      module CallbackOverrides
+        def authentication_authorized?(user, credentials)
+          plugin = plugins[LockdownPlugin]
+
+          plugin.unlock_strategy.call(plugin, user, credentials) if plugin.unlock_strategy
+          super && !plugin.is_locked?(user[:id])
+        end
+
+        def on_authentication_completed(data)
+          super
+
+          plugin = plugins[LockdownPlugin]
+
+          plugin.lock_strategy.call(plugin, data[:user_id], data) if plugin.lock_strategy
+        end
+      end
+
+    end
+  end
+end

data/lib/rom/auth/plugins/plugin.rb

@@ -0,0 +1,22 @@
+module ROM::Auth
+  module Plugins
+    class Plugin
+
+      attr_reader :system, :configuration
+
+      def initialize(system, config)
+        raise ArgumentError unless system.kind_of?(System)
+        @system = system
+        @configuration = config
+      end
+
+      def migrate(*args)
+      end
+
+      def install(*args)
+        raise NotImplementedError
+      end
+
+    end
+  end
+end

data/lib/rom/auth/support/shorthand_symbol.rb

@@ -0,0 +1,22 @@
+module ROM::Auth
+  module Support
+    module ShorthandSymbol
+
+      def self.strip(suffix)
+        mod = Module.new
+
+        mod.instance_eval <<-RUBY
+          def included(cls)
+            def cls.shorthand_symbol
+              #name.split('::').last.gsub(/#{suffix.source}/,'').underscore.to_sym
+              name.demodulize.gsub(/#{suffix.source}/,'').underscore.to_sym
+            end
+          end
+        RUBY
+
+        mod
+      end
+
+    end
+  end
+end

data/lib/rom/auth/system.rb

@@ -0,0 +1,146 @@
+module ROM
+  module Auth
+    class System
+
+      attr_reader :configuration, :plugins
+
+      def initialize(config)
+        raise ArgumentError unless config.is_a?(Configuration)
+        @configuration = config
+
+        load_plugins!
+      end
+
+      def migrate!(setup)
+        plugins.each do |_type, plugin|
+          plugin.migrate(setup)
+        end
+      end
+
+      # def authenticators
+      #   Authenticators::Authenticator.descendants.inject({}) do |acc, desc|
+      #     acc.merge(desc.shorthand_symbol => desc)
+      #   end
+      # end
+
+      def authenticate(credentials)
+        raise ArgumentError unless credentials
+
+        success = false
+        now = Time.now
+        user = identify_user(credentials)
+
+        on_authentication_attempt(credentials)
+
+        if user
+          authenticated = run_authentication_check(credentials)
+
+          if authenticated
+            on_authentication_success(credentials)
+
+            if authentication_authorized?(user, credentials)
+              on_authorized_authentication(credentials)
+              success = true
+            else
+              on_unauthorized_authentication(credentials)
+            end
+          else
+            on_authentication_failure(credentials)
+          end
+        else
+          on_identification_failure(credentials)
+        end
+
+        on_authentication_completed(
+          identifier: credentials.identifier,
+          user_id: (user[:id] if user),
+          started_at: now,
+          ended_at: Time.now,
+          type: credentials.type,
+          authenticated: authenticated,
+          success: success
+        )
+
+        user if success
+      end
+
+      def logger
+        configuration.logger
+      end
+
+      def inspect
+        "#<ROM::Auth::AuthenticationSystem plugins: #{plugins.keys}>"
+      end
+
+    private
+
+      def load_plugins!
+        @plugins = configuration.plugins.inject({}) do |acc, (plugin, args)|
+          acc.merge(plugin => plugin.new(self, *args))
+        end
+
+        @plugins.each do |_type, plugin|
+          plugin.install
+        end
+      end
+
+      def identify_user(credentials)
+        raise NotImplementedError
+      end
+
+      def run_authentication_check(credentials)
+        #authenticators[type].new.authenticate(user, data)
+        raise NotImplementedError
+      end
+
+      def authentication_authorized?(user, credentials)
+        true # FIXME
+      end
+
+      def on_authentication_attempt(credentials)
+        logger.info("Attempt: #{credentials.identifier}")
+      end
+
+      def on_identification_failure(credentials)
+        logger.info("Identification failed: #{credentials.identifier}")
+      end
+
+      def on_authentication_completed(data)
+        raise ArgumentError unless data.is_a?(Hash)
+        #raise ArgumentError unless data.keys.to_set == [:identifier, :user_id, :started_at, :ended_at, :authenticated, :authenticator, :success].to_set
+        # TODO :reason ?
+
+        instrument_authentication_event(data)
+
+        # TODO
+        # - log origin/details & warn user
+        # - compute failed logins per minute and alert if above threshold
+        # - throttling
+        #
+      end
+
+      def on_authentication_failure(credentials)
+        logger.info("Authentication failed: #{credentials.identifier}")
+      end
+
+      def on_authentication_success(credentials)
+        logger.info("Authentication succeeded: #{credentials.identifier}")
+      end
+
+      def on_unauthorized_authentication(credentials)
+        logger.info("Unauthorized: #{credentials.identifier}")
+      end
+
+      def on_authorized_authentication(credentials)
+        logger.info("Authorized: #{credentials.identifier}")
+      end
+
+      def instrument_authentication_event(auth_data)
+        configuration.instrumentation.instrument(
+          'rom:auth:authentication_attempt',
+          auth_data
+        )
+      end
+    end
+  end
+end

data/lib/rom/auth/version.rb

@@ -0,0 +1,5 @@
+module ROM
+  module Auth
+    VERSION = "0.0.4"
+  end
+end

data/spec/integration/common_plugins_spec.rb

@@ -0,0 +1,162 @@
+describe 'CommonPlugins' do
+  let(:setup)       { ROM.setup(:sql, "sqlite::memory") }
+  let(:connection)  { setup.default.connection }
+
+  def password
+    'somepassword'
+  end
+
+  def password_verifier
+    ROM::Auth::PasswordVerifiers::PBKDF2Verifier.for_password(password)
+  end
+
+  before do
+    connection.create_table(:users) do
+      primary_key :id
+    end
+
+    class User
+      include Virtus.value_object(coerce: false)
+
+      values do
+        attribute :id, Integer
+      end
+    end
+
+    @users = Class.new(ROM::Relation[:sql]) do
+      register_as :users
+      dataset :users
+
+      def by_id(id)
+        where(id: id)
+      end
+    end
+
+    @mapper = Class.new(ROM::Mapper) do
+      relation(:users)
+      model(User) # FIXME
+    end
+  end
+
+  it '#authenticate with AuthenticationCredentialsPlugin' do
+    config = ROM::Auth::Configuration.new do |c|
+      c.plugin(ROM::Auth::Plugins::AuthenticationCredentialsPlugin) do
+      end
+
+      c.plugin(ROM::Auth::Plugins::AuthenticationEventsPlugin) do
+      end
+    end
+
+    system = ROM::Auth::System.new(config)
+
+    system.migrate!(setup)
+
+    rom = ROM.finalize.env
+
+    connection[:users].insert(id: 1)
+    connection[:authentication_credentials].insert(
+      user_id: 1,
+      type: 'email',
+      identifier: 'a@b.c.de',
+      verifier_data: password_verifier.to_s
+    )
+
+    credentials = double(type: 'email', identifier: 'a@b.c.de', password: password)
+    user = rom.relation(:users).first
+
+    assert{ system.authenticate(credentials) == user }
+  end
+
+  it '#authenticate with AuthenticationEventsPlugin' do
+    config = ROM::Auth::Configuration.new do |c|
+      c.plugin(ROM::Auth::Plugins::AuthenticationCredentialsPlugin) do
+      end
+
+      c.plugin(ROM::Auth::Plugins::AuthenticationEventsPlugin) do
+      end
+
+      c.plugin(ROM::Auth::Plugins::LockdownPlugin) do
+      end
+    end
+
+    system = ROM::Auth::System.new(config)
+
+    system.migrate!(setup)
+
+    rom = ROM.finalize.env
+
+    connection[:users].insert(id: 1)
+    connection[:authentication_credentials].insert(
+      user_id: 1,
+      type: 'email',
+      identifier: 'a@b.c.de',
+      verifier_data: password_verifier.to_s
+    )
+
+    credentials = double(type: 'email', identifier: 'a@b.c.de', password: password)
+    user = rom.relation(:users).first
+
+    auths = rom.relation(:authentication_events)
+
+    assert{ system.authenticate(credentials) == user }
+    assert{ auths.relation.count == 1 }
+
+    event = auths.as(:rom_auth_event).first
+    assert{ event.type == 'email' }
+    assert{ event.authenticated == true }
+    assert{ event.success == true }
+    assert{ event.user_id == 1 }
+  end
+
+  it '#authenticate with LockdownPlugin' do
+    config = ROM::Auth::Configuration.new do |c|
+      c.plugin(ROM::Auth::Plugins::AuthenticationCredentialsPlugin) do
+      end
+
+      c.plugin(ROM::Auth::Plugins::AuthenticationEventsPlugin) do
+      end
+
+      c.plugin(ROM::Auth::Plugins::LockdownPlugin) do |c|
+        c.lock_strategy  = ->(plugin, user_id, credentials){
+          #plugin.system.logger.info('LOCKING')
+          plugin.lock(user_id, 'Login failed')
+        }
+      end
+    end
+
+    system = ROM::Auth::System.new(config)
+
+    system.migrate!(setup)
+
+    rom = ROM.finalize.env
+
+    connection[:users].insert(id: 1)
+    connection[:authentication_credentials].insert(
+      user_id: 1,
+      type: 'email',
+      identifier: 'a@b.c.de',
+      verifier_data: password_verifier.to_s
+    )
+
+    credentials = double(type: 'email', identifier: 'a@b.c.de', password: 'incorrect')
+
+    user = rom.relation(:users).first
+
+    assert{ system.authenticate(credentials) == nil }
+
+    lock = rom.relation(:rom_auth_lockdowns).as(:rom_auth_lockdown).first
+
+    assert{ lock.locked_at.close_to?(Time.now, 1) }
+    assert{ lock.lock_reason == 'Login failed' }
+
+    plugin = system.plugins[ROM::Auth::Plugins::LockdownPlugin]
+    assert{ plugin.is_locked?(lock.id) == true }
+
+    plugin.unlock(lock.id)
+    assert{ plugin.is_locked?(lock.id) == false }
+
+    lock = rom.relation(:rom_auth_lockdowns).as(:rom_auth_lockdown).first
+    assert{ lock.locked_at == nil }
+    assert{ lock.lock_reason == nil }
+  end
+end