RubyGems - shibbolite - Versions diffs - 0.0.1 → 1.1.0 - Mend

shibbolite 0.0.1 → 1.1.0

Files changed (38) hide show

checksums.yaml ADDED Viewed

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: f736be4c42d9b6feef36b94647b8fbf3bf4ce8c4
+  data.tar.gz: bb91bf1108e56142cf9ef106139d54c8313e579a
+SHA512:
+  metadata.gz: 08bbe01087d289f772581b2ce7ad1bf243155c3d1291f931b72f47f446ebc57207bb2d6b55e95765df8d9e2f9c977fb40a9a604fb8bd1c09bd9eb9278a7df75c
+  data.tar.gz: 1ab7667eaee8c9e3200512dc379e9ecf221d26d5d2d5960f1a5701b236674d234202ca815cecca0aac7edabc542bea0853a513a2ae0263a4e86c1bbc9ba7582b

data/README.rdoc CHANGED Viewed

@@ -48,47 +48,45 @@ Shibbolite::Filters gives you a gaggle of before filters to enable access contro
 === Filters
   before_action :require_login
-In your ApplicationController will require that users have a valid Shibboleth session before they can launch any action
+...in your ApplicationController will require that users have a valid Shibboleth session before they can launch any action
   before_action { |c| c.require_group :admin }
-will require that the user belong to the admin group
+...will require that the user belong to the admin group
   before_action { |c| c.require_group :admin, :user }
-will allow anyone who has the admin or the user group
+...will allow anyone who has the admin or the user group
   before_action { |c| c.require_group_or_id :admin, some_user.id }
-is useful for things like profile pages that are accessible to both an owner and anyone in the admin group
+...is useful for things like profile pages that are accessible to both an owner and anyone in the admin group
   before_action :use_attributes_if_available, only: :public
-will attempt to load a Shibboleth session if one is available but do nothing otherwise. Use this if you have a public page but still want to make use of attributes for users that have logged in.
+...will attempt to load a Shibboleth session if one is available but do nothing otherwise. Use this if you have a public page but still want to make use of attributes for users that have logged in.
 === Helpers
 These helpers will be available to views of any controllers that include Shibbolite::Filters. See the source for a complete list.
   current_user
-will return the User object of the Shibboleth authenticated user or nil if no one is authenticated, or the user isn't registered in the database. NOTE: current_user can still return nil after the user authenticates if one of the above filters isn't used before the controller action.
+...will return the User object of the Shibboleth authenticated user or nil if no one is authenticated, or the user isn't registered in the database. NOTE: current_user can still return nil after the user authenticates if one of the above filters isn't used before the controller action.
 Since current_user relies on a database lookup, you'll have to register (ie persist) your users before they can interact with most of the features of Shibbolite. How you want to handle user registration is left up to you.
   logged_in?
-checks to see that a username is set in the session
+...checks to see that a username is set in the session
   user_in_group? (:admin)
-will return true if the current user has the admin group
+...will return true if the current user has the admin group
 === Actions
 A couple of actions are available from Shibbolite::ShibbolethController
-  shibbolite.login_path #=> '/shibbolite/login'
+  shibbolite.login_path #=> 'shibbolite/login'
 will attempt to load a Shibboleth session, or redirect to the Shibbolite.session_initiator for authentication if there is none. After authentication the user is brought back to the root_path.

data/app/concerns/shibbolite/filters.rb CHANGED Viewed

@@ -6,21 +6,21 @@ module Shibbolite
     include Shibbolite::Helpers
     def require_login
-      redirect_to login_or_access_denied unless logged_in?
+      authenticate_request unless logged_in?
     end
     def require_registered
-      redirect_to login_or_access_denied unless registered_user?
+      authenticate_request unless registered_user?
     end
     def require_group(*groups)
       in_group = false
       groups.flatten.each { |group| in_group ||= user_in_group?(group) }
-      redirect_to login_or_access_denied unless in_group
+      authenticate_request unless in_group
     end
     def require_id(id)
-      redirect_to login_or_access_denied unless user_has_id?(id)
+      authenticate_request unless user_has_id?(id)
     end
     def require_group_or_id(*groups, id)
@@ -29,16 +29,34 @@ module Shibbolite
       end
     end
+    def require_attribute(attr, value)
+      authenticate_request unless user_has_matching_attribute?(attr, value)
+    end
+    def require_group_or_attribute(*groups, attr, value)
+      unless user_has_matching_attribute?(attr, value)
+        require_group(groups)
+      end
+    end
     def use_attributes_if_available
       if request.env[Shibbolite.pid.to_s] and not logged_in?
-        redirect_to login_or_access_denied
+        authenticate_request
       end
     end
-    # a handy redirect target
-    def login_or_access_denied
+    # redirects the user to (re)authenticate with
+    # the Idp or a 403 forbidden page
+    def authenticate_request
       session[:requested_url] = request.fullpath
-      logged_in? ? shibbolite.access_denied_url : shibbolite.login_url
+      url = logged_in? ? shibbolite.access_denied_url : shibbolite.login_url
+      # redirect to the selected url
+      respond_to do |format|
+        format.html { redirect_to url }
+        format.js   { render js: "window.location.assign('#{url}');"}
+      end
     end
   end
 end

data/app/concerns/shibbolite/helpers.rb CHANGED Viewed

@@ -44,5 +44,11 @@ module Shibbolite
       return false unless user
       user.id == id
     end
+    #  this method matches against the raw environment variables
+    #  instead of the database attributes
+    def user_has_matching_attribute?(attr, value)
+      request.env[attr.to_s] == value
+    end
   end
 end

data/app/controllers/shibbolite/shibboleth_controller.rb CHANGED Viewed

@@ -9,8 +9,18 @@ module Shibbolite
     def login
       session[:requested_url] ||= main_app.root_path
+      # attempt to load existing sp session data
       load_session
-      redirect_to logged_in? ? session.delete(:requested_url) : sp_login_url
+      # redirect to Idp for authentication if
+      # sp session data is not present
+      url = (logged_in? ? session.delete(:requested_url) : sp_login_url)
+      respond_to do |format|
+        format.html { redirect_to url }
+        format.js   { render js: "window.location.assign('#{url}');"}
+      end
     end
     def logout

data/lib/shibbolite/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module Shibbolite
-  VERSION = "0.0.1"
+  VERSION = "1.1.0"
 end

data/spec/controllers/filters_test_controller_spec.rb CHANGED Viewed

@@ -4,6 +4,8 @@ require 'spec_helper'
 describe FiltersTestController do
+  include_context 'auth_helpers'
   # presume the session has been loaded
   before { allow(subject).to receive(:load_session) }
@@ -15,15 +17,21 @@ describe FiltersTestController do
         get :_require_login
         expect(response).to render_template(:dummy)
       end
     end
     context 'when not logged in' do
+      before { allow(subject).to receive(:logged_in?).and_return(false) }
       it 'redirects' do
-        allow(subject).to receive(:logged_in?).and_return(false)
         get :_require_login
         expect(response).to redirect_to('/shibbolite/login')
       end
+      # see feature spec for complete test
+      it 'responds to ajax requests' do
+        xhr :get, :_require_login
+        expect(response.body).to include('window.location')
+      end
     end
   end
@@ -48,7 +56,7 @@ describe FiltersTestController do
   describe '#use_attributes_if_available' do
-    context 'when the user authenticated but login isn\'t required' do
+    context 'when the user authenticated but login is not required' do
       it 'redirects to login to load the session' do
         allow(subject).to receive(:logged_in?).and_return(false)
         request.env[Shibbolite.pid.to_s] = 'not nil'
@@ -65,6 +73,26 @@ describe FiltersTestController do
     end
   end
+  describe '#require_attribute' do
+    it 'executes action when user has the attribute' do
+      set_env_attribute(:department, '9th Circle')
+      get :_require_attribute, attr: :department, value: '9th Circle'
+      expect(response).to render_template(:dummy)
+    end
+    it 'redirects when user does not have the attribute' do
+      get :_require_attribute, attr: :dragon, value: 'Smaug'
+      expect(response).to redirect_to('/shibbolite/login')
+    end
+    it 'redirects when user has an incorrect value for the attribute' do
+      set_env_attribute(:department, 'Complaints')
+      get :_require_attribute, attr: :department, value: '9th Circle'
+      expect(response).to redirect_to('/shibbolite/login')
+    end
+  end
   context 'filters that require a user object' do
     let!(:user_id)  { 17 }
@@ -142,5 +170,36 @@ describe FiltersTestController do
         end
       end
     end
+    describe '#require_group_or_attribute' do
+      context 'happy paths' do
+        it 'executes action when user has the attribute' do
+          set_env_attribute(:department, '9th Circle')
+          get :_require_group_or_attribute, groups: 'admin', attr: :department, value: '9th Circle'
+          expect(response).to render_template(:dummy)
+        end
+        it 'allows action with matching group' do
+          allow(subject).to receive(:current_user).and_return(admin)
+          get :_require_group_or_id, groups: 'admin', attr: :department, value: '9th Circle'
+          expect(response).to render_template(:dummy)
+        end
+        it 'allows action with both attribute and group matching' do
+          set_env_attribute(:department, '9th Circle')
+          allow(subject).to receive(:current_user).and_return(admin)
+          get :_require_group_or_id, groups: 'admin', attr: :department, value: '9th Circle'
+          expect(response).to render_template(:dummy)
+        end
+      end
+      context 'with no matching criteria' do
+        it 'redirects' do
+          get :_require_attribute, attr: :wizard, value: 'Gandalf'
+          expect(response).to redirect_to('/shibbolite/login')
+        end
+      end
+    end
   end
 end

data/spec/controllers/helpers_test_controller_spec.rb CHANGED Viewed

@@ -4,6 +4,8 @@ require 'spec_helper'
 # the Shibbolite::Helpers concern
 describe HelpersTestController do
+  include_context 'auth_helpers'
   # helper methods
   #
@@ -38,7 +40,7 @@ describe HelpersTestController do
       it 'is false' do
         session[Shibbolite.pid] = nil
         get :_logged_in?
-        expect(assigns(:logged_in)).to be_false
+        expect(assigns(:logged_in)).to be_falsey
       end
     end
@@ -46,7 +48,7 @@ describe HelpersTestController do
       it 'is true' do
         session[Shibbolite.pid] = 'SSO authenticated'
         get :_logged_in?
-        expect(assigns(:logged_in)).to be_true
+        expect(assigns(:logged_in)).to be_truthy
       end
     end
   end
@@ -57,7 +59,7 @@ describe HelpersTestController do
       it 'is true' do
         session[Shibbolite.pid] = nil
         get :_anonymous_user?
-        expect(assigns(:anonymous)).to be_true
+        expect(assigns(:anonymous)).to be_truthy
       end
     end
@@ -65,7 +67,7 @@ describe HelpersTestController do
       it 'is false' do
         session[Shibbolite.pid] = 'SSO authenticated'
         get :_anonymous_user?
-        expect(assigns(:anonymous)).to be_false
+        expect(assigns(:anonymous)).to be_falsey
       end
     end
   end
@@ -77,7 +79,7 @@ describe HelpersTestController do
         session[Shibbolite.pid] = 'SSO authenticated'
         allow(subject).to receive(:current_user).and_return(nil)
         get :_guest_user?
-        expect(assigns(:guest)).to be_true
+        expect(assigns(:guest)).to be_truthy
       end
     end
@@ -86,7 +88,7 @@ describe HelpersTestController do
         session[Shibbolite.pid] = nil
         allow(subject).to receive(:current_user).and_return(nil)
         get :_guest_user?
-        expect(assigns(:guest)).to be_false
+        expect(assigns(:guest)).to be_falsey
       end
     end
   end
@@ -97,7 +99,7 @@ describe HelpersTestController do
       it 'is true' do
         allow(subject).to receive(:current_user).and_return('A valid user')
         get :_registered_user?
-        expect(assigns(:registered)).to be_true
+        expect(assigns(:registered)).to be_truthy
       end
     end
@@ -105,7 +107,7 @@ describe HelpersTestController do
       it 'is false' do
         allow(subject).to receive(:current_user).and_return(nil)
         get :_registered_user?
-        expect(assigns(:registered)).to be_false
+        expect(assigns(:registered)).to be_falsey
       end
     end
   end
@@ -118,12 +120,12 @@ describe HelpersTestController do
     it 'is true when user is in group' do
       get :_user_in_group?, group: 'jedi'
-      expect(assigns(:result)).to be_true
+      expect(assigns(:result)).to be_truthy
     end
     it 'is false when user is not in group' do
       get :_user_in_group?, group: 'sith'
-      expect(assigns(:result)).to be_false
+      expect(assigns(:result)).to be_falsey
     end
   end
@@ -135,12 +137,27 @@ describe HelpersTestController do
     it 'is true when user has the id' do
       get :_user_has_id?, id: '17'
-      expect(assigns(:result)).to be_true
+      expect(assigns(:result)).to be_truthy
     end
     it 'is false when user does not have the id' do
       get :_user_has_id?, id: '23'
-      expect(assigns(:result)).to be_false
+      expect(assigns(:result)).to be_falsey
+    end
+  end
+  describe '#user_has_attribute?' do
+    before { set_env_attribute(:department, 'HR') }
+    it 'is true when the user has the attribute and value' do
+      get :_user_has_attribute?, attr: :department, value: 'HR'
+      expect(assigns(:result)).to be_truthy
+    end
+    it 'is false when the user doesnt have the attribute and/or value' do
+      get :_user_has_attribute?, attr: :department, value: 'QA'
+      expect(assigns(:result)).to be_falsey
     end
   end
 end

data/spec/dummy/app/controllers/filters_test_controller.rb CHANGED Viewed

@@ -10,6 +10,8 @@ class FiltersTestController < ApplicationController
   before_action(only: :_require_id)           { |c| c.require_id params[:id].to_i }
   before_action(only: :_require_group_or_id)  { |c| c.require_group_or_id params[:groups], params[:id].to_i }
   before_action :use_attributes_if_available, only: :_use_attributes_if_available
+  before_action(only: :_require_attribute)          { |c| c.require_attribute params[:attr], params[:value] }
+  before_action(only: :_require_group_or_attribute) { |c| c.require_group_or_attribute params[:groups], params[:attr], params[:value] }
   def _require_login
     render :dummy
@@ -34,4 +36,12 @@ class FiltersTestController < ApplicationController
   def _use_attributes_if_available
     render :dummy
   end
+  def _require_attribute
+    render :dummy
+  end
+  def _require_group_or_attribute
+    render :dummy
+  end
 end

data/spec/dummy/app/controllers/helpers_test_controller.rb CHANGED Viewed

@@ -41,4 +41,9 @@ class HelpersTestController < ApplicationController
     @result = user_has_id?(params[:id].to_i)
     render :dummy
   end
+  def _user_has_attribute?
+    @result = user_has_matching_attribute?(params[:attr], params[:value])
+    render :dummy
+  end
 end

data/spec/dummy/app/views/static/home.html.erb CHANGED Viewed

@@ -32,4 +32,6 @@
   <%= link_to 'Logout', shibbolite.logout_path %>
 </p>
+<p>
+  <%= link_to 'AJAX link', controller: :static, action: :admin_resource, remote: true %>
+</p>

data/spec/dummy/config/environments/test.rb CHANGED Viewed

@@ -13,7 +13,7 @@ Dummy::Application.configure do
   config.eager_load = false
   # Configure static asset server for tests with Cache-Control for performance.
-  config.serve_static_assets  = true
+  config.serve_static_files  = true
   config.static_cache_control = "public, max-age=3600"
   # Show full error reports and disable caching.

data/spec/dummy/db/test.sqlite3 CHANGED Viewed

Binary file