sso-auth 0.0.1

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2012 YOURNAME
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.rdoc

@@ -0,0 +1,28 @@
+= SsoAuth
+
+== Usage
+
+Gemfile
+
+  gem 'sso-auth'
+
+Layout
+
+  <body>
+    <%= render :partial => "sso_auth/shared/header" %>
+    ...
+    <%= yield %>
+    ...
+    <%= render :partial => "sso_auth/shared/footer" %>
+  </body>
+
+Stylesheet
+
+  *= require ...
+  *= require sso_auth/shared // common styles
+  *= require custom_sso_auth // customize styles
+  */
+
+== License
+
+This project rocks and uses MIT-LICENSE.

data/Rakefile

@@ -0,0 +1,33 @@
+#!/usr/bin/env rake
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+begin
+  require 'rdoc/task'
+rescue LoadError
+  require 'rdoc/rdoc'
+  require 'rake/rdoctask'
+  RDoc::Task = Rake::RDocTask
+end
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'SsoAuth'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+APP_RAKEFILE = File.expand_path("../spec/dummy/Rakefile", __FILE__)
+load 'rails/tasks/engine.rake'
+
+
+Bundler::GemHelper.install_tasks
+
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec

data/app/controllers/sso_auth/omniauth_callbacks_controller.rb

@@ -0,0 +1,24 @@
+# encoding: utf-8
+
+class SsoAuth::OmniauthCallbacksController < Devise::OmniauthCallbacksController
+  def identity
+    user = User.find_or_initialize_by_uid(request.env['omniauth.auth']['uid']).tap do |user|
+      attributes = request.env['omniauth.auth']['extra']['raw_info']['user']
+      attributes = attributes.merge(request.env['omniauth.auth']['info'])
+      attributes.each do |attribute, value|
+        user.send("#{attribute}=", value) if user.respond_to?("#{attribute}=")
+      end
+      user.save(:validate => false)
+    end
+
+    flash[:notice] = I18n.t "devise.omniauth_callbacks.success", :kind => "системы аутентификации"
+    sign_in user, :event => :authentication
+    redirect_to stored_location_for(:user) || main_app.root_path
+  end
+
+  private
+
+  def after_omniauth_failure_path_for(model)
+    main_app.root_path
+  end
+end

data/app/controllers/sso_auth/sessions_controller.rb

@@ -0,0 +1,16 @@
+class SsoAuth::SessionsController < ApplicationController
+  def destroy
+    reset_session
+    redirect_to "#{Settings['sso.url']}/users/sign_out?redirect_uri=#{CGI.escape(redirect_uri)}"
+  end
+
+  protected
+
+    def redirect_uri
+      URI.parse(request.url).tap do | uri |
+        uri.path = main_app.root_path
+        uri.query = nil
+      end.to_s
+    end
+
+end

data/app/controllers/sso_auth/users_controller.rb

@@ -0,0 +1,11 @@
+require 'open-uri'
+
+class SsoAuth::UsersController < ApplicationController
+  respond_to :json
+
+  def index
+    authorize! :manage, :permissions
+    response = open("#{Settings['sso.url']}/users.json?user_search[keywords]=#{URI.escape(params[:term])}")
+    render :json => JSON.parse(response.read)
+  end
+end

data/app/views/sso-auth/shared/_user_box.html.erb

@@ -0,0 +1,6 @@
+<% if current_user %>
+  <span class='current_user'><%= current_user.sso_auth_name %></span>
+  <%= link_to('Выход', sso_auth.destroy_user_session_path) %>
+<% else %>
+  <%= link_to 'Вход в систему', user_omniauth_authorize_path(:identity)  %>
+<% end %>

data/config/initializers/devise.rb

@@ -0,0 +1,216 @@
+# Use this hook to configure devise mailer, warden hooks and so forth.
+# Many of these configuration options can be set straight in your model.
+Devise.setup do |config|
+  # ==> Mailer Configuration
+  # Configure the e-mail address which will be shown in Devise::Mailer,
+  # note that it will be overwritten if you use your own mailer class with default "from" parameter.
+  # config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"
+
+  # Configure the class responsible to send e-mails.
+  # config.mailer = "Devise::Mailer"
+
+  # ==> ORM configuration
+  # Load and configure the ORM. Supports :active_record (default) and
+  # :mongoid (bson_ext recommended) by default. Other ORMs may be
+  # available as additional gems.
+  require 'devise/orm/active_record'
+
+  # ==> Configuration for any authentication mechanism
+  # Configure which keys are used when authenticating a user. The default is
+  # just :email. You can configure it to use [:username, :subdomain], so for
+  # authenticating a user, both parameters are required. Remember that those
+  # parameters are used only when authenticating and not when retrieving from
+  # session. If you need permissions, you should implement that in a before filter.
+  # You can also supply a hash where the value is a boolean determining whether
+  # or not authentication should be aborted when the value is not present.
+  # config.authentication_keys = [ :email ]
+
+  # Configure parameters from the request object used for authentication. Each entry
+  # given should be a request method and it will automatically be passed to the
+  # find_for_authentication method and considered in your model lookup. For instance,
+  # if you set :request_keys to [:subdomain], :subdomain will be used on authentication.
+  # The same considerations mentioned for authentication_keys also apply to request_keys.
+  # config.request_keys = []
+
+  # Configure which authentication keys should be case-insensitive.
+  # These keys will be downcased upon creating or modifying a user and when used
+  # to authenticate or find a user. Default is :email.
+  config.case_insensitive_keys = []
+
+  # Configure which authentication keys should have whitespace stripped.
+  # These keys will have whitespace before and after removed upon creating or
+  # modifying a user and when used to authenticate or find a user. Default is :email.
+  config.strip_whitespace_keys = []
+
+  # Tell if authentication through request.params is enabled. True by default.
+  # It can be set to an array that will enable params authentication only for the
+  # given strategies, for example, `config.params_authenticatable = [:database]` will
+  # enable it only for database (email + password) authentication.
+  # config.params_authenticatable = true
+
+  # Tell if authentication through HTTP Basic Auth is enabled. False by default.
+  # It can be set to an array that will enable http authentication only for the
+  # given strategies, for example, `config.http_authenticatable = [:token]` will
+  # enable it only for token authentication.
+  # config.http_authenticatable = false
+
+  # If http headers should be returned for AJAX requests. True by default.
+  # config.http_authenticatable_on_xhr = true
+
+  # The realm used in Http Basic Authentication. "Application" by default.
+  # config.http_authentication_realm = "Application"
+
+  # It will change confirmation, password recovery and other workflows
+  # to behave the same regardless if the e-mail provided was right or wrong.
+  # Does not affect registerable.
+  # config.paranoid = true
+
+  # By default Devise will store the user in session. You can skip storage for
+  # :http_auth and :token_auth by adding those symbols to the array below.
+  # Notice that if you are skipping storage for all authentication paths, you
+  # may want to disable generating routes to Devise's sessions controller by
+  # passing :skip => :sessions to `devise_for` in your config/routes.rb
+  config.skip_session_storage = [:http_auth]
+
+  # ==> Configuration for :database_authenticatable
+  # For bcrypt, this is the cost for hashing the password and defaults to 10. If
+  # using other encryptors, it sets how many times you want the password re-encrypted.
+  #
+  # Limiting the stretches to just one in testing will increase the performance of
+  # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use
+  # a value less than 10 in other environments.
+  config.stretches = Rails.env.test? ? 1 : 10
+
+  # Setup a pepper to generate the encrypted password.
+  # config.pepper = "d38daf1ff1526d1a6df451bc2a0cea2e2eb02dafa36d59b4852177ad91e8e3e5948a04c6f68302740e2187fc75cb84c5cf8a1aceaef6b9278df7b407546ddea1"
+
+  # ==> Configuration for :confirmable
+  # A period that the user is allowed to access the website even without
+  # confirming his account. For instance, if set to 2.days, the user will be
+  # able to access the website for two days without confirming his account,
+  # access will be blocked just in the third day. Default is 0.days, meaning
+  # the user cannot access the website without confirming his account.
+  # config.allow_unconfirmed_access_for = 2.days
+
+  # If true, requires any email changes to be confirmed (exactly the same way as
+  # initial account confirmation) to be applied. Requires additional unconfirmed_email
+  # db field (see migrations). Until confirmed new email is stored in
+  # unconfirmed email column, and copied to email column on successful confirmation.
+  config.reconfirmable = true
+
+  # Defines which key will be used when confirming an account
+  # config.confirmation_keys = [ :email ]
+
+  # ==> Configuration for :rememberable
+  # The time the user will be remembered without asking for credentials again.
+  # config.remember_for = 2.weeks
+
+  # If true, extends the user's remember period when remembered via cookie.
+  # config.extend_remember_period = false
+
+  # Options to be passed to the created cookie. For instance, you can set
+  # :secure => true in order to force SSL only cookies.
+  # config.rememberable_options = {}
+
+  # ==> Configuration for :validatable
+  # Range for password length. Default is 6..128.
+  # config.password_length = 6..128
+
+  # Email regex used to validate email formats. It simply asserts that
+  # an one (and only one) @ exists in the given string. This is mainly
+  # to give user feedback and not to assert the e-mail validity.
+  # config.email_regexp = /\A[^@]+@[^@]+\z/
+
+  # ==> Configuration for :timeoutable
+  # The time you want to timeout the user session without activity. After this
+  # time the user will be asked for credentials again. Default is 30 minutes.
+  # config.timeout_in = 30.minutes
+
+  # ==> Configuration for :lockable
+  # Defines which strategy will be used to lock an account.
+  # :failed_attempts = Locks an account after a number of failed attempts to sign in.
+  # :none            = No lock strategy. You should handle locking by yourself.
+  # config.lock_strategy = :failed_attempts
+
+  # Defines which key will be used when locking and unlocking an account
+  # config.unlock_keys = [ :email ]
+
+  # Defines which strategy will be used to unlock an account.
+  # :email = Sends an unlock link to the user email
+  # :time  = Re-enables login after a certain amount of time (see :unlock_in below)
+  # :both  = Enables both strategies
+  # :none  = No unlock strategy. You should handle unlocking by yourself.
+  # config.unlock_strategy = :both
+
+  # Number of authentication tries before locking an account if lock_strategy
+  # is failed attempts.
+  # config.maximum_attempts = 20
+
+  # Time interval to unlock the account if :time is enabled as unlock_strategy.
+  # config.unlock_in = 1.hour
+
+  # ==> Configuration for :recoverable
+  #
+  # Defines which key will be used when recovering the password for an account
+  # config.reset_password_keys = [ :email ]
+
+  # Time interval you can reset your password with a reset password key.
+  # Don't put a too small interval or your users won't have the time to
+  # change their passwords.
+  config.reset_password_within = 6.hours
+
+  # ==> Configuration for :encryptable
+  # Allow you to use another encryption algorithm besides bcrypt (default). You can use
+  # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,
+  # :authlogic_sha512 (then you should set stretches above to 20 for default behavior)
+  # and :restful_authentication_sha1 (then you should set stretches to 10, and copy
+  # REST_AUTH_SITE_KEY to pepper)
+  # config.encryptor = :sha512
+
+  # ==> Configuration for :token_authenticatable
+  # Defines name of the authentication token params key
+  # config.token_authentication_key = :auth_token
+
+  # ==> Scopes configuration
+  # Turn scoped views on. Before rendering "sessions/new", it will first check for
+  # "users/sessions/new". It's turned off by default because it's slower if you
+  # are using only default views.
+  # config.scoped_views = false
+
+  # Configure the default scope given to Warden. By default it's the first
+  # devise role declared in your routes (usually :user).
+  # config.default_scope = :user
+
+  # Configure sign_out behavior.
+  # Sign_out action can be scoped (i.e. /users/sign_out affects only :user scope).
+  # The default is true, which means any logout action will sign out all active scopes.
+  # config.sign_out_all_scopes = true
+
+  # ==> Navigation configuration
+  # Lists the formats that should be treated as navigational. Formats like
+  # :html, should redirect to the sign in page when the user does not have
+  # access, but formats like :xml or :json, should return 401.
+  #
+  # If you have any extra navigational formats, like :iphone or :mobile, you
+  # should add them to the navigational formats lists.
+  #
+  # The "*/*" below is required to match Internet Explorer requests.
+  # config.navigational_formats = ["*/*", :html]
+
+  # The default HTTP method used to sign out a resource. Default is :delete.
+  config.sign_out_via = :delete
+
+  # ==> OmniAuth
+  # Add a new OmniAuth provider. Check the wiki for more information on setting
+  # up on your models and hooks.
+  # config.omniauth :github, 'APP_ID', 'APP_SECRET', :scope => 'user,public_repo'
+
+  # ==> Warden configuration
+  # If you want to use other strategies, that are not supported by Devise, or
+  # change the failure app, you can configure them inside the config.warden block.
+  #
+  # config.warden do |manager|
+  #   manager.intercept_401 = false
+  #   manager.default_strategies(:scope => :user).unshift :some_external_strategy
+  # end
+end

data/config/locales/en.yml

@@ -0,0 +1,11 @@
+ru:
+  activerecord:
+    attributes:
+      permission:
+        context:              Context
+        role:                 Role
+        user:                 User
+
+    models:
+      permission:             Permission
+

data/config/locales/ru.yml

@@ -0,0 +1,11 @@
+ru:
+  activerecord:
+    attributes:
+      permission:
+        context:              Контекст
+        role:                 Роль
+        user:                 Пользователь
+
+    models:
+      permission:             Право доступа
+

data/config/routes.rb

@@ -0,0 +1,17 @@
+SsoAuth::Engine.routes.draw do
+  resources :users, :only => :index
+  get 'sign_out' => 'sessions#destroy', :as => :destroy_user_session
+end
+
+Rails.application.routes.draw do
+  devise_for :users, :path => 'auth',
+                     :controllers => {:omniauth_callbacks => 'sso_auth/omniauth_callbacks'},
+                     :skip => [:sessions]
+
+  devise_scope :users do
+    get 'sign_in' => redirect('/auth/auth/identity'), :as => :new_user_session
+  end
+
+  mount SsoAuth::Engine => '/auth'
+end
+

data/lib/generators/sso-auth/install/install_generator.rb

@@ -0,0 +1,40 @@
+require 'rails/generators/migration'
+
+module SsoAuth
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      include Rails::Generators::Migration
+
+      source_root File.expand_path('../templates', __FILE__)
+
+      def self.next_migration_number(dirname)
+        @number ||= Time.now.strftime('%Y%m%d%H%M%S').to_i
+        @number += 1
+      end
+
+      def create_models
+        template 'app/models/ability.rb'
+        template 'app/models/user.rb'
+        template 'app/models/permission.rb'
+      end
+
+      def create_controllers
+        template 'app/controllers/manage/application_controller.rb'
+      end
+
+      def create_seeds
+        template 'db/seeds.rb'
+      end
+
+      def create_specs
+        template 'spec/models/ability_spec.rb'
+      end
+
+      def create_migrations
+        migration_template 'db/migrate/create_users.rb'
+        migration_template 'db/migrate/create_permissions.rb'
+      end
+
+    end
+  end
+end

data/lib/generators/sso-auth/install/templates/app/controllers/manage/application_controller.rb

@@ -0,0 +1,3 @@
+class Manage::ApplicationController < ApplicationController
+  sso_load_and_authorize_resource
+end

data/lib/generators/sso-auth/install/templates/app/models/ability.rb

@@ -0,0 +1,17 @@
+class Ability
+  include CanCan::Ability
+
+  def initialize(user)
+    return unless user
+
+    can :manage, :application do
+      user.permissions.any?
+    end
+
+    can :manage, :permissions do
+      user.manager?
+    end
+
+    # TODO: insert app specific rules here
+  end
+end

data/lib/generators/sso-auth/install/templates/app/models/permission.rb

@@ -0,0 +1,16 @@
+# == Schema Information
+#
+# Table name: permissions
+#
+#  id           :integer          not null, primary key
+#  user_id      :integer
+#  context_id   :integer
+#  context_type :string(255)
+#  role         :string(255)
+#  created_at   :datetime         not null
+#  updated_at   :datetime         not null
+#
+
+class Permission < ActiveRecord::Base
+  sso_auth_permission :roles => [:manager, :operator]
+end

data/lib/generators/sso-auth/install/templates/app/models/user.rb

@@ -0,0 +1,21 @@
+# == Schema Information
+#
+# Table name: users
+#
+#  id                 :integer          not null, primary key
+#  uid                :string(255)
+#  name               :text
+#  email              :text
+#  raw_info           :text
+#  sign_in_count      :integer
+#  current_sign_in_at :datetime
+#  last_sign_in_at    :datetime
+#  current_sign_in_ip :string(255)
+#  last_sign_in_ip    :string(255)
+#  created_at         :datetime         not null
+#  updated_at         :datetime         not null
+#
+
+class User < ActiveRecord::Base
+  sso_auth_user
+end

data/lib/generators/sso-auth/install/templates/db/migrate/create_permissions.rb

@@ -0,0 +1,11 @@
+class CreatePermissions < ActiveRecord::Migration
+  def change
+    create_table :permissions do |t|
+      t.references :user
+      t.references :context, :polymorphic => true
+      t.string :role
+      t.timestamps
+    end
+    add_index :permissions, [:user_id, :role, :context_id, :context_type], :name => 'by_user_and_role_and_context'
+  end
+end

data/lib/generators/sso-auth/install/templates/db/migrate/create_users.rb

@@ -0,0 +1,20 @@
+class CreateUsers < ActiveRecord::Migration
+  def change
+    create_table :users do | t |
+      t.string  :uid                    # omniauth[:uid]
+      t.text    :name, :email           # omniauth[:info]
+      t.text    :raw_info               # omniauth[:extra]
+
+      # Devise trackable fields
+      t.integer  :sign_in_count
+      t.datetime :current_sign_in_at
+      t.datetime :last_sign_in_at
+      t.string   :current_sign_in_ip
+      t.string   :last_sign_in_ip
+
+      t.timestamps
+    end
+
+    add_index :users, :uid
+  end
+end

data/lib/generators/sso-auth/install/templates/db/seeds.rb

@@ -0,0 +1,4 @@
+User.find_or_initialize_by_uid('1').tap do | user |
+  user.save(:validate => false)
+  user.permissions.create! :role => :manager if user.permissions.empty?
+end

data/lib/generators/sso-auth/install/templates/spec/models/ability_spec.rb

@@ -0,0 +1,14 @@
+require 'spec_helper'
+
+describe Ability do
+  context 'manager' do
+    subject { ability_for(manager) }
+    it { should     be_able_to(:manage, :application) }
+    it { should     be_able_to(:manage, :permissions) }
+  end
+  context 'operator' do
+    subject { ability_for(operator) }
+    it { should     be_able_to(:manage, :application) }
+    it { should_not be_able_to(:manage, :permissions) }
+  end
+end

data/lib/omniauth/strategies/identity.rb

@@ -0,0 +1,15 @@
+require 'omniauth/strategies/oauth2'
+
+module OmniAuth
+  module Strategies
+    class Identity < OmniAuth::Strategies::OAuth2
+      uid { raw_info['uid'] }
+      info { raw_info['info'] }
+      extra { {:raw_info => raw_info} }
+
+      def raw_info
+        @raw_info ||= access_token.get("/oauth/user.json?oauth_token=#{access_token.token}").parsed
+      end
+    end
+  end
+end

data/lib/sso-auth.rb

@@ -0,0 +1,7 @@
+require "sso-auth/engine"
+
+require 'cancan'
+require 'devise'
+
+module SsoAuth
+end

data/lib/sso-auth/engine.rb

@@ -0,0 +1,79 @@
+module SsoAuth
+  class Engine < ::Rails::Engine
+    isolate_namespace SsoAuth
+
+    config.after_initialize do
+      begin
+        Settings.define 'sso.url',     :env_var => 'SSO_URL',     :require => true
+        Settings.define 'sso.key',     :env_var => 'SSO_KEY',     :require => true
+        Settings.define 'sso.secret',  :env_var => 'SSO_SECRET',  :require => true
+
+        Settings.resolve!
+      rescue => e
+        puts "WARNING! #{e.message}"
+      end
+    end
+
+    initializer "sso_client.devise", :before => 'devise.omniauth' do |app|
+      require File.expand_path("../../../lib/omniauth/strategies/identity", __FILE__)
+      Devise.setup do |config|
+        config.omniauth :identity, Settings['sso.key'], Settings['sso.secret'], :client_options => { :site => Settings['sso.url'] }
+      end
+    end
+
+    config.to_prepare do
+      ActionController::Base.class_eval do
+        define_singleton_method :sso_load_and_authorize_resource do
+          before_filter :authenticate_user!
+          before_filter :authorize_user_can_manage_application!
+          load_and_authorize_resource
+          rescue_from CanCan::AccessDenied do |exception|
+            render :file => "#{Rails.root}/public/403", :formats => [:html], :status => 403, :layout => false
+          end
+        end
+
+        protected
+
+        define_method :authorize_user_can_manage_application! do
+          authorize! :manage, :application
+        end
+      end
+      ActiveRecord::Base.class_eval do
+        def self.sso_auth_user
+          has_many :permissions, :dependent => :destroy
+
+          devise :omniauthable, :trackable, :timeoutable
+
+          Permission.available_roles.each do |role|
+            define_method "#{role}_of?" do |context|
+              permissions.for_role(role).for_context(context).exists?
+            end
+            define_method "#{role}?" do
+              permissions.for_role(role).exists?
+            end
+          end
+
+          define_method :sso_auth_name do
+            email? ? "#{name} <#{email}>" : name
+          end
+        end
+
+        def self.sso_auth_permission(options)
+          define_singleton_method :available_roles do
+            options[:roles].map(&:to_s)
+          end
+
+          belongs_to :context, :polymorphic => true
+          belongs_to :user
+
+          validates_inclusion_of  :role, :in => available_roles
+          validates_presence_of   :role, :user
+          validates_uniqueness_of :role, :scope => [:user_id, :context_id, :context_type]
+
+          scope :for_role,    ->(role)    { where(:role => role) }
+          scope :for_context, ->(context) { where(:context_id => context.try(:id), :context_type => context.try(:class)) }
+        end
+      end
+    end
+  end
+end

data/lib/sso-auth/spec_helper.rb

@@ -0,0 +1,45 @@
+module SsoAuth
+  module SpecHelper
+
+    def ability_for(user)
+      Ability.new(user)
+    end
+
+    def create_user
+      @sequence ||= 0
+      @sequence += 1
+      User.create! :uid => @sequence, :name => "user #{@sequence}"
+    end
+
+    def user_with_role(role, context=nil, prefix=nil)
+      @roles ||= {}
+      @roles["#{prefix}_#{role}"] ||= {}
+      @roles["#{prefix}_#{role}"][context] ||= create_user.tap do |user|
+        user.permissions.create! :context => context, :role => role
+      end
+    end
+
+    def user
+      @user ||= create_user
+    end
+
+    def another_user
+      @another_user ||= create_user
+    end
+
+    Permission.available_roles.each do | role |
+      define_method "#{role}_of" do |context|
+        user_with_role role, context
+      end
+      define_method "#{role}" do
+        self.send("#{role}_of", nil)
+      end
+      define_method "another_#{role}_of" do |context|
+        user_with_role role, context, "another"
+      end
+      define_method "another_#{role}" do
+        self.send("another_#{role}_of", nil)
+      end
+    end
+  end
+end

data/lib/sso-auth/version.rb

@@ -0,0 +1,3 @@
+module SsoAuth
+  VERSION = "0.0.1"
+end

metadata

@@ -0,0 +1,236 @@
+--- !ruby/object:Gem::Specification
+name: sso-auth
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+  prerelease: 
+platform: ruby
+authors:
+- http://openteam.ru
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-11-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: cancan
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: configliere
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: annotate
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: shoulda-matchers
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Description of SsoAuth.
+email:
+- mail@openteam.ru
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- app/controllers/sso_auth/omniauth_callbacks_controller.rb
+- app/controllers/sso_auth/sessions_controller.rb
+- app/controllers/sso_auth/users_controller.rb
+- app/views/sso-auth/shared/_user_box.html.erb
+- config/initializers/devise.rb
+- config/locales/en.yml
+- config/locales/ru.yml
+- config/routes.rb
+- lib/generators/sso-auth/install/install_generator.rb
+- lib/generators/sso-auth/install/templates/app/controllers/manage/application_controller.rb
+- lib/generators/sso-auth/install/templates/app/models/ability.rb
+- lib/generators/sso-auth/install/templates/app/models/permission.rb
+- lib/generators/sso-auth/install/templates/app/models/user.rb
+- lib/generators/sso-auth/install/templates/db/migrate/create_permissions.rb
+- lib/generators/sso-auth/install/templates/db/migrate/create_users.rb
+- lib/generators/sso-auth/install/templates/db/seeds.rb
+- lib/generators/sso-auth/install/templates/spec/models/ability_spec.rb
+- lib/omniauth/strategies/identity.rb
+- lib/sso-auth/engine.rb
+- lib/sso-auth/spec_helper.rb
+- lib/sso-auth/version.rb
+- lib/sso-auth.rb
+- MIT-LICENSE
+- Rakefile
+- README.rdoc
+homepage: 
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 4589756721612764360
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+      segments:
+      - 0
+      hash: 4589756721612764360
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Summary of SsoAuth.
+test_files: []