technomancy-rack 0.3.0

data/lib/rack/adapter/camping.rb

@@ -0,0 +1,22 @@
+module Rack
+  module Adapter
+    class Camping
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        env["PATH_INFO"] ||= ""
+        env["SCRIPT_NAME"] ||= ""
+        controller = @app.run(env['rack.input'], env)
+        h = controller.headers
+        h.each_pair do |k,v|
+          if v.kind_of? URI
+            h[k] = v.to_s
+          end
+        end
+        [controller.status, controller.headers, controller.body]
+      end
+    end
+  end
+end

data/lib/rack/auth/abstract/handler.rb

@@ -0,0 +1,28 @@
+module Rack
+  module Auth
+    # Rack::Auth::AbstractHandler implements common authentication functionality.
+    #
+    # +realm+ should be set for all handlers.
+
+    class AbstractHandler
+
+      attr_accessor :realm
+
+      def initialize(app, &authenticator)
+        @app, @authenticator = app, authenticator
+      end
+
+
+      private
+
+      def unauthorized(www_authenticate = challenge)
+        return [ 401, { 'WWW-Authenticate' => www_authenticate.to_s }, [] ]
+      end
+
+      def bad_request
+        [ 400, {}, [] ]
+      end
+
+    end
+  end
+end

data/lib/rack/auth/abstract/request.rb

@@ -0,0 +1,37 @@
+module Rack
+  module Auth
+    class AbstractRequest
+
+      def initialize(env)
+        @env = env
+      end
+
+      def provided?
+        !authorization_key.nil?
+      end
+
+      def parts
+        @parts ||= @env[authorization_key].split(' ', 2)
+      end
+
+      def scheme
+        @scheme ||= parts.first.downcase.to_sym
+      end
+
+      def params
+        @params ||= parts.last
+      end
+
+
+      private
+
+      AUTHORIZATION_KEYS = ['HTTP_AUTHORIZATION', 'X-HTTP_AUTHORIZATION', 'X_HTTP_AUTHORIZATION']
+
+      def authorization_key
+        @authorization_key ||= AUTHORIZATION_KEYS.detect { |key| @env.has_key?(key) }
+      end
+
+    end
+
+  end
+end

data/lib/rack/auth/basic.rb

@@ -0,0 +1,58 @@
+require 'rack/auth/abstract/handler'
+require 'rack/auth/abstract/request'
+
+module Rack
+  module Auth
+    # Rack::Auth::Basic implements HTTP Basic Authentication, as per RFC 2617.
+    #
+    # Initialize with the Rack application that you want protecting,
+    # and a block that checks if a username and password pair are valid.
+    #
+    # See also: <tt>example/protectedlobster.rb</tt>
+
+    class Basic < AbstractHandler
+
+      def call(env)
+        auth = Basic::Request.new(env)
+
+        return unauthorized unless auth.provided?
+
+        return bad_request unless auth.basic?
+
+        if valid?(auth)
+          env['REMOTE_USER'] = auth.username
+
+          return @app.call(env)
+        end
+
+        unauthorized
+      end
+
+
+      private
+
+      def challenge
+        'Basic realm="%s"' % realm
+      end
+
+      def valid?(auth)
+        @authenticator.call(*auth.credentials)
+      end
+
+      class Request < Auth::AbstractRequest
+        def basic?
+          :basic == scheme
+        end
+
+        def credentials
+          @credentials ||= params.unpack("m*").first.split(/:/, 2)
+        end
+
+        def username
+          credentials.first
+        end
+      end
+
+    end
+  end
+end

data/lib/rack/auth/digest/md5.rb

@@ -0,0 +1,124 @@
+require 'rack/auth/abstract/handler'
+require 'rack/auth/digest/request'
+require 'rack/auth/digest/params'
+require 'rack/auth/digest/nonce'
+require 'digest/md5'
+
+module Rack
+  module Auth
+    module Digest
+      # Rack::Auth::Digest::MD5 implements the MD5 algorithm version of
+      # HTTP Digest Authentication, as per RFC 2617.
+      #
+      # Initialize with the [Rack] application that you want protecting,
+      # and a block that looks up a plaintext password for a given username.
+      #
+      # +opaque+ needs to be set to a constant base64/hexadecimal string.
+      #
+      class MD5 < AbstractHandler
+
+        attr_accessor :opaque
+
+        attr_writer :passwords_hashed
+
+        def initialize(app)
+          super
+          @passwords_hashed = nil
+        end
+
+        def passwords_hashed?
+          !!@passwords_hashed
+        end
+
+        def call(env)
+          auth = Request.new(env)
+
+          unless auth.provided?
+            return unauthorized
+          end
+
+          if !auth.digest? || !auth.correct_uri? || !valid_qop?(auth)
+            return bad_request
+          end
+
+          if valid?(auth)
+            if auth.nonce.stale?
+              return unauthorized(challenge(:stale => true))
+            else
+              env['REMOTE_USER'] = auth.username
+
+              return @app.call(env)
+            end
+          end
+
+          unauthorized
+        end
+
+
+        private
+
+        QOP = 'auth'.freeze
+
+        def params(hash = {})
+          Params.new do |params|
+            params['realm'] = realm
+            params['nonce'] = Nonce.new.to_s
+            params['opaque'] = H(opaque)
+            params['qop'] = QOP
+
+            hash.each { |k, v| params[k] = v }
+          end
+        end
+
+        def challenge(hash = {})
+          "Digest #{params(hash)}"
+        end
+
+        def valid?(auth)
+          valid_opaque?(auth) && valid_nonce?(auth) && valid_digest?(auth)
+        end
+
+        def valid_qop?(auth)
+          QOP == auth.qop
+        end
+
+        def valid_opaque?(auth)
+          H(opaque) == auth.opaque
+        end
+
+        def valid_nonce?(auth)
+          auth.nonce.valid?
+        end
+
+        def valid_digest?(auth)
+          digest(auth, @authenticator.call(auth.username)) == auth.response
+        end
+
+        def md5(data)
+          ::Digest::MD5.hexdigest(data)
+        end
+
+        alias :H :md5
+
+        def KD(secret, data)
+          H([secret, data] * ':')
+        end
+
+        def A1(auth, password)
+          [ auth.username, auth.realm, password ] * ':'
+        end
+
+        def A2(auth)
+          [ auth.method, auth.uri ] * ':'
+        end
+
+        def digest(auth, password)
+          password_hash = passwords_hashed? ? password : H(A1(auth, password))
+
+          KD(password_hash, [ auth.nonce, auth.nc, auth.cnonce, QOP, H(A2(auth)) ] * ':')
+        end
+
+      end
+    end
+  end
+end

data/lib/rack/auth/digest/nonce.rb

@@ -0,0 +1,51 @@
+require 'digest/md5'
+
+module Rack
+  module Auth
+    module Digest
+      # Rack::Auth::Digest::Nonce is the default nonce generator for the
+      # Rack::Auth::Digest::MD5 authentication handler.
+      #
+      # +private_key+ needs to set to a constant string.
+      #
+      # +time_limit+ can be optionally set to an integer (number of seconds),
+      # to limit the validity of the generated nonces.
+
+      class Nonce
+
+        class << self
+          attr_accessor :private_key, :time_limit
+        end
+
+        def self.parse(string)
+          new(*string.unpack("m*").first.split(' ', 2))
+        end
+
+        def initialize(timestamp = Time.now, given_digest = nil)
+          @timestamp, @given_digest = timestamp.to_i, given_digest
+        end
+
+        def to_s
+          [([ @timestamp, digest ] * ' ')].pack("m*").strip
+        end
+
+        def digest
+          ::Digest::MD5.hexdigest([ @timestamp, self.class.private_key ] * ':')
+        end
+
+        def valid?
+          digest == @given_digest
+        end
+
+        def stale?
+          !self.class.time_limit.nil? && (@timestamp - Time.now.to_i) < self.class.time_limit
+        end
+
+        def fresh?
+          !stale?
+        end
+
+      end
+    end
+  end
+end

data/lib/rack/auth/digest/params.rb

@@ -0,0 +1,55 @@
+module Rack
+  module Auth
+    module Digest
+      class Params < Hash
+
+        def self.parse(str)
+          split_header_value(str).inject(new) do |header, param|
+            k, v = param.split('=', 2)
+            header[k] = dequote(v)
+            header
+          end
+        end
+
+        def self.dequote(str) # From WEBrick::HTTPUtils
+          ret = (/\A"(.*)"\Z/ =~ str) ? $1 : str.dup
+          ret.gsub!(/\\(.)/, "\\1")
+          ret
+        end
+
+        def self.split_header_value(str) # From WEBrick::HTTPUtils
+          str.scan(/((?:"(?:\\.|[^"])+?"|[^",]+)+)(?:,\s*|\Z)/n).collect{ |v| v[0] }
+        end
+
+        def initialize
+          super
+
+          yield self if block_given?
+        end
+
+        def [](k)
+          super k.to_s
+        end
+
+        def []=(k, v)
+          super k.to_s, v.to_s
+        end
+
+        UNQUOTED = ['qop', 'nc', 'stale']
+
+        def to_s
+          inject([]) do |parts, (k, v)|
+            parts << "#{k}=" + (UNQUOTED.include?(k) ? v.to_s : quote(v))
+            parts
+          end.join(', ')
+        end
+
+        def quote(str) # From WEBrick::HTTPUtils
+          '"' << str.gsub(/[\\\"]/o, "\\\1") << '"'
+        end
+
+      end
+    end
+  end
+end
+

data/lib/rack/auth/digest/request.rb

@@ -0,0 +1,40 @@
+require 'rack/auth/abstract/request'
+require 'rack/auth/digest/params'
+require 'rack/auth/digest/nonce'
+
+module Rack
+  module Auth
+    module Digest
+      class Request < Auth::AbstractRequest
+
+        def method
+          @env['REQUEST_METHOD']
+        end
+
+        def digest?
+          :digest == scheme
+        end
+
+        def correct_uri?
+          @env['PATH_INFO'] == uri
+        end
+
+        def nonce
+          @nonce ||= Nonce.parse(params['nonce'])
+        end
+
+        def params
+          @params ||= Params.parse(parts.last)
+        end
+
+        def method_missing(sym)
+          if params.has_key? key = sym.to_s
+            return params[key]
+          end
+          super
+        end
+
+      end
+    end
+  end
+end

data/lib/rack/auth/openid.rb

@@ -0,0 +1,116 @@
+# AUTHOR: blink <blinketje@gmail.com>; blink#ruby-lang@irc.freenode.net
+
+gem_require 'ruby-openid', '~> 1.0.0' if defined? Gem
+require 'rack/auth/abstract/handler'
+require 'openid'
+
+module Rack
+  module Auth
+    # Rack::Auth::OpenID provides a simple method for permitting openid
+    # based logins. It requires the ruby-openid lib from janrain to operate,
+    # as well as some method of session management of a Hash type.
+    #
+    # After a transaction, the response status object is stored in the
+    # environment at rack.auth.openid.status, which can be used in the
+    # followup block or in a wrapping application to accomplish
+    # additional data maniipulation.
+    #
+    # NOTE: Due to the amount of data that ruby-openid stores in the session,
+    # Rack::Session::Cookie may fault.
+    #
+    # A hash of data is stored in the session hash at the key of :openid.
+    # The fully canonicalized identity url is stored within at 'identity'.
+    # Extension data from 'openid.sreg.nickname' would be stored as
+    # { 'nickname' => value }.
+    #
+    # NOTE: To my knowledge there is no collision at this point from storage
+    # of this manner, if there is please let me know so I may adjust this app
+    # to cope.
+    # NOTE: This rack application is only compatible with the 1.x.x versions
+    # of the ruby-openid library. If rubygems is loaded at require time of
+    # this app, the specification will be made. If it is not then the 'openid'
+    # library will be required, and will fail if it is not compatible.
+    class OpenID < AbstractHandler
+      # Required for ruby-openid
+      OIDStore = ::OpenID::MemoryStore.new
+
+      # A Hash of options is taken as it's single initializing
+      # argument. String keys are taken to be openid protocol
+      # extension namespaces.
+      #
+      #   For example: 'sreg' => { 'required' => # 'nickname' }
+      #
+      # Other keys are taken as options for Rack::Auth::OpenID, normally Symbols.
+      # Only :return is required. :trust is highly recommended to be set.
+      #
+      # * :return defines the url to return to after the client authenticates
+      #   with the openid service provider. Should point to where this app is
+      #   mounted. (ex: 'http://mysite.com/openid')
+      # * :trust defines the url identifying the site they are actually logging
+      #   into. (ex: 'http://mysite.com/')
+      # * :session_key defines the key to the session hash in the env.
+      #   (by default it uses 'rack.session')
+      def initialize(options={})
+        raise ArgumentError, 'No return url provided.'  unless options[:return]
+        warn  'No trust url provided.'  unless options[:trust]
+        options[:trust] ||= options[:return]
+
+        @options  = {
+          :session_key => 'rack.session'
+        }.merge(options)
+      end
+
+      def call(env)
+        request = Rack::Request.new env
+        return no_session unless session = request.env[@options[:session_key]]
+        resp = if request.GET['openid.mode']
+                 finish session, request.GET, env
+               elsif request.GET['openid_url']
+                 check session, request.GET['openid_url'], env
+               else
+                 bad_request
+               end
+      end
+
+      def check(session, oid_url, env)
+        consumer = ::OpenID::Consumer.new session, OIDStore
+        oid = consumer.begin oid_url
+        return auth_fail unless oid.status == ::OpenID::SUCCESS
+        @options.each do |ns,s|
+          next unless ns.is_a? String
+          s.each {|k,v| oid.add_extension_arg(ns, k, v) }
+        end
+        r_url = @options.fetch :return do |k| request.url end
+        t_url = @options.fetch :trust
+        env['rack.auth.openid.status'] = oid
+        return 303, {'Location'=>oid.redirect_url( t_url, r_url )}, []
+      end
+
+      def finish(session, params, env)
+        consumer = ::OpenID::Consumer.new session, OIDStore
+        oid = consumer.complete params
+        return bad_login unless oid.status == ::OpenID::SUCCESS
+        session[:openid] = {'identity' => oid.identity_url}
+        @options.each do |ns,s|
+          next unless ns.is_a? String
+          oid.extension_response(ns).each{|k,v| session[k]=v }
+        end
+        env['rack.auth.openid.status'] = oid
+        return 303, {'Location'=>@options[:trust]}, []
+      end
+
+      def no_session
+        @options.
+          fetch :no_session, [500,{'Content-Type'=>'text/plain'},'No session available.']
+      end
+      def auth_fail
+        @options.
+          fetch :auth_fail, [500, {'Content-Type'=>'text/plain'},'Foreign server failure.']
+      end
+      def bad_login
+        @options.
+          fetch :bad_login, [401, {'Content-Type'=>'text/plain'},'Identification has failed.']
+      end
+    end
+  end
+end