tentd 0.0.1

data/lib/tentd/api/authentication_verification.rb

@@ -0,0 +1,50 @@
+require 'openssl'
+require 'base64'
+
+module TentD
+  class API
+    class AuthenticationVerification < Middleware
+      def action(env)
+        if env.hmac? && !(env.hmac.verified = verify_signature(env))
+          env = [403, {}, ['Invalid MAC Signature']]
+        end
+        env
+      end
+
+      private
+
+      # constant-time comparison algorithm to prevent timing attacks
+      def secure_compare(a, b)
+        return false unless a.bytesize == b.bytesize
+
+        l = a.unpack "C#{a.bytesize}"
+
+        res = 0
+        b.each_byte { |byte| res |= byte ^ l.shift }
+        res == 0
+      end
+
+      def verify_signature(env)
+        secure_compare(env.hmac.mac, build_request_signature(env))
+      end
+
+      def build_request_signature(env)
+        time = env.hmac.ts.to_i
+        nonce = env.hmac.nonce
+        request_string = build_request_string(time, nonce, env)
+        signature = Base64.encode64(OpenSSL::HMAC.digest(openssl_digest(env.hmac.algorithm).new, env.hmac.secret, request_string)).sub("\n", '')
+      end
+
+      def build_request_string(time, nonce, env)
+        body = env['rack.input'].read
+        env['rack.input'].rewind
+        request_uri = env.SCRIPT_NAME + (env.QUERY_STRING != '' ? "?#{env.QUERY_STRING}" : '')
+        [time.to_s, nonce, env.REQUEST_METHOD.to_s.upcase, request_uri, env.HTTP_HOST.split(':').first, (env.HTTP_X_FORWARDED_PORT || env.SERVER_PORT), body, nil].join("\n")
+      end
+
+      def openssl_digest(mac_algorithm)
+        @openssl_digest ||= OpenSSL::Digest.const_get(mac_algorithm.to_s.gsub(/hmac|-/, '').upcase)
+      end
+    end
+  end
+end

data/lib/tentd/api/authorizable.rb

@@ -0,0 +1,21 @@
+module TentD
+  class API
+    module Authorizable
+      class Error < StandardError
+      end
+
+      class Unauthorized < Error
+      end
+
+      def authorize_env!(env, scope)
+        unless authorize_env?(env, scope)
+          raise Unauthorized
+        end
+      end
+
+      def authorize_env?(env, scope)
+        env.authorized_scopes.to_a.include?(scope)
+      end
+    end
+  end
+end

data/lib/tentd/api/authorization.rb

@@ -0,0 +1,14 @@
+module TentD
+  class API
+    class Authorization < Middleware
+      def action(env)
+        env.authorized_scopes = []
+        if env.current_auth.kind_of?(Model::AppAuthorization)
+          env.authorized_scopes = env.current_auth.scopes.map(&:to_sym)
+          env.authorized_scopes.delete(:read_secrets) unless env.params && env.params.secrets.to_s == 'true'
+        end
+        env
+      end
+    end
+  end
+end

data/lib/tentd/api/core_profile_data.rb

@@ -0,0 +1,45 @@
+require 'hashie'
+
+module TentD
+  class API
+    class CoreProfileData < Hashie::Mash
+      def expected_version
+        v = TentVersion.from_uri(Model::ProfileInfo::TENT_PROFILE_TYPE_URI)
+        v.parts = v.parts[0..-2] << 'x'
+        v
+      end
+
+      def versions
+        keys.select { |key|
+          key =~ %r|^#{Model::ProfileInfo::TENT_PROFILE_TYPE_URI.sub(/\/v.*?$/, '')}|
+        }.map { |key| TentVersion.from_uri(key) }.sort
+      end
+
+      def version
+        versions.find do |v|
+          v == expected_version
+        end
+      end
+
+      def version_key
+        Model::ProfileInfo::TENT_PROFILE_TYPE_URI.sub(%r|/v.*?$|, '/v' << version.to_s)
+      end
+
+      def entity?(entity)
+        self[version_key][:entity] == entity
+      end
+
+      def servers
+        self[version_key][:servers]
+      end
+
+      def entity
+        self[version_key][:entity]
+      end
+
+      def licenses
+        self[version_key][:licenses]
+      end
+    end
+  end
+end

data/lib/tentd/api/followers.rb

@@ -0,0 +1,218 @@
+module TentD
+  class API
+    class Followers
+      include Router
+
+      class GetActualId < Middleware
+        def action(env)
+          [:follower_id, :before_id, :since_id].each do |id_key|
+            if env.params[id_key] && (f = Model::Follower.first(:public_id => env.params[id_key], :fields => [:id]))
+              env.params[id_key] = f.id
+            else
+              env.params[id_key] = nil
+            end
+          end
+          env
+        end
+      end
+
+      class AuthorizeReadOne < Middleware
+        def action(env)
+          if env.params.follower_id && env.current_auth && env.current_auth.kind_of?(Model::Follower) &&
+                 env.current_auth.id == env.params.follower_id
+            env.authorized_scopes << :self
+          end
+          env.full_read_authorized = authorize_env?(env, :read_followers)
+          env
+        end
+      end
+
+      class AuthorizeReadMany < Middleware
+        def action(env)
+          env.full_read_authorized = authorize_env?(env, :read_followers)
+          env
+        end
+      end
+
+      class AuthorizeWriteOne < Middleware
+        def action(env)
+          unless env.params.follower_id && env.current_auth && env.current_auth.kind_of?(Model::Follower) &&
+                 env.current_auth.id == env.params.follower_id
+            authorize_env!(env, :write_followers)
+          end
+          env.authorized_scopes << :self
+          env
+        end
+      end
+
+      class Discover < Middleware
+        def action(env)
+          return env if env.authorized_scopes.include?(:write_followers)
+          return [422, {}, ['Invalid notification path']] unless env.params.data.notification_path.kind_of?(String) &&
+                                                                !env.params.data.notification_path.match(%r{\Ahttps?://})
+          return [406, {}, ['Can not follow self']] if Model::User.current.profile_entity == env.params.data.entity
+          client = ::TentClient.new(nil, :faraday_adapter => TentD.faraday_adapter)
+          profile, profile_url = client.discover(env.params[:data]['entity']).get_profile
+          return [404, {}, ['Not Found']] unless profile
+
+          profile = CoreProfileData.new(profile)
+          return [409, {}, ['Entity Mismatch']] unless profile.entity?(env.params.data.entity)
+          env['profile'] = profile
+          env
+        end
+      end
+
+      class Confirm < Middleware
+        def action(env)
+          return env if env.authorized_scopes.include?(:write_followers)
+          client = TentClient.new(env.profile.servers, :faraday_adapter => TentD.faraday_adapter)
+          if client.follower.challenge(env.params.data.notification_path)
+            env
+          else
+            [403, {}, ['Unauthorized Follower']]
+          end
+        end
+      end
+
+      class Create < Middleware
+        def action(env)
+          return env if env.authorized_scopes.include?(:write_followers)
+          if follower = Model::Follower.create_follower(env.params[:data].merge('profile' => env['profile']))
+            env.authorized_scopes << :read_secrets
+            env.authorized_scopes << :self
+            env.notify_action = 'create'
+            env.notify_instance = follower
+            env.response = follower
+          end
+          env
+        end
+      end
+
+      class Import < Middleware
+        def action(env)
+          return env unless env.authorized_scopes.include?(:write_followers)
+          if env.authorized_scopes.include?(:write_secrets)
+            if follower = Model::Follower.create_follower(env.params.data, env.authorized_scopes)
+              env.response = ''
+            end
+          else
+            raise Unauthorized
+          end
+          env
+        end
+      end
+
+      class GetOne < Middleware
+        def action(env)
+          if env.full_read_authorized || authorize_env?(env, :self)
+            follower = Model::Follower.find(env.params.follower_id)
+          else
+            follower = Model::Follower.find_with_permissions(env.params.follower_id, env.current_auth)
+          end
+
+          if env.full_read_authorized || authorize_env?(env, :self) || (follower && follower.public?)
+            env.response = follower
+          else
+            raise Unauthorized
+          end
+
+          env
+        end
+      end
+
+      class GetCount < Middleware
+        def action(env)
+          env.params.return_count = true
+          env
+        end
+      end
+
+      class GetMany < Middleware
+        def action(env)
+          if env.full_read_authorized
+            followers = Model::Follower.fetch_all(env.params)
+          else
+            followers = Model::Follower.fetch_with_permissions(env.params, env.current_auth)
+          end
+          env.response = followers if followers
+          env
+        end
+      end
+
+      class Update < Middleware
+        def action(env)
+          env.response = Model::Follower.update_follower(env.params[:follower_id], env.params[:data], env.authorized_scopes)
+          env
+        end
+      end
+
+      class Destroy < Middleware
+        def action(env)
+          if (follower = Model::Follower.first(:id => env.params[:follower_id])) && follower.destroy
+            env.notify_action = 'delete'
+            env.notify_instance = follower
+            env.response = ''
+          end
+          env
+        end
+      end
+
+      class Notify < Middleware
+        def action(env)
+          return env unless follower = env.notify_instance
+          post = Model::Post.create(
+            :type => 'https://tent.io/types/post/follower/v0.1.0',
+            :entity => env['tent.entity'],
+            :content => {
+              :id => follower.public_id,
+              :entity => follower.entity,
+              :action => env.notify_action
+            }
+          )
+          Notifications.trigger(:type => post.type.uri, :post_id => post.id)
+          env
+        end
+      end
+
+      post '/followers' do |b|
+        b.use Discover
+        b.use Confirm
+        b.use Create
+        b.use Import
+        b.use Notify
+      end
+
+      get '/followers/count' do |b|
+        b.use AuthorizeReadMany
+        b.use GetActualId
+        b.use GetCount
+        b.use GetMany
+      end
+
+      get '/followers/:follower_id' do |b|
+        b.use GetActualId
+        b.use AuthorizeReadOne
+        b.use GetOne
+      end
+
+      get '/followers' do |b|
+        b.use AuthorizeReadMany
+        b.use GetActualId
+        b.use GetMany
+      end
+
+      put '/followers/:follower_id' do |b|
+        b.use GetActualId
+        b.use AuthorizeWriteOne
+        b.use Update
+      end
+
+      delete '/followers/:follower_id' do |b|
+        b.use GetActualId
+        b.use AuthorizeWriteOne
+        b.use Destroy
+        b.use Notify
+      end
+    end
+  end
+end

data/lib/tentd/api/followings.rb

@@ -0,0 +1,241 @@
+module TentD
+  class API
+    class Followings
+      include Router
+
+      class GetActualId < Middleware
+        def action(env)
+          id_mapping = [:following_id, :since_id, :before_id].select { |key| env.params.has_key?(key) }.inject({}) { |memo, key|
+            memo[env.params[key]] = key
+            env.params[key] = nil
+            memo
+          }
+          followings = Model::Following.all(:public_id => id_mapping.keys, :fields => [:id, :public_id])
+          followings.each do |following|
+            key = id_mapping[following.public_id]
+            env.params[key] = following.id
+          end
+          env
+        end
+      end
+
+      class AuthorizeWrite < Middleware
+        def action(env)
+          authorize_env!(env, :write_followings)
+          env
+        end
+      end
+
+      class GetOne < Middleware
+        def action(env)
+          if authorize_env?(env, :read_followings)
+            if following = Model::Following.first(:id => env.params.following_id, :confirmed => true)
+              env.following = following
+              env.response = following
+            end
+          else
+            following = Model::Following.find_with_permissions(env.params.following_id, env.current_auth) { |p,q,b| q << 'AND followings.confirmed = true' }
+            if following
+              env.response = following
+            else
+              raise Unauthorized
+            end
+          end
+          env
+        end
+      end
+
+      class GetCount < Middleware
+        def action(env)
+          env.params.return_count = true
+          env
+        end
+      end
+
+      class GetMany < Middleware
+        def action(env)
+          if authorize_env?(env, :read_followings)
+            env.response = Model::Following.fetch_all(env.params) { |p,q,b| q << 'followings.confirmed = true' }
+          else
+            env.response = Model::Following.fetch_with_permissions(env.params, env.current_auth) { |p,q,b| q << 'AND followings.confirmed = true' }
+          end
+          env
+        end
+      end
+
+      class Discover < Middleware
+        def action(env)
+          client = ::TentClient.new(nil, :faraday_adapter => TentD.faraday_adapter)
+          profile, profile_url = client.discover(env.params.data.entity).get_profile
+          return [404, {}, ['Not Found']] unless profile
+
+          profile = CoreProfileData.new(profile)
+          return [409, {}, ['Entity Mismatch']] unless profile.entity?(env.params.data.entity)
+          env.profile = profile
+          env.server_url = profile_url.sub(%r{/profile$}, '')
+          env
+        end
+      end
+
+      class Follow < Middleware
+        def action(env)
+          env.following = Model::Following.create(:entity => env.params.data.entity,
+                                                  :groups => env.params.data.groups.to_a.map { |g| g['id'] },
+                                                  :confirmed => false)
+          client = ::TentClient.new(env.server_url, :faraday_adapter => TentD.faraday_adapter)
+          res = client.follower.create(
+            :entity => env['tent.entity'],
+            :licenses => Model::ProfileInfo.tent_info.content['licenses'],
+            :notification_path => "notifications/#{env.following.public_id}"
+          )
+          case res.status
+          when 200...300
+            env.follow_data = res.body
+          else
+            return [res.status, res.headers, res.body]
+          end
+          env
+        end
+      end
+
+      class Create < Middleware
+        def action(env)
+          if env.following.confirm_from_params(env.follow_data.merge(env.params.data).merge(:profile => env.profile))
+            env.response = env.following
+            env.notify_action = 'create'
+            env.notify_instance = env.following
+          end
+          env
+        end
+      end
+
+      class Update < Middleware
+        def action(env)
+          if following = Model::Following.first(:id => env.params.following_id)
+            following.update_from_params(env.params.data, env.authorized_scopes)
+            env.response = following
+          end
+          env
+        end
+      end
+
+      class Destroy < Middleware
+        def action(env)
+          if (following = Model::Following.first(:id => env.params.following_id))
+            client = ::TentClient.new(following.core_profile.servers, following.auth_details.merge(:faraday_adapter => TentD.faraday_adapter))
+            res = client.follower.delete(following.remote_id)
+            following.destroy
+            if (200...300).to_a.include?(res.status)
+              env.response = ''
+              env.notify_action = 'delete'
+              env.notify_instance = following
+            end
+          end
+          env
+        end
+      end
+
+      class ProxyRequest < Middleware
+        def action(env)
+          following = env.following
+          client = TentClient.new(following.core_profile.servers.first,
+                                  following.auth_details.merge(:skip_serialization => true,
+                                                               :faraday_adapter => TentD.faraday_adapter))
+          env.params.delete(:following_id)
+          path = env.params.delete(:proxy_path)
+          res = client.http.get(path, env.params, whitelisted_headers(env))
+          [res.status, res.headers, [res.body]]
+        end
+
+        def whitelisted_headers(env)
+          %w(Accept If-Modified-Since).inject({}) do |h,k|
+            h[k] = env['HTTP_' + k.gsub('-', '_').upcase]; h
+          end
+        end
+      end
+
+      class RewriteProxyCaptureParams < Middleware
+        def action(env)
+          matches = env.params.delete(:captures)
+          env.params.following_id = matches.first
+          env.params.proxy_path = '/' + matches.last
+          env
+        end
+      end
+
+      class Notify < Middleware
+        def action(env)
+          return env unless following = env.notify_instance
+          post = Model::Post.create(
+            :type => 'https://tent.io/types/post/following/v0.1.0',
+            :entity => env['tent.entity'],
+            :content => {
+              :id => following.public_id,
+              :entity => following.entity,
+              :action => env.notify_action
+            }
+          )
+          Notifications.trigger(:type => post.type.uri, :post_id => post.id)
+          env
+        end
+      end
+
+      class RedirectToFollowUI < Middleware
+        def action(env)
+          if follow_url = Model::AppAuthorization.follow_url(env.params.entity)
+            return [302, { "Location" => follow_url }, []]
+          end
+          env
+        end
+      end
+
+      get '/follow' do |b|
+        b.use RedirectToFollowUI
+      end
+
+      get '/followings/count' do |b|
+        b.use GetActualId
+        b.use GetCount
+        b.use GetMany
+      end
+
+      get '/followings/:following_id' do |b|
+        b.use GetActualId
+        b.use GetOne
+      end
+
+      get '/followings' do |b|
+        b.use GetActualId
+        b.use GetMany
+      end
+
+      get %r{/followings/(\w+)/(.+)} do |b|
+        b.use RewriteProxyCaptureParams
+        b.use GetActualId
+        b.use GetOne
+        b.use ProxyRequest
+      end
+
+      post '/followings' do |b|
+        b.use AuthorizeWrite
+        b.use Discover
+        b.use Follow
+        b.use Create
+        b.use Notify
+      end
+
+      put '/followings/:following_id' do |b|
+        b.use AuthorizeWrite
+        b.use GetActualId
+        b.use Update
+      end
+
+      delete '/followings/:following_id' do |b|
+        b.use AuthorizeWrite
+        b.use GetActualId
+        b.use Destroy
+        b.use Notify
+      end
+    end
+  end
+end