thorero 0.9.4.4 → 0.9.4.5

data/lib/merb-core/dispatch/session/cookie.rb

@@ -0,0 +1,168 @@
+require 'base64'        # to convert Marshal.dump to ASCII
+require 'openssl'       # to generate the HMAC message digest
+# Most of this code is taken from bitsweat's implementation in rails
+module Merb
+
+  module SessionMixin
+
+    # Adds a before and after dispatch hook for setting up the cookie session
+    # store.
+    #
+    # ==== Parameters
+    # base<Class>:: The class to which the SessionMixin is mixed into.
+    def setup_session
+      request.session = Merb::CookieSession.new(cookies[_session_id_key], _session_secret_key)
+      @original_session = request.session.read_cookie
+    end
+
+    # Finalizes the session by storing the session in a cookie, if the session
+    # has changed.
+    def finalize_session
+      new_session = request.session.read_cookie
+      if @original_session != new_session
+        options = {:expires => (Time.now + _session_expiry)}
+        options[:domain] = _session_cookie_domain if _session_cookie_domain
+        cookies.set_cookie(_session_id_key, new_session, options)
+      end
+    end
+
+    # ==== Returns
+    # String:: The session store type, i.e. "cookie".
+    def session_store_type
+      "cookie"
+    end
+  end
+  
+  # If you have more than 4K of session data or don't want your data to be
+  # visible to the user, pick another session store.
+  #
+  # CookieOverflow is raised if you attempt to store more than 4K of data.
+  # TamperedWithCookie is raised if the data integrity check fails.
+  #
+  # A message digest is included with the cookie to ensure data integrity:
+  # a user cannot alter session data without knowing the secret key included
+  # in the hash. 
+  # 
+  # To use Cookie Sessions, set in config/merb.yml
+  #  :session_secret_key - your secret digest key
+  #  :session_store: cookie
+  class CookieSession
+    # TODO (maybe):
+    # include request ip address
+    # AES encrypt marshaled data
+    
+    # Raised when storing more than 4K of session data.
+    class CookieOverflow < StandardError; end
+    
+    # Raised when the cookie fails its integrity check.
+    class TamperedWithCookie < StandardError; end
+    
+    # Cookies can typically store 4096 bytes.
+    MAX = 4096
+    DIGEST = OpenSSL::Digest::Digest.new('SHA1') # or MD5, RIPEMD160, SHA256?
+    
+    attr_reader :data
+
+    # ==== Parameters
+    # cookie<String>:: The cookie.
+    # secret<String>:: A session secret.
+    #
+    # ==== Raises
+    # ArgumentError:: Nil or blank secret.
+    def initialize(cookie, secret)
+      if secret.nil? or secret.blank?
+        raise ArgumentError, 'A secret is required to generate an integrity hash for cookie session data.'
+      end
+      @secret = secret
+      @data = unmarshal(cookie) || Hash.new
+    end
+    
+    # ==== Returns
+    # String:: Cookie value.
+    #
+    # ==== Raises
+    # CookieOverflow:: Session contains too much information.
+    def read_cookie
+      unless @data.nil?
+        updated = marshal(@data)
+        raise CookieOverflow if updated.size > MAX
+        updated
+      end
+    end
+    
+    # ==== Parameters
+    # k<~to_s>:: The key of the session parameter to set.
+    # v<~to_s>:: The value of the session parameter to set.
+    def []=(k, v) 
+      @data[k] = v
+    end
+
+    # ==== Parameters
+    # k<~to_s>:: The key of the session parameter to retrieve.
+    #
+    # ==== Returns
+    # String:: The value of the session parameter.
+    def [](k) 
+      @data[k] 
+    end
+
+    # Yields the session data to an each block.
+    #
+    # ==== Parameter
+    # &b:: The block to pass to each.
+    def each(&b) 
+      @data.each(&b) 
+    end
+
+    # Deletes the session by emptying stored data.
+    def delete  
+      @data = {} 
+    end
+    
+    private
+
+    # Attempts to redirect any messages to the data object.
+    def method_missing(name, *args, &block)
+      @data.send(name, *args, &block)
+    end
+    
+    # Generate the HMAC keyed message digest. Uses SHA1.
+    def generate_digest(data)
+      OpenSSL::HMAC.hexdigest(DIGEST, @secret, data)
+    end
+    
+    # Marshal a session hash into safe cookie data. Include an integrity hash.
+    #
+    # ==== Parameters
+    # session<Hash>:: The session to store in the cookie.
+    #
+    # ==== Returns
+    # String:: The cookie to be stored.
+    def marshal(session)
+      data = Base64.encode64(Marshal.dump(session)).chop
+      Merb::Request.escape "#{data}--#{generate_digest(data)}"
+    end
+    
+    # Unmarshal cookie data to a hash and verify its integrity.
+    #
+    # ==== Parameters
+    # cookie<~to_s>:: The cookie to unmarshal.
+    #
+    # ==== Raises
+    # TamperedWithCookie:: The digests don't match.
+    #
+    # ==== Returns
+    # Hash:: The stored session data.
+    def unmarshal(cookie)
+      if cookie
+        data, digest = cookie.split('--')
+        return {} if data.blank?
+        unless digest == generate_digest(data)
+          delete
+          raise TamperedWithCookie, "Maybe the site's session_secret_key has changed?"
+        end
+        Marshal.load(Base64.decode64(data))
+      end
+    end
+  end
+end

data/lib/merb-core/dispatch/session/memcached.rb

@@ -0,0 +1,184 @@
+module Merb
+
+  module SessionMixin
+
+    # Adds a before and after dispatch hook for setting up the memcached
+    # session store.
+    #
+    # ==== Parameters
+    # base<Class>:: The class to which the SessionMixin is mixed into.
+    def setup_session
+      orig_key = cookies[_session_id_key]
+      session, key = Merb::MemCacheSession.persist(orig_key)
+      request.session = session
+      @_fingerprint = Marshal.dump(request.session.data).hash
+      if key != orig_key 
+        set_session_id_cookie(key)
+      end
+    end
+
+    # Finalizes the session by storing the session ID in a cookie, if the
+    # session has changed.
+    def finalize_session
+      if @_fingerprint != Marshal.dump(request.session.data).hash
+        begin
+          CACHE.set("session:#{request.session.session_id}", request.session.data)
+        rescue => err
+          Merb.logger.debug("MemCache Error: #{err.message}")
+          Merb::SessionMixin::finalize_session_exception_callbacks.each {|x| x.call(err) }
+        end
+      end
+      if request.session.needs_new_cookie or @_new_cookie
+        set_session_id_cookie(request.session.session_id)
+      end
+    end
+
+    # ==== Returns
+    # String:: The session store type, i.e. "memcache".
+    def session_store_type
+      "memcache"
+    end
+  end
+
+  ##
+  # Sessions stored in memcached.
+  #
+  # Requires setup in your +init.rb+.
+  #
+  #   require 'memcache'
+  #   CACHE = MemCache.new('127.0.0.1:11211', { :namespace => 'my_app' })
+  #
+  # And a setting in +init.rb+:
+  #
+  #   c[:session_store] = 'memcache'
+  #
+  # If you are using the memcached gem instead of memcache-client, you must setup like this:
+  #
+  #   require 'memcached'
+  #   CACHE = Memcached.new('127.0.0.1:11211', { :namespace => 'my_app' })
+  #
+  class MemCacheSession
+
+    attr_accessor :session_id
+    attr_accessor :data
+    attr_accessor :needs_new_cookie
+
+    # ==== Parameters
+    # session_id<String>:: A unique identifier for this session.
+    def initialize(session_id)
+      @session_id = session_id
+      @data = {}
+    end
+
+    class << self
+
+      # Generates a new session ID and creates a new session.
+      #
+      # ==== Returns
+      # MemCacheSession:: The new session.
+      def generate
+        sid = Merb::SessionMixin::rand_uuid
+        new(sid)
+      end
+
+      # ==== Parameters
+      # session_id<String:: The ID of the session to retrieve.
+      #
+      # ==== Returns
+      # Array::
+      #   A pair consisting of a MemCacheSession and the session's ID. If no
+      #   sessions matched session_id, a new MemCacheSession will be generated.
+      #
+      # ==== Notes
+      # If there are persiste exceptions callbacks to execute, they all get executed
+      # when Memcache library raises an exception.
+      def persist(session_id)
+        unless session_id.blank?
+          begin
+            session = CACHE.get("session:#{session_id}")
+          rescue => err
+            Merb.logger.warn!("Could not persist session to MemCache: #{err.message}")
+            Merb::SessionMixin::persist_exception_callbacks.each {|x| x.call(err) }
+          end
+          if session.nil?
+            # Not in memcached, but assume that cookie exists
+            session = new(session_id)
+          end
+        else
+          # No cookie...make a new session_id
+          session = generate
+        end
+        if session.is_a?(MemCacheSession)
+          [session, session.session_id]
+        else
+          # recreate using the rails session as the data
+          session_object = MemCacheSession.new(session_id)
+          session_object.data = session
+          [session_object, session_object.session_id]
+        end
+      end
+
+      # Don't try to reload in dev mode.
+      def reloadable?
+        false
+      end
+
+    end
+
+    # Regenerate the session ID.
+    def regenerate
+      @session_id = Merb::SessionMixin::rand_uuid
+      self.needs_new_cookie=true
+    end
+
+    # Recreates the cookie with the default expiration time. Useful during log
+    # in for pushing back the expiration date.
+    def refresh_expiration
+      self.needs_new_cookie=true
+    end
+
+    # Deletes the session by emptying stored data.
+    def delete
+      @data = {}
+    end
+
+    # ==== Returns
+    # Boolean:: True if session has been loaded already.
+    def loaded?
+      !! @data
+    end
+
+    # ==== Parameters
+    # k<~to_s>:: The key of the session parameter to set.
+    # v<~to_s>:: The value of the session parameter to set.
+    def []=(k, v)
+      @data[k] = v
+    end
+
+    # ==== Parameters
+    # k<~to_s>:: The key of the session parameter to retrieve.
+    #
+    # ==== Returns
+    # String:: The value of the session parameter.
+    def [](k)
+      @data[k]
+    end
+
+    # Yields the session data to an each block.
+    #
+    # ==== Parameter
+    # &b:: The block to pass to each.
+    def each(&b)
+      @data.each(&b)
+    end
+
+    private
+
+    # Attempts to redirect any messages to the data object.
+    def method_missing(name, *args, &block)
+      @data.send(name, *args, &block)
+    end
+
+  end
+
+end

data/lib/merb-core/dispatch/session/memory.rb

@@ -0,0 +1,241 @@
+module Merb
+
+  module SessionMixin
+
+    # Adds a before and after dispatch hook for setting up the memory session
+    # store.
+    #
+    # ==== Parameters
+    # base<Class>:: The class to which the SessionMixin is mixed into.
+    def setup_session
+      orig_key = cookies[_session_id_key]
+      session, key = Merb::MemorySession.persist(orig_key)
+      request.session = session
+      if key != orig_key 
+        set_session_id_cookie(key)
+      end
+    end
+
+    # Finalizes the session by storing the session ID in a cookie, if the
+    # session has changed.
+    def finalize_session
+      if request.session.needs_new_cookie or @_new_cookie
+        set_session_id_cookie(request.session.session_id)
+      end
+    end
+
+    # ==== Returns
+    # String:: The session store type, i.e. "memory".
+    def session_store_type
+      "memory"
+    end
+  end
+  
+  ##
+  # Sessions stored in memory.
+  #
+  # Set it up by adding the following to your init file:
+  #
+  #  Merb::Config.use do |c|
+  #    c[:session_store]      = :memory
+  #    c[:memory_session_ttl] = 3600 # in seconds, one hour
+  #  end
+  #
+  # Sessions will remain in memory until the server is stopped or the time
+  # as set in :memory_session_ttl expires.
+  class MemorySession
+
+    attr_accessor :session_id
+    attr_accessor :data
+    attr_accessor :needs_new_cookie
+
+    # ==== Parameters
+    # session_id<String>:: A unique identifier for this session.
+    def initialize(session_id)
+      @session_id = session_id
+      @data = {}
+    end
+
+    class << self
+
+      # Generates a new session ID and creates a new session.
+      #
+      # ==== Returns
+      # MemorySession:: The new session.
+      def generate
+        sid = Merb::SessionMixin::rand_uuid
+        MemorySessionContainer[sid] = new(sid)
+      end
+
+      # ==== Parameters
+      # session_id<String:: The ID of the session to retrieve.
+      #
+      # ==== Returns
+      # Array::
+      #   A pair consisting of a MemorySession and the session's ID. If no
+      #   sessions matched session_id, a new MemorySession will be generated.
+      def persist(session_id)
+        if session_id
+          session = MemorySessionContainer[session_id]
+        end
+        unless session
+          session = generate
+        end
+        [session, session.session_id]
+      end
+
+    end
+
+    # Regenerate the Session ID
+    def regenerate
+      new_sid = Merb::SessionMixin::rand_uuid 
+      old_sid = @session_id
+      MemorySessionContainer[new_sid] = MemorySessionContainer[old_sid]
+      @session_id = new_sid
+      MemorySessionContainer.delete(old_sid)
+      self.needs_new_cookie=true 
+    end 
+      
+    # Recreates the cookie with the default expiration time. Useful during log
+    # in for pushing back the expiration date.
+    def refresh_expiration 
+      self.needs_new_cookie=true 
+    end 
+     
+    # Deletes the session by emptying stored data.
+    def delete
+      @data = {} 
+    end
+     
+    # ==== Returns
+    # Boolean:: True if session has been loaded already.
+    def loaded?
+      !! @data
+    end
+    
+    # ==== Parameters
+    # k<~to_s>:: The key of the session parameter to set.
+    # v<~to_s>:: The value of the session parameter to set.
+    def []=(k, v) 
+      @data[k] = v
+    end
+
+    # ==== Parameters
+    # k<~to_s>:: The key of the session parameter to retrieve.
+    #
+    # ==== Returns
+    # String:: The value of the session parameter.
+    def [](k) 
+      @data[k] 
+    end
+
+    # Yields the session data to an each block.
+    #
+    # ==== Parameter
+    # &b:: The block to pass to each.
+    def each(&b) 
+      @data.each(&b) 
+    end
+    
+    private
+
+    # Attempts to redirect any messages to the data object.
+    def method_missing(name, *args, &block)
+      @data.send(name, *args, &block)
+    end
+
+  end
+
+  # Used for handling multiple sessions stored in memory.
+  class MemorySessionContainer
+    class << self
+
+      # ==== Parameters
+      # ttl<Fixnum>:: Session validity time in seconds. Defaults to 1 hour.
+      #
+      # ==== Returns
+      # MemorySessionContainer:: The new session container.
+      def setup(ttl=nil)
+        @sessions = Hash.new
+        @timestamps = Hash.new
+        @mutex = Mutex.new
+        @session_ttl = ttl || 60*60 # default 1 hour
+        start_timer
+        self
+      end
+
+      # Creates a new session based on the options.
+      #
+      # ==== Parameters
+      # opts<Hash>:: The session options (see below).
+      #
+      # ==== Options (opts)
+      # :session_id<String>:: ID of the session to create in the container.
+      # :data<MemorySession>:: The session to create in the container.
+      def create(opts={})
+        self[opts[:session_id]] = opts[:data]
+      end
+
+      # ==== Parameters
+      # key<String>:: ID of the session to retrieve.
+      #
+      # ==== Returns
+      # MemorySession:: The session corresponding to the ID.
+      def [](key)
+        @mutex.synchronize {
+          @timestamps[key] = Time.now
+          @sessions[key]
+        }
+      end
+
+      # ==== Parameters
+      # key<String>:: ID of the session to set.
+      # val<MemorySession>:: The session to set.
+      def []=(key, val) 
+        @mutex.synchronize {
+          @timestamps[key] = Time.now
+          @sessions[key] = val
+        } 
+      end
+
+      # ==== Parameters
+      # key<String>:: ID of the session to delete.
+      def delete(key)
+        @mutex.synchronize {
+          @sessions.delete(key)
+          @timestamps.delete(key)
+        }
+      end
+
+      # Deletes any sessions that have reached their maximum validity.
+      def reap_old_sessions
+        @timestamps.each do |key,stamp|
+          if stamp + @session_ttl < Time.now
+            delete(key)
+          end  
+        end
+        GC.start
+      end
+
+      # Starts the timer that will eventually reap outdated sessions.
+      def start_timer
+        Thread.new do
+          loop {
+            sleep @session_ttl
+            reap_old_sessions
+          } 
+        end  
+      end
+
+      # ==== Returns
+      # Array:: The sessions stored in this container.
+      def sessions
+        @sessions
+      end  
+      
+    end # end singleton class
+
+  end # end MemorySessionContainer
+end
+
+Merb::MemorySessionContainer.setup(Merb::Config[:memory_session_ttl])