RubyGems - ucb_rails_security - Versions diffs - 2.0.7 - Mend

ucb_rails_security 2.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (60) hide show

data/CHANGELOG ADDED Viewed

@@ -0,0 +1,6 @@
+= UCB Rails Security - Changelog
+== Version 2.0 July 31, 2008
+* Made module compatible with rails 2.1
+* Added custom logging for debugging auth/authz filter processing

data/Manifest ADDED Viewed

@@ -0,0 +1,56 @@
+CHANGELOG
+Manifest
+README
+Rakefile
+TODO
+generators/ucb_rails_security/templates/controllers/ucb_security/base_controller.rb
+generators/ucb_rails_security/templates/controllers/ucb_security/ldap_search_controller.rb
+generators/ucb_rails_security/templates/controllers/ucb_security/role_users_controller.rb
+generators/ucb_rails_security/templates/controllers/ucb_security/roles_controller.rb
+generators/ucb_rails_security/templates/controllers/ucb_security/user_roles_controller.rb
+generators/ucb_rails_security/templates/controllers/ucb_security/users_controller.rb
+generators/ucb_rails_security/templates/db/migrate/xxx_create_ucb_rails_security_tables.rb
+generators/ucb_rails_security/templates/helpers/ucb_security/base_helper.rb
+generators/ucb_rails_security/templates/helpers/ucb_security/builder.rb
+generators/ucb_rails_security/templates/helpers/ucb_security/roles_helper.rb
+generators/ucb_rails_security/templates/helpers/ucb_security/users_helper.rb
+generators/ucb_rails_security/templates/initializers/ucb_security_config.rb
+generators/ucb_rails_security/templates/javascripts/ucb_security.js
+generators/ucb_rails_security/templates/models/ldap_search.rb
+generators/ucb_rails_security/templates/models/role.rb
+generators/ucb_rails_security/templates/models/user.rb
+generators/ucb_rails_security/templates/models/user_roles.rb
+generators/ucb_rails_security/templates/stylesheets/ucb_security.css
+generators/ucb_rails_security/templates/views/layouts/ucb_security/_main_navigation.html.erb
+generators/ucb_rails_security/templates/views/layouts/ucb_security/application.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/ldap_search/index.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/role_users/_new.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/role_users/edit.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/roles/_users.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/roles/edit.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/roles/index.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/roles/new.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/roles/show.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/user_roles/edit.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/users/edit.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/users/index.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/users/new.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/users/show.html.erb
+generators/ucb_rails_security/ucb_rails_security_generator.rb
+init.rb
+lib/helpers/rspec_helpers.rb
+lib/tasks/ucb_rails_security.rake
+lib/ucb_rails_security.rb
+lib/ucb_rails_security_casauthentication.rb
+lib/ucb_rails_security_logger.rb
+lib/ucb_rs_controller_methods.rb
+rdoc_includes/application_controller_rb.txt
+rspec/_all_specs.rb
+rspec/_setup.rb
+rspec/filter_ldap_spec.rb
+rspec/filter_role_spec.rb
+rspec/filter_spec.rb
+rspec/filter_user_spec.rb
+rspec/logged_in_status_spec.rb
+rspec/ucb_rails_security_casauthentication_spec.rb
+rspec/ucb_rails_security_spec.rb

data/README ADDED Viewed

@@ -0,0 +1,195 @@
+= UC Berkeley Rails Security
+UCB::Rails::Security simplifies CAS auth and ldap authz within your rails application by adding
+custom filters to your rails controllers.
+== Description
+This plugin adds authentication/authorization to your rails application.  Currently
+CAS is the only supported authentication scheme.  Authorization is handled by
+various filters that this plugin provides.  The filters can utilize: values from
+a users and or roles table  as well as ldap attributes of the authenticated user.
+These filters are typically added to your application controller by including
+the ucb_rs_controller_methods module.  Example:
+user has CAS authenticated
+  class ApplicationController < ActionController::Base
+    include UCB::Rails::Security::ControllerMethods
+    before_filter :filter_logged_in
+  end
+This would only allow access to if the user has CAS authenticated
+== Installation
+These installation instructions assume that you already have a database
+configured for your rails application and that you have already run the
+initial <tt>rake db:migrate</tt> command to setup your <tt>schema_info</tt> table.
+From RAILS_ROOT run:
+  script/generate ucb_rails_security
+This will generate scaffolding for a rudimentary user/role administration interface.
+It will also install a db:migration: <tt>xxx_create_ucb_rails_security_tables.rb</tt>,
+where xxx is the next highest available migration number.
+Now run: <tt>rake db:migrate</tt> to run the migrations.
+== Configuration
+Configuration for this plugin is handled in the file:
+RAILS_ROOT/config/initializers/ucb_security_config.rb
+You probably want to uncomment the first config option so
+your application can use the users table.  The file itself
+has comments explaining the options.
+Before you can use the users table, you must create a security user.
+Run the following from RAILS_ROOT:
+  rake ucb:create_security_user UID=#{your_uid}
+This adds you to the users table and gives you the 'Security' role.
+By default, you must have the 'Security' role to access the administrative
+interface.  Now start your application server and point your browser to:
+  localhost:3000/ucb_security/
+You should be redirected to CAS.  CAS authenticate and you should now
+have access to the ucb_security administrator pages.
+=== Customization
+The ucb_security scaffolding includes an rudimentary administrative interface
+to manage users and roles within your rails application. Most of the ucb_security
+scaffolding has been installed under the namespace ucb_security:
+  RAILS_ROOT/apps/controller/ucb_security
+  RAILS_ROOT/apps/views/ucb_security
+  RAILS_ROOT/apps/helpers/ucb_security
+  RAILS_ROOT/public/stylesheets/ucb_security.css
+The models, however, are installed directly beneath your models directory:
+  RAILS_ROOT/apps/models/user
+  RAILS_ROOT/apps/models/roles
+  RAILS_ROOT/apps/models/user_roles
+Finally, the ucb_security scaffolding added custom routes to the top of
+your route file:
+  RAILS_ROOT/config/routes.rb
+Don't like how something looks?  Feel free to change the views, or the stylesheet.
+If you start changing the models or routes, make sure you add tests!
+== Usage
+=== Authentication
+The simplest use of this module is to require that users be authenticated
+by CAS, i.e., they have entered a valid CalNet id and passphrase.
+The following controller requires a user be authenticated:
+  class MyController < ApplicationController
+    before_filter :filter_logged_in
+  end
+If the user is already logged in (has been CAS authenticated) then
+the user can access the controller.
+If not logged in the user will be redirected to the CAS
+authentication service.  Upon successful authentication
+the user will be redirected to the originally requested url.
+==== Authentication Methods
+The only authentication method supported is CAS [https://auth.berkeley.edu/cas/login].
+More info about CAS[http://en.wikipedia.org/wiki/Single_sign_on].
+=== Authorization
+==== LDAP Filters
+UCB::Rails::Security is closely integrated with, and in fact depends
+on UCB::LDAP. Authenticated users are looked up in the LDAP directory and the
+corresponding UCB::LDAP::Person instance is stored in the Rails session.
+Applications have easy access to a logged in user's LDAP attributes
+for general purposes, but more importantly these attributes can be
+used in controller filters with minimal effort (next section).
+Applications can manage access to controllers based on LDAP attributes.
+This controller can only be accessed by UCB employees:
+  class MyController < ApplicationController
+    before_filter :filter_ldap_employee?
+  end
+Note that this filter is dynamically created and queries the <tt>employee?</tt>
+method of the user's UCB::LDAP::Person entry to do its work.
+See UCB::Rails::Security::ControllerMethods for more information.
+==== User and Role Filters
+If an application has +User+ and +Role+ tables, they can be used to control authorization.
+===== User Filters
+This controller is restricted to users in the user table:
+  class MyController < ApplicationController
+    before_filter :filter_in_user_table
+  end
+This controller is restricted to users that can update:
+  class MyController < ApplicationController
+    before_filter :filter_user_can_update?
+  end
+Note that this filter is dynamically created by sending the <tt>can_update?</tt>
+message to the user instance.
+Any filter of the form ":filter_user_method" will return <tt>true</tt> if the
+user instance returns <tt>true</tt> when sent <tt>method</tt>.
+===== Role Filters
+This controller is restricted to users who have the admin role:
+  class MyController < ApplicationController
+    before_filter :filter_role_admin
+  end
+Note that this filter is dynamically created and queries the roles
+for the user to see if "admin" is one of the roles.
+See UCB::Rails::Security::ControllerMethods for more information.
+== More Information
+* UCB::Rails::Security for configuration
+* UCB::Rails::Security::ControllerMethods for filters, form helpers, etc.
+== Version
+:include: ./version.yml
+== Author
+Steven Hansen (runner@berkeley.edu)
+Steve Downey

data/Rakefile ADDED Viewed

@@ -0,0 +1,21 @@
+require 'rubygems'
+require 'rake'
+require 'echoe'
+require 'hanna/rdoctask'
+Echoe.new('ucb_rails_security', '2.0.7') do |p|
+  p.description    = "Simplifies CAS auth and ldap authz within your rails application"
+  p.url            = "http://ucbrb.rubyforge.org/ucb_rails_security"
+  p.author         = "Steven Hansen, Steven Downey"
+  p.email          = "runner@berkeley.edu"
+  p.ignore_pattern = ["svn_user.yml", "tasks/**/**", "test/**/**", "version.yml"]
+  p.runtime_dependencies = ["rubycas-client", ">= 2.0.1"]
+  p.runtime_dependencies = ["ucb_ldap", ">= 1.3.0"]
+  p.project = "ucbrb"
+  p.rdoc_options = "-o doc --inline-source -T hanna lib/*.rb"
+  p.rdoc_pattern = ["README", "CHANGELOG", "lib/**/**", "rdoc_includes/**/**"]
+end
+Dir["#{File.dirname(__FILE__)}/tasks/*.rake"].sort.each { |ext| load ext }

data/TODO ADDED Viewed

@@ -0,0 +1,3 @@
+= UCB Rails Security - Todo
+* Add ability for admin/security users to login as other users.

data/generators/ucb_rails_security/templates/controllers/ucb_security/base_controller.rb ADDED Viewed

@@ -0,0 +1,17 @@
+class UcbSecurity::BaseController < ApplicationController
+  # Move this include into your ApplicationController to add security to your entire application
+  include UCB::Rails::Security::ControllerMethods
+  layout 'layouts/ucb_security/application'
+  # Only allow access to users that have the "Security" role
+  before_filter :filter_role_security, :except => [:not_authorized, :logout]
+  before_filter :append_headers
+private
+  def append_headers
+    response.headers['Cache-Control'] = "no-store, no-cache, must-revalidate"
+    response.headers['Expires'] = "The, 01 Jan 1970 00:00:00 GMT"
+    response.headers['Pragma'] = "no-cache"
+  end
+end

data/generators/ucb_rails_security/templates/controllers/ucb_security/ldap_search_controller.rb ADDED Viewed

@@ -0,0 +1,10 @@
+class UcbSecurity::LdapSearchController < UcbSecurity::BaseController
+  def index
+    @ldap_people = LdapSearch.find(params[:search_term], params[:search_value])
+    @select_options = LdapSearch.search_term_select_list()
+    @search_term = params[:search_term].blank? ? "" : params[:search_term].to_sym
+    @search_initiated = true if params[:commit]
+  end
+end

data/generators/ucb_rails_security/templates/controllers/ucb_security/role_users_controller.rb ADDED Viewed

@@ -0,0 +1,27 @@
+class UcbSecurity::RoleUsersController < UcbSecurity::BaseController
+  before_filter :load_role
+  def edit
+    @unassociated_users = @role.non_users_menu_list()
+    @associated_users = @role.users_menu_list()
+  end
+  def update
+    @role.update_attributes(:user_ids => params[:user_ids])
+    @role.save!
+    flash[:notice] = "Role users were successfully updated."
+    redirect_to(edit_ucb_security_role_users_path(@role))
+  rescue ActiveRecord::RecordInvalid
+    flash[:error] = @role.errors.each_full {}.join('<br/>')
+    render :action => 'edit'
+  end
+protected
+  def load_role
+    @role = Role.find(params[:role_id])
+  rescue ActiveRecord::RecordNotFound
+    flash[:error] = "Record Not Found"
+    redirect_to(ucb_security_roles_url)
+  end
+end

data/generators/ucb_rails_security/templates/controllers/ucb_security/roles_controller.rb ADDED Viewed

@@ -0,0 +1,52 @@
+class UcbSecurity::RolesController < UcbSecurity::BaseController
+  before_filter :init_role, :only => [:show, :edit, :update, :destroy]
+  def index
+    @roles = Role.find(:all, :order => 'name')
+  end
+  def show
+  end
+  def new
+    @role = Role.new
+  end
+  def edit
+  end
+  def create
+    @role = Role.new(params[:role])
+    @role.save!
+    flash[:notice] = 'Role was successfully created.'
+    redirect_to(ucb_security_role_path(@role))
+  rescue ActiveRecord::RecordInvalid
+    flash.now[:error] = @role.errors.each_full {}.join('<br/>')
+    render(:action => 'new')
+  end
+  def update
+    @role.update_attributes!(params[:role])
+    flash[:notice] = 'Role was successfully updated.'
+    redirect_to(edit_ucb_security_role_path(@role))
+  rescue ActiveRecord::RecordInvalid => e
+    flash.now[:error] = @role.errors.each_full {}.join('<br/>')
+    render :action => 'edit'
+  end
+  def destroy
+    @role.destroy
+    flash[:notice] = "Record was successfully deleted"
+    redirect_to(ucb_security_roles_path())
+  end
+protected
+  def init_role
+    @role = Role.find(params[:id])
+  rescue ActiveRecord::RecordNotFound
+    flash[:error] = "Record Not Found"
+    redirect_to(ucb_security_roles_path())
+    return false
+  end
+end

data/generators/ucb_rails_security/templates/controllers/ucb_security/user_roles_controller.rb ADDED Viewed

@@ -0,0 +1,29 @@
+class UcbSecurity::UserRolesController < UcbSecurity::BaseController
+    before_filter :load_user
+    def edit
+      @roles = Role.find(:all, :order => 'name')
+    end
+    def update
+      params[:user] ||= {}
+      params[:user][:role_ids] ||= []
+      @user.update_attributes!(params[:user])
+      flash[:notice] = 'User roles were successfully updated.'
+      redirect_to(edit_ucb_security_user_roles_path(@user))
+    rescue ActiveRecord::RecordInvalid
+      @roles = Role.find(:all, :order => 'name')
+      flash.now[:error] = @user.errors.each_full {}.join('<br/>')
+      render(:action => 'edit')
+    end
+  protected
+    def load_user
+      @user = User.find(params[:user_id])
+    rescue ActiveRecord::RecordNotFound
+      flash[:error] = "Record Not Found"
+      redirect_to(ucb_security_users_path())
+    end
+end

data/generators/ucb_rails_security/templates/controllers/ucb_security/users_controller.rb ADDED Viewed

@@ -0,0 +1,59 @@
+class UcbSecurity::UsersController < UcbSecurity::BaseController
+  before_filter :init_user, :only => [:show, :edit, :update, :destroy]
+  def index
+    @users = User.find(:all, :order => "last_name, first_name")
+  end
+  def show
+  end
+  def new
+    @user = User.new_from_ldap_uid(params[:ldap_uid])
+  rescue UCB::LDAP::Person::RecordNotFound => e
+    flash[:error] = e.message
+    redirect_to(ucb_security_users_path())
+  end
+  def edit
+  end
+  def create
+    @user = User.new(params[:user])
+    @user.save!
+    flash[:notice] = 'User was successfully created.'
+    redirect_to(ucb_security_user_path(@user))
+  rescue ActiveRecord::RecordInvalid
+    flash.now[:error] = @user.errors.each_full {}.join('<br/>')
+    render(:action => 'new')
+  end
+  def update
+    @user.update_attributes!(params[:user])
+    flash[:notice] = 'User was successfully updated.'
+    redirect_to(edit_ucb_security_user_path(@user))
+  rescue ActiveRecord::RecordInvalid
+    flash.now[:error] = @user.errors.each_full {}.join('<br/>')
+    render(:action => 'edit')
+  end
+  def destroy
+    if @user.current_user?(ldap_uid())
+      flash[:error] = "You cannot delete yourself!"
+      redirect_to(ucb_security_users_path()) and return nil
+    else
+      @user.destroy
+      flash[:notice] = "User was successfully destroyed"
+      redirect_to(ucb_security_users_path())
+    end
+  end
+protected
+  def init_user
+    @user = User.find(params[:id])
+  rescue ActiveRecord::RecordNotFound
+    flash[:error] = "Record Not Found"
+    redirect_to(ucb_security_users_path())
+  end
+end

data/generators/ucb_rails_security/templates/db/migrate/xxx_create_ucb_rails_security_tables.rb ADDED Viewed

@@ -0,0 +1,31 @@
+class CreateUcbRailsSecurityTables < ActiveRecord::Migration
+  def self.up
+    create_table "users", :force => true do |t|
+      t.string :ldap_uid
+      t.string :first_name
+      t.string :last_name
+      t.string :email
+      t.string :phone
+      t.string :department
+      t.timestamps
+    end
+    create_table "roles", :force => true do |t|
+      t.string :name
+      t.string :description
+      t.timestamps
+    end
+    create_table "user_roles", :force => true, :id => false do |t|
+      t.integer :user_id
+      t.integer :role_id
+      t.timestamps
+    end
+  end
+  def self.down
+    drop_table :users
+    drop_table :roles
+    drop_table :user_roles
+  end
+end

data/generators/ucb_rails_security/templates/helpers/ucb_security/base_helper.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module UcbSecurity::BaseHelper
+  def role_checkbox
+    raise "This method has been deprecated"
+  end
+  def in_user_table?
+    id_from_uid ? true : false
+  end
+  def id_from_uid
+    @user_uids[@entry.uid]
+  end
+  def display_message
+    return "<div class='error'>#{flash[:error]}</div>" if flash[:error]
+    return "<div class='notice'>#{flash[:notice]}</div>" if flash[:notice]
+  end
+  def title(title)
+    @title = title
+  end
+end

data/generators/ucb_rails_security/templates/helpers/ucb_security/builder.rb ADDED Viewed

@@ -0,0 +1,25 @@
+class UcbSecurity::Builder < ActionView::Helpers::FormBuilder
+  def text_field(label, method, options = {}, html_options = {})
+    field = super(method, html_options)
+    format_field(label, method, options, field)
+  end
+  def text_area(label, method, options = {}, html_options = {})
+    field = super(method, html_options)
+    format_field(label, method, options, field)
+  end
+  def text(label, method, options = {}, html_options = {})
+    format_field(label, method, options, "#{@object.send(method)}")
+  end
+  def format_field(label, method, options, field)
+    label = "* ".concat(label) if options[:required] == true
+    @template.content_tag(:p,
+      "#{@template.content_tag(:label, label, :for => "#{@object_name}_#{method}")} #{field}"
+    )
+  end
+end

data/generators/ucb_rails_security/templates/helpers/ucb_security/roles_helper.rb ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ module UcbSecurity::RolesHelper
2	+ end

data/generators/ucb_rails_security/templates/helpers/ucb_security/users_helper.rb ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ module UcbSecurity::UsersHelper
2	+ end

data/generators/ucb_rails_security/templates/initializers/ucb_security_config.rb ADDED Viewed

@@ -0,0 +1,20 @@
+# Uncomment this if your Application uses a user table
+#
+# UCB::Rails::Security::using_user_table = true
+# When a user logs of CAS, the CAS logout page will display a link for
+# the user to return to the original application.  By default, UCB::Rails::Security
+# uses http://appdomain.com/ucb_security
+# Uncommening the below config would change it to: http://appdomain.com
+#
+# UCB::Rails::Security::CASAuthentication.home_url = ''
+# By default, UCB::Rails::Security will return ldap test entries for all
+# Rails environments except production.  Uncommenting the below will change
+# the behaviour to return test ids for all environments.  You can also add
+# this config option to a specific environment file to confine the config.
+#
+# UCB::Rails::Security::CASAuthentication.allow_test_entries = true