ucb_rails_security 2.0.7

data/lib/helpers/rspec_helpers.rb

@@ -0,0 +1,119 @@
+
+module UCB
+  module Rails
+    module Security
+      module RspecHelpers
+        #
+        # Adds mock user login functionality for testing apps using ucb_rails_security
+        #
+        # The main advantage to using these helpers is that, when running your tests,
+        # actual ldap connections are never made, instead a mock ldap object is used.
+        # This dramatically increases the performance of your tests.
+        #
+        # The helpers also avoid adding the logged in user to the users table, again
+        # this increases the speed of the tests.
+        #
+        #
+        # Usage:
+        #
+        #  # log user into the application before controller test(s) are run.
+        #  before(:each) do
+        #    login_user() do
+        #      User.create!(
+        #        :ldap_uid => "666", 
+        #        :first_name => "first_name", 
+        #        :last_name => "last_name"
+        #      )
+        #    end
+        #  end
+        #
+        #
+        #  # log user into the application with specified roles before controller 
+        #  # test(s) are run.
+        #  before(:each) do
+        #    login_user_with_roles(["security", "admin"]) do
+        #      User.create!(
+        #        :ldap_uid => "666", 
+        #        :first_name => "first_name", 
+        #        :last_name => "last_name"
+        #      )
+        #    end
+        #  end
+        #
+        # One caveat, when using login_user_with_roles, the roles that are granted 
+        # to the user are not saved to the database.  For that user, we stub 
+        # user.roles to return those roles.  This means that you cannot add additional
+        # roles to this user during a test as roles() has been stubbed. The user
+        # you use to login should only be used to allow access to a given 
+        # controller/action during your test.
+        
+        def mock_ldap_person(ldap_uid = 1)
+          ldap_person = mock("ldap_person")
+          ldap_person.stub!(:uid).and_return(ldap_uid.to_s)
+          ldap_person.stub!(:email).and_return("email_#{ldap_uid}")
+          ldap_person.stub!(:first_name).and_return("first_name_#{ldap_uid}")
+          ldap_person.stub!(:last_name).and_return("last_name_#{ldap_uid}")
+          ldap_person.stub!(:phone).and_return("phone_#{ldap_uid}")
+          ldap_person.stub!(:dept_code).and_return("dept_code_#{ldap_uid}")
+          ldap_person.stub!(:dept_name).and_return("dept_name_#{ldap_uid}")
+          ldap_person
+        end
+
+        def new_user_instance(ldap_uid = 1)
+          User.new(
+            :ldap_uid => ldap_uid,
+            :email => "email_#{ldap_uid}",
+            :first_name => "first_name_#{ldap_uid}",
+            :last_name => "last_name_#{ldap_uid}",
+            :phone => "phone_#{ldap_uid}",
+            :department => "department_#{ldap_uid}"
+          )
+        end
+
+        # Logs in a given user with the specified roles.  Block should return the User instance:
+        #
+        # @current_user = login_user_with_roles(["security"]) do
+        #   User.create!(:ldap_uid => "666", :first_name => "first_name", :last_name => "last_name") 
+        # end
+        #
+        def login_user_with_roles(roles, &block)
+          raise(Exception, "Expecting block to return User object") unless block_given?
+          user = yield()
+          login_user(user)
+          grant_roles_to_user(user, roles)
+        end
+
+        # Logs in a given user to the application:
+        #
+        #   user = User.create!(:ldap_uid => "666", :first_name => "first_name", :last_name => "last_name") 
+        #   login_user(user)
+        #
+        def login_user(user)
+          user = yield() if block_given?
+          raise(Exception, "login_user() expects user object as argument or return value of a block") if user.nil?
+          UCB::Rails::Security::CASAuthentication.force_login_filter_true_for = user.ldap_uid
+          mock_ldap_person = UCB::LDAP::Person.new([])
+          mock_ldap_person.stub!(:first_name).and_return(user.first_name)
+          mock_ldap_person.stub!(:last_name).and_return(user.last_name)
+          mock_ldap_person.stub!(:uid).and_return(user.ldap_uid)
+          
+          # Inject our mock objects into the UCB::Rails::Security system
+          controller().send(:ldap_user=, mock_ldap_person)
+          controller().send(:user_table_id=, user.id)
+          controller().send(:user_table_user=, user)
+        end
+
+        # Gives the uesrs instance the specified roles:
+        #
+        #   grant_roles_to_user(user, ["Security"])
+        #
+        def grant_roles_to_user(user, r_names)
+          roles = r_names.map { |r| Role.new(:name => r) }
+          user.stub!(:roles).and_return(roles)
+          #user.roles << roles
+        end
+        
+      end
+    end
+  end
+end

data/lib/tasks/ucb_rails_security.rake

@@ -0,0 +1,22 @@
+namespace :ucb do
+  desc 'Create user w/security role'
+  task :create_security_user => :environment do
+    if (ldap_uid = ENV['UID'])
+      role = Role.find_or_create_by_name('security')
+      begin
+        user = User.find_or_create_by_ldap_uid!(ldap_uid)
+        user.roles << role unless user.roles.include?(role)
+        user.save!
+        puts "Security role granted to user (ldap_uid: #{ldap_uid})"
+      rescue UCB::LDAP::Person::RecordNotFound
+        puts "Unable to find person (ldap_uid: #{ldap_uid}) in LDAP."
+      end
+    else
+      puts
+      puts 'USAGE: '
+      puts "\trake ucb:create_security_user UID=<uid>"
+      puts "\trake ucb:create_security_user UID=<uid> RAILS_ENV=<env>"
+      puts
+    end
+  end
+end

data/lib/ucb_rails_security.rb

@@ -0,0 +1,60 @@
+require 'rubygems'
+
+gem 'actionpack', '>= 2.0.0'
+require 'action_controller'
+
+gem 'rubycas-client', '>= 2.0.1'
+require 'casclient'
+require 'casclient/frameworks/rails/filter'
+
+gem 'ucb_ldap', '>= 1.3.0'
+require 'ucb_ldap'
+
+require 'ucb_rails_security_casauthentication'
+require 'ucb_rs_controller_methods' 
+
+
+
+module UCB #:nodoc:
+  module Rails #:nodoc:
+    # = UCB Rails Security
+    module Security
+      
+      # Returns +true+ if application is using a user table 
+      # which must be named +User+.
+      def self.using_user_table?
+        @using_user_table
+      end
+      
+      # Set this to +true+ if your application is using a +User+ table.
+      def self.using_user_table=(bool)
+        @using_user_table = bool
+      end
+      
+      # URL user is redirected to when authorization fails. 
+      # Defaults to '/not_authorized'
+      def self.not_authorized_url()
+        @not_authorized_url || '/not_authorized'
+      end
+      
+      # Setter for not_authorized_url()
+      def self.not_authorized_url=(url)
+        @not_authorized_url = url
+      end
+      
+      # Reset instance variables for testing
+      def self.reset_instance_variables() #:nodoc:
+        self.using_user_table = nil
+        self.not_authorized_url = nil
+      end
+      
+      def self.logger
+        @logger ||= UCB::Rails::Security::Logger.new("#{RAILS_ROOT}/log/ucb_security_#{RAILS_ENV}.log")
+      end
+      
+      def self.logger=(val)
+        @logger = val
+      end
+    end
+  end
+end

data/lib/ucb_rails_security_casauthentication.rb

@@ -0,0 +1,117 @@
+# Implementation of UCB::Rails::Security
+
+module UCB #:nodoc:
+  module Rails #:nodoc:
+    module Security
+      # = CAS Authentication Class
+      #
+      # This class is where you override the default CAS settings.
+      class CASAuthentication
+    
+        ENV_DEVELOPMENT = 'development'
+        ENV_DEV_INTEGRATION = 'dev_integration'
+        ENV_TEST = 'test'
+        ENV_PRODUCTION = 'production'
+      
+        CAS_BASE_URL_TEST = "https://auth-test.berkeley.edu/cas"    
+        CAS_BASE_URL_PRODUCTION = "https://auth.berkeley.edu/cas"
+      
+        def self.logger()
+          UCB::Rails::Security.logger
+        end
+        
+        # Filter for CAS authentication.  To use filter, in controller:
+        # 
+        #   before_filter UCB::Rails::Security::CASAuthentication
+        #
+        # or use the controller method instead
+        #
+        #   before_filter :filter_logged_in
+        #
+        def self.filter(controller) #:nodoc:
+          logger.debug("In UCB::Rails::Security::CASAuthentication.filter")
+          if environment == ENV_TEST && force_login_filter_true_for
+            controller.session[:cas_user] = force_login_filter_true_for
+            return true
+          end
+          CASClient::Frameworks::Rails::Filter.configure(
+            :cas_base_url => self.cas_base_url(),
+            :logger => self.logger()
+          )
+
+          logger.debug("Before CASClient::Frameworks::Rails::Filter.filter(controller)")
+          if CASClient::Frameworks::Rails::Filter.filter(controller)
+            logger.debug("After CASClient::Frameworks::Rails::Filter.filter(controller)")
+            return true
+          else
+            return false
+          end
+        end
+
+        # Returns CAS base url to be used for CAS authentication.  Default
+        # is based on Rails environment (RAILS_ENV).
+        def self.cas_base_url
+          return @cas_base_url if @cas_base_url
+          (environment == ENV_PRODUCTION) ? CAS_BASE_URL_PRODUCTION : CAS_BASE_URL_TEST
+        end
+
+        def self.allow_test_entries?
+          @allow_test_entries ||= (environment != ENV_PRODUCTION)
+        end
+
+        def self.allow_test_entries=(bool)
+          @allow_test_entries = bool
+        end
+
+        # Setter for cas_base_url
+        def self.cas_base_url=(url)
+          @cas_base_url = url
+        end
+
+        # Returns CAS logout url
+        def self.logout_url
+          "#{self.cas_base_url}/logout"
+        end
+        
+        def self.home_url=(url)
+          @home_url = url
+        end
+        
+        def self.home_url
+          @home_url || "ucb_security"
+        end
+        
+        # This method exists so it can be stubbed to test cas_base_url()
+        def self.environment #:nodoc:
+          RAILS_ENV
+        end
+        
+        # LDAP Uid for which login is forced successful if in test
+        # environemnt.
+        def self.force_login_filter_true_for()
+          @force_login_filter_true_for || false
+        end
+    
+        # In test environment, every call to #filter() will simulate
+        # successful authentication for _ldap_uid_ if this method
+        # is called.
+        def self.force_login_filter_true_for=(ldap_uid)
+          @force_login_filter_true_for = ldap_uid
+        end
+        
+        # Servername is pulled from request object.
+        # def self.server_name(controller) #:nodoc:
+        #   $TESTING ? "host_with_port" : controller.request.host_with_port
+        # end
+        
+        # Used for testing
+        def self.reset_instance_variables() #:nodoc:
+          self.force_login_filter_true_for = nil
+          self.cas_base_url = nil
+          self.allow_test_entries = nil
+          self.home_url = nil
+        end
+      end
+    end
+  end
+end

data/lib/ucb_rails_security_logger.rb

@@ -0,0 +1,33 @@
+require 'logger'
+
+# this overrides clean_logger.rb in Rails that pretty much completely breaks logging #!@%*(#@*$&%!!...
+module UCB
+  module Rails
+    module Security
+      
+      class Logger < ::Logger
+        def initialize(logdev, shift_age = 0, shift_size = 1048576)
+          @default_formatter = self.class::Formatter.new
+          super
+        end
+  
+        def format_message(severity, datetime, progrname, msg)
+          (@formatter || @default_formatter).call(severity, datetime, progname, msg)
+        end
+    
+        def break
+          self << "\n"
+        end
+    
+        class Formatter < ::Logger::Formatter
+          Format = "[%s#%d] %5s -- %s: %s\n"
+      
+          def call(severity, time, progname, msg)
+            Format % [format_datetime(time), $$, severity, progname, msg2str(msg)]
+          end
+        end
+      end
+      
+    end
+  end
+end