RubyGems - ucb_rails_security - Versions diffs - 2.0.7 - Mend

ucb_rails_security 2.0.7

Files changed (60) hide show

data/CHANGELOG ADDED Viewed

@@ -0,0 +1,6 @@
+= UCB Rails Security - Changelog
+== Version 2.0 July 31, 2008
+* Made module compatible with rails 2.1
+* Added custom logging for debugging auth/authz filter processing

data/Manifest ADDED Viewed

@@ -0,0 +1,56 @@
+CHANGELOG
+Manifest
+README
+Rakefile
+TODO
+generators/ucb_rails_security/templates/controllers/ucb_security/base_controller.rb
+generators/ucb_rails_security/templates/controllers/ucb_security/ldap_search_controller.rb
+generators/ucb_rails_security/templates/controllers/ucb_security/role_users_controller.rb
+generators/ucb_rails_security/templates/controllers/ucb_security/roles_controller.rb
+generators/ucb_rails_security/templates/controllers/ucb_security/user_roles_controller.rb
+generators/ucb_rails_security/templates/controllers/ucb_security/users_controller.rb
+generators/ucb_rails_security/templates/db/migrate/xxx_create_ucb_rails_security_tables.rb
+generators/ucb_rails_security/templates/helpers/ucb_security/base_helper.rb
+generators/ucb_rails_security/templates/helpers/ucb_security/builder.rb
+generators/ucb_rails_security/templates/helpers/ucb_security/roles_helper.rb
+generators/ucb_rails_security/templates/helpers/ucb_security/users_helper.rb
+generators/ucb_rails_security/templates/initializers/ucb_security_config.rb
+generators/ucb_rails_security/templates/javascripts/ucb_security.js
+generators/ucb_rails_security/templates/models/ldap_search.rb
+generators/ucb_rails_security/templates/models/role.rb
+generators/ucb_rails_security/templates/models/user.rb
+generators/ucb_rails_security/templates/models/user_roles.rb
+generators/ucb_rails_security/templates/stylesheets/ucb_security.css
+generators/ucb_rails_security/templates/views/layouts/ucb_security/_main_navigation.html.erb
+generators/ucb_rails_security/templates/views/layouts/ucb_security/application.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/ldap_search/index.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/role_users/_new.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/role_users/edit.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/roles/_users.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/roles/edit.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/roles/index.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/roles/new.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/roles/show.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/user_roles/edit.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/users/edit.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/users/index.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/users/new.html.erb
+generators/ucb_rails_security/templates/views/ucb_security/users/show.html.erb
+generators/ucb_rails_security/ucb_rails_security_generator.rb
+init.rb
+lib/helpers/rspec_helpers.rb
+lib/tasks/ucb_rails_security.rake
+lib/ucb_rails_security.rb
+lib/ucb_rails_security_casauthentication.rb
+lib/ucb_rails_security_logger.rb
+lib/ucb_rs_controller_methods.rb
+rdoc_includes/application_controller_rb.txt
+rspec/_all_specs.rb
+rspec/_setup.rb
+rspec/filter_ldap_spec.rb
+rspec/filter_role_spec.rb
+rspec/filter_spec.rb
+rspec/filter_user_spec.rb
+rspec/logged_in_status_spec.rb
+rspec/ucb_rails_security_casauthentication_spec.rb
+rspec/ucb_rails_security_spec.rb

data/README ADDED Viewed

@@ -0,0 +1,195 @@
+= UC Berkeley Rails Security
+UCB::Rails::Security simplifies CAS auth and ldap authz within your rails application by adding
+custom filters to your rails controllers.
+== Description
+This plugin adds authentication/authorization to your rails application.  Currently
+CAS is the only supported authentication scheme.  Authorization is handled by
+various filters that this plugin provides.  The filters can utilize: values from
+a users and or roles table  as well as ldap attributes of the authenticated user.
+These filters are typically added to your application controller by including
+the ucb_rs_controller_methods module.  Example:
+user has CAS authenticated
+  class ApplicationController < ActionController::Base
+    include UCB::Rails::Security::ControllerMethods
+    before_filter :filter_logged_in
+  end
+This would only allow access to if the user has CAS authenticated
+== Installation
+These installation instructions assume that you already have a database
+configured for your rails application and that you have already run the
+initial <tt>rake db:migrate</tt> command to setup your <tt>schema_info</tt> table.
+From RAILS_ROOT run:
+  script/generate ucb_rails_security
+This will generate scaffolding for a rudimentary user/role administration interface.
+It will also install a db:migration: <tt>xxx_create_ucb_rails_security_tables.rb</tt>,
+where xxx is the next highest available migration number.
+Now run: <tt>rake db:migrate</tt> to run the migrations.
+== Configuration
+Configuration for this plugin is handled in the file:
+RAILS_ROOT/config/initializers/ucb_security_config.rb
+You probably want to uncomment the first config option so
+your application can use the users table.  The file itself
+has comments explaining the options.
+Before you can use the users table, you must create a security user.
+Run the following from RAILS_ROOT:
+  rake ucb:create_security_user UID=#{your_uid}
+This adds you to the users table and gives you the 'Security' role.
+By default, you must have the 'Security' role to access the administrative
+interface.  Now start your application server and point your browser to:
+  localhost:3000/ucb_security/
+You should be redirected to CAS.  CAS authenticate and you should now
+have access to the ucb_security administrator pages.
+=== Customization
+The ucb_security scaffolding includes an rudimentary administrative interface
+to manage users and roles within your rails application. Most of the ucb_security
+scaffolding has been installed under the namespace ucb_security:
+  RAILS_ROOT/apps/controller/ucb_security
+  RAILS_ROOT/apps/views/ucb_security
+  RAILS_ROOT/apps/helpers/ucb_security
+  RAILS_ROOT/public/stylesheets/ucb_security.css
+The models, however, are installed directly beneath your models directory:
+  RAILS_ROOT/apps/models/user
+  RAILS_ROOT/apps/models/roles
+  RAILS_ROOT/apps/models/user_roles
+Finally, the ucb_security scaffolding added custom routes to the top of
+your route file:
+  RAILS_ROOT/config/routes.rb
+Don't like how something looks?  Feel free to change the views, or the stylesheet.
+If you start changing the models or routes, make sure you add tests!
+== Usage
+=== Authentication
+The simplest use of this module is to require that users be authenticated
+by CAS, i.e., they have entered a valid CalNet id and passphrase.
+The following controller requires a user be authenticated:
+  class MyController < ApplicationController
+    before_filter :filter_logged_in
+  end
+If the user is already logged in (has been CAS authenticated) then
+the user can access the controller.
+If not logged in the user will be redirected to the CAS
+authentication service.  Upon successful authentication
+the user will be redirected to the originally requested url.
+==== Authentication Methods
+The only authentication method supported is CAS [https://auth.berkeley.edu/cas/login].
+More info about CAS[http://en.wikipedia.org/wiki/Single_sign_on].
+=== Authorization
+==== LDAP Filters
+UCB::Rails::Security is closely integrated with, and in fact depends
+on UCB::LDAP. Authenticated users are looked up in the LDAP directory and the
+corresponding UCB::LDAP::Person instance is stored in the Rails session.
+Applications have easy access to a logged in user's LDAP attributes
+for general purposes, but more importantly these attributes can be
+used in controller filters with minimal effort (next section).
+Applications can manage access to controllers based on LDAP attributes.
+This controller can only be accessed by UCB employees:
+  class MyController < ApplicationController
+    before_filter :filter_ldap_employee?
+  end
+Note that this filter is dynamically created and queries the <tt>employee?</tt>
+method of the user's UCB::LDAP::Person entry to do its work.
+See UCB::Rails::Security::ControllerMethods for more information.
+==== User and Role Filters
+If an application has +User+ and +Role+ tables, they can be used to control authorization.
+===== User Filters
+This controller is restricted to users in the user table:
+  class MyController < ApplicationController
+    before_filter :filter_in_user_table
+  end
+This controller is restricted to users that can update:
+  class MyController < ApplicationController
+    before_filter :filter_user_can_update?
+  end
+Note that this filter is dynamically created by sending the <tt>can_update?</tt>
+message to the user instance.
+Any filter of the form ":filter_user_method" will return <tt>true</tt> if the
+user instance returns <tt>true</tt> when sent <tt>method</tt>.
+===== Role Filters
+This controller is restricted to users who have the admin role:
+  class MyController < ApplicationController
+    before_filter :filter_role_admin
+  end
+Note that this filter is dynamically created and queries the roles
+for the user to see if "admin" is one of the roles.
+See UCB::Rails::Security::ControllerMethods for more information.
+== More Information
+* UCB::Rails::Security for configuration
+* UCB::Rails::Security::ControllerMethods for filters, form helpers, etc.
+== Version
+:include: ./version.yml
+== Author
+Steven Hansen (runner@berkeley.edu)
+Steve Downey

data/Rakefile ADDED Viewed

@@ -0,0 +1,21 @@
+require 'rubygems'
+require 'rake'
+require 'echoe'
+require 'hanna/rdoctask'
+Echoe.new('ucb_rails_security', '2.0.7') do |p|
+  p.description    = "Simplifies CAS auth and ldap authz within your rails application"
+  p.url            = "http://ucbrb.rubyforge.org/ucb_rails_security"
+  p.author         = "Steven Hansen, Steven Downey"
+  p.email          = "runner@berkeley.edu"
+  p.ignore_pattern = ["svn_user.yml", "tasks/**/**", "test/**/**", "version.yml"]
+  p.runtime_dependencies = ["rubycas-client", ">= 2.0.1"]
+  p.runtime_dependencies = ["ucb_ldap", ">= 1.3.0"]
+  p.project = "ucbrb"
+  p.rdoc_options = "-o doc --inline-source -T hanna lib/*.rb"
+  p.rdoc_pattern = ["README", "CHANGELOG", "lib/**/**", "rdoc_includes/**/**"]
+end
+Dir["#{File.dirname(__FILE__)}/tasks/*.rake"].sort.each { |ext| load ext }

data/TODO ADDED Viewed

@@ -0,0 +1,3 @@
+= UCB Rails Security - Todo
+* Add ability for admin/security users to login as other users.

data/generators/ucb_rails_security/templates/controllers/ucb_security/base_controller.rb ADDED Viewed

@@ -0,0 +1,17 @@
+class UcbSecurity::BaseController < ApplicationController
+  # Move this include into your ApplicationController to add security to your entire application
+  include UCB::Rails::Security::ControllerMethods
+  layout 'layouts/ucb_security/application'
+  # Only allow access to users that have the "Security" role
+  before_filter :filter_role_security, :except => [:not_authorized, :logout]
+  before_filter :append_headers
+private
+  def append_headers
+    response.headers['Cache-Control'] = "no-store, no-cache, must-revalidate"
+    response.headers['Expires'] = "The, 01 Jan 1970 00:00:00 GMT"
+    response.headers['Pragma'] = "no-cache"
+  end
+end

data/generators/ucb_rails_security/templates/controllers/ucb_security/ldap_search_controller.rb ADDED Viewed

@@ -0,0 +1,10 @@
+class UcbSecurity::LdapSearchController < UcbSecurity::BaseController
+  def index
+    @ldap_people = LdapSearch.find(params[:search_term], params[:search_value])
+    @select_options = LdapSearch.search_term_select_list()
+    @search_term = params[:search_term].blank? ? "" : params[:search_term].to_sym
+    @search_initiated = true if params[:commit]
+  end
+end

data/generators/ucb_rails_security/templates/controllers/ucb_security/role_users_controller.rb ADDED Viewed

@@ -0,0 +1,27 @@
+class UcbSecurity::RoleUsersController < UcbSecurity::BaseController
+  before_filter :load_role
+  def edit
+    @unassociated_users = @role.non_users_menu_list()
+    @associated_users = @role.users_menu_list()
+  end
+  def update
+    @role.update_attributes(:user_ids => params[:user_ids])
+    @role.save!
+    flash[:notice] = "Role users were successfully updated."
+    redirect_to(edit_ucb_security_role_users_path(@role))
+  rescue ActiveRecord::RecordInvalid
+    flash[:error] = @role.errors.each_full {}.join('<br/>')
+    render :action => 'edit'
+  end
+protected
+  def load_role
+    @role = Role.find(params[:role_id])
+  rescue ActiveRecord::RecordNotFound
+    flash[:error] = "Record Not Found"
+    redirect_to(ucb_security_roles_url)
+  end
+end

data/generators/ucb_rails_security/templates/controllers/ucb_security/roles_controller.rb ADDED Viewed

@@ -0,0 +1,52 @@
+class UcbSecurity::RolesController < UcbSecurity::BaseController
+  before_filter :init_role, :only => [:show, :edit, :update, :destroy]
+  def index
+    @roles = Role.find(:all, :order => 'name')
+  end
+  def show
+  end
+  def new
+    @role = Role.new
+  end
+  def edit
+  end
+  def create
+    @role = Role.new(params[:role])
+    @role.save!
+    flash[:notice] = 'Role was successfully created.'
+    redirect_to(ucb_security_role_path(@role))
+  rescue ActiveRecord::RecordInvalid
+    flash.now[:error] = @role.errors.each_full {}.join('<br/>')
+    render(:action => 'new')
+  end
+  def update
+    @role.update_attributes!(params[:role])
+    flash[:notice] = 'Role was successfully updated.'
+    redirect_to(edit_ucb_security_role_path(@role))
+  rescue ActiveRecord::RecordInvalid => e
+    flash.now[:error] = @role.errors.each_full {}.join('<br/>')
+    render :action => 'edit'
+  end
+  def destroy
+    @role.destroy
+    flash[:notice] = "Record was successfully deleted"
+    redirect_to(ucb_security_roles_path())
+  end
+protected
+  def init_role
+    @role = Role.find(params[:id])
+  rescue ActiveRecord::RecordNotFound
+    flash[:error] = "Record Not Found"
+    redirect_to(ucb_security_roles_path())
+    return false
+  end
+end

data/generators/ucb_rails_security/templates/controllers/ucb_security/user_roles_controller.rb ADDED Viewed

@@ -0,0 +1,29 @@
+class UcbSecurity::UserRolesController < UcbSecurity::BaseController
+    before_filter :load_user
+    def edit
+      @roles = Role.find(:all, :order => 'name')
+    end
+    def update
+      params[:user] ||= {}
+      params[:user][:role_ids] ||= []
+      @user.update_attributes!(params[:user])
+      flash[:notice] = 'User roles were successfully updated.'
+      redirect_to(edit_ucb_security_user_roles_path(@user))
+    rescue ActiveRecord::RecordInvalid
+      @roles = Role.find(:all, :order => 'name')
+      flash.now[:error] = @user.errors.each_full {}.join('<br/>')
+      render(:action => 'edit')
+    end
+  protected
+    def load_user
+      @user = User.find(params[:user_id])
+    rescue ActiveRecord::RecordNotFound
+      flash[:error] = "Record Not Found"
+      redirect_to(ucb_security_users_path())
+    end
+end

data/generators/ucb_rails_security/templates/controllers/ucb_security/users_controller.rb ADDED Viewed

@@ -0,0 +1,59 @@
+class UcbSecurity::UsersController < UcbSecurity::BaseController
+  before_filter :init_user, :only => [:show, :edit, :update, :destroy]
+  def index
+    @users = User.find(:all, :order => "last_name, first_name")
+  end
+  def show
+  end
+  def new
+    @user = User.new_from_ldap_uid(params[:ldap_uid])
+  rescue UCB::LDAP::Person::RecordNotFound => e
+    flash[:error] = e.message
+    redirect_to(ucb_security_users_path())
+  end
+  def edit
+  end
+  def create
+    @user = User.new(params[:user])
+    @user.save!
+    flash[:notice] = 'User was successfully created.'
+    redirect_to(ucb_security_user_path(@user))
+  rescue ActiveRecord::RecordInvalid
+    flash.now[:error] = @user.errors.each_full {}.join('<br/>')
+    render(:action => 'new')
+  end
+  def update
+    @user.update_attributes!(params[:user])
+    flash[:notice] = 'User was successfully updated.'
+    redirect_to(edit_ucb_security_user_path(@user))
+  rescue ActiveRecord::RecordInvalid
+    flash.now[:error] = @user.errors.each_full {}.join('<br/>')
+    render(:action => 'edit')
+  end
+  def destroy
+    if @user.current_user?(ldap_uid())
+      flash[:error] = "You cannot delete yourself!"
+      redirect_to(ucb_security_users_path()) and return nil
+    else
+      @user.destroy
+      flash[:notice] = "User was successfully destroyed"
+      redirect_to(ucb_security_users_path())
+    end
+  end
+protected
+  def init_user
+    @user = User.find(params[:id])
+  rescue ActiveRecord::RecordNotFound
+    flash[:error] = "Record Not Found"
+    redirect_to(ucb_security_users_path())
+  end
+end

data/generators/ucb_rails_security/templates/db/migrate/xxx_create_ucb_rails_security_tables.rb ADDED Viewed

@@ -0,0 +1,31 @@
+class CreateUcbRailsSecurityTables < ActiveRecord::Migration
+  def self.up
+    create_table "users", :force => true do |t|
+      t.string :ldap_uid
+      t.string :first_name
+      t.string :last_name
+      t.string :email
+      t.string :phone
+      t.string :department
+      t.timestamps
+    end
+    create_table "roles", :force => true do |t|
+      t.string :name
+      t.string :description
+      t.timestamps
+    end
+    create_table "user_roles", :force => true, :id => false do |t|
+      t.integer :user_id
+      t.integer :role_id
+      t.timestamps
+    end
+  end
+  def self.down
+    drop_table :users
+    drop_table :roles
+    drop_table :user_roles
+  end
+end

data/generators/ucb_rails_security/templates/helpers/ucb_security/base_helper.rb ADDED Viewed

@@ -0,0 +1,23 @@
+module UcbSecurity::BaseHelper
+  def role_checkbox
+    raise "This method has been deprecated"
+  end
+  def in_user_table?
+    id_from_uid ? true : false
+  end
+  def id_from_uid
+    @user_uids[@entry.uid]
+  end
+  def display_message
+    return "<div class='error'>#{flash[:error]}</div>" if flash[:error]
+    return "<div class='notice'>#{flash[:notice]}</div>" if flash[:notice]
+  end
+  def title(title)
+    @title = title
+  end
+end

data/generators/ucb_rails_security/templates/helpers/ucb_security/builder.rb ADDED Viewed

@@ -0,0 +1,25 @@
+class UcbSecurity::Builder < ActionView::Helpers::FormBuilder
+  def text_field(label, method, options = {}, html_options = {})
+    field = super(method, html_options)
+    format_field(label, method, options, field)
+  end
+  def text_area(label, method, options = {}, html_options = {})
+    field = super(method, html_options)
+    format_field(label, method, options, field)
+  end
+  def text(label, method, options = {}, html_options = {})
+    format_field(label, method, options, "#{@object.send(method)}")
+  end
+  def format_field(label, method, options, field)
+    label = "* ".concat(label) if options[:required] == true
+    @template.content_tag(:p,
+      "#{@template.content_tag(:label, label, :for => "#{@object_name}_#{method}")} #{field}"
+    )
+  end
+end

data/generators/ucb_rails_security/templates/helpers/ucb_security/roles_helper.rb ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ module UcbSecurity::RolesHelper
2	+ end

data/generators/ucb_rails_security/templates/helpers/ucb_security/users_helper.rb ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ module UcbSecurity::UsersHelper
2	+ end

data/generators/ucb_rails_security/templates/initializers/ucb_security_config.rb ADDED Viewed

@@ -0,0 +1,20 @@
+# Uncomment this if your Application uses a user table
+#
+# UCB::Rails::Security::using_user_table = true
+# When a user logs of CAS, the CAS logout page will display a link for
+# the user to return to the original application.  By default, UCB::Rails::Security
+# uses http://appdomain.com/ucb_security
+# Uncommening the below config would change it to: http://appdomain.com
+#
+# UCB::Rails::Security::CASAuthentication.home_url = ''
+# By default, UCB::Rails::Security will return ldap test entries for all
+# Rails environments except production.  Uncommenting the below will change
+# the behaviour to return test ids for all environments.  You can also add
+# this config option to a specific environment file to confine the config.
+#
+# UCB::Rails::Security::CASAuthentication.allow_test_entries = true