vidibus-user 0.0.10 → 1.0.0

data/README.md

@@ -0,0 +1,32 @@
+# Vidibus::User [![Build Status](https://travis-ci.org/vidibus/vidibus-user.png)](https://travis-ci.org/vidibus/vidibus-user) [![Code Climate](https://codeclimate.com/github/vidibus/vidibus-user.png)](https://codeclimate.com/github/vidibus/vidibus-user)
+
+Provides single sign-on through OAuth2 authentication. It adds a simple user model to your application which can be extended easily.
+
+This gem is part of [Vidibus](http://vidibus.org), an open source toolset for building distributed (video) applications.
+
+
+## Installation
+
+Add `gem 'vidibus-service'` to your Gemfile. Then call `bundle install` on your console.
+
+
+## Obtaining user data
+
+After authorization via OAuth2 this gem requests user data from the providing service. It expects `GET /oauth/user` to return JSON data. The dataset must at least include the user's UUID.
+
+The [Vidibus::Oauth2Server](https://github.com/vidibus/vidibus-oauth2_server) gem will provide a controller for this task.
+
+
+## Dependencies
+
+In order to perform authentication, this gem depends on services provided by the [Vidibus::Service](https://github.com/vidibus/vidibus-service) gem.
+
+
+## TODO
+
+Explain usage and integration.
+
+
+## Copyright
+
+Copyright (c) 2010-2013 Andre Pankratz. See LICENSE for details.

data/Rakefile

@@ -1,35 +1,17 @@
-require "rubygems"
-require "rake"
-require "rake/rdoctask"
-require "rspec"
-require "rspec/core/rake_task"
+$:.unshift File.expand_path('../lib/', __FILE__)
 
-begin
-  require "jeweler"
-  Jeweler::Tasks.new do |gem|
-    gem.name = "vidibus-user"
-    gem.summary = %Q{Single sign-on for Vidibus applications.}
-    gem.description = %Q{Provides single sign-on and a local user model.}
-    gem.email = "andre@vidibus.com"
-    gem.homepage = "http://github.com/vidibus/vidibus-user"
-    gem.authors = ["Andre Pankratz"]
-  end
-  Jeweler::GemcutterTasks.new
-rescue LoadError
-  puts "Jeweler (or a dependency) not available. Install it with: gem install jeweler"
-end
+require 'bundler'
+require 'rdoc/task'
+require 'rspec'
+require 'rspec/core/rake_task'
+require 'vidibus/user/version'
 
-Rspec::Core::RakeTask.new(:rcov) do |t|
-  t.pattern = "spec/**/*_spec.rb"
-  t.rcov = true
-  t.rcov_opts = ["--exclude", "^spec,/gems/"]
-end
+Bundler::GemHelper.install_tasks
 
 Rake::RDocTask.new do |rdoc|
-  version = File.exist?("VERSION") ? File.read("VERSION") : ""
-  rdoc.rdoc_dir = "rdoc"
-  rdoc.title = "vidibus-user #{version}"
-  rdoc.rdoc_files.include("README*")
-  rdoc.rdoc_files.include("lib/**/*.rb")
-  rdoc.options << "--charset=utf-8"
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title = "vidibus-user #{Vidibus::User::VERSION}"
+  rdoc.rdoc_files.include('README*')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+  rdoc.options << '--charset=utf-8'
 end

data/config/routes.rb

@@ -1,5 +1,5 @@
-require "user/callback_app"
+require 'vidibus/user/callback_app'
 
 Rails.application.routes.draw do
-  match "/authenticate_user" => Vidibus::User::CallbackApp
+  get '/authenticate_user' => Vidibus::User::CallbackApp
 end

data/lib/vidibus/user/callback_app.rb

@@ -5,14 +5,14 @@ module Vidibus
         self.new.call(env)
       end
 
-      # This is just a rack endpoint for Connector authentication. It will be called
-      # by the Connector after requesting an authentication code.
+      # This is a rack endpoint user authentication. It will be called
+      # by the consumer after requesting an authentication code.
       def call(env)
-        env["warden"].authenticate!(:scope => :user)
+        env['warden'].authenticate!(:scope => :user)
 
         # Redirect to return path after signin
-        return_to = env["rack.session"][:user_return_to] || "/"
-        [302, {"Content-Type" => "text/html", "Location" => return_to}, ["Login successful."]]
+        return_to = env['rack.session'][:user_return_to] || '/'
+        [302, {'Content-Type' => 'text/html', 'Location' => return_to}, ['Login successful.']]
       end
     end
   end

data/lib/vidibus/user/errors.rb

@@ -0,0 +1,7 @@
+module Vidibus
+  module User
+    class Error < StandardError; end
+    class ServiceError < Error; end
+    class SingleSignOnError < Error; end
+  end
+end

data/lib/vidibus/user/extensions/controller.rb

@@ -1,52 +1,34 @@
+require 'vidibus/user/extensions/helper'
+
 module Vidibus
   module User
     module Extensions
-
-      # Contains extensions of ApplicationController.
       module Controller
-        extend ActiveSupport::Concern
-
-        included do
-          helper_method :warden, :signed_in?, :user_signed_in?, :current_user, :user_session
-        end
-
-        protected
-
-        # Accessor for the warden proxy instance.
-        def warden
-          request.env["warden"]
-        end
-
-        # Performs login on Connector service.
-        def authenticate_user!
-          return if user_signed_in?
-          store_location
-          warden.authenticate!(:scope => :user)
-        end
+        include Helper
 
-        # Returns session of currently signed in user.
-        def user_session
-          current_user and warden.session(:user)
+        # Authenticates user from single sign on cookie.
+        # Nothing happens if authentication fails.
+        def single_sign_on
+          return if authenticated?
+          warden.authenticate(:single_sign_on)
         end
 
-        # Returns user currently logged in.
-        def current_user
-          warden.user(:user)
+        # Authenticates user either from single sign on cookie
+        # or from email and password params.
+        # Calls failure app if authentication fails.
+        def authenticate!
+          return if authenticated?
+          warden.authenticate!
         end
+        alias :signin! :authenticate!
+        alias :authenticate_user! :authenticate!
 
-        # Returns true if user is logged in.
-        def user_signed_in?
-          warden.authenticated?(:user)
-        end
-        alias_method :signed_in?, :user_signed_in?
-
-        private
-
-        # Stores current location in session to perform redirect after signin in session
-        def store_location
-          Rails.logger.error 'store_location: '+request.fullpath
-          session[:user_return_to] = request.fullpath
+        # Performs logout.
+        def logout
+          return unless authenticated?
+          warden.logout
         end
+        alias :signout :logout
       end
     end
   end

data/lib/vidibus/user/extensions/helper.rb

@@ -0,0 +1,29 @@
+module Vidibus
+  module User
+    module Extensions
+      module Helper
+
+        # Accessor for the warden proxy instance.
+        def warden
+          request.env['warden']
+        end
+
+        # Returns the user that is currently logged in.
+        def current_user
+          warden.user
+        end
+
+        # Returns the session of the currently signed-in user.
+        def user_session
+          warden.session if current_user
+        end
+
+        # Returns true if user is logged in.
+        def authenticated?
+          warden.authenticated?
+        end
+        alias :signed_in? :authenticated?
+      end
+    end
+  end
+end

data/lib/vidibus/user/extensions.rb

@@ -1,5 +1,16 @@
-require "user/extensions/controller"
+require 'vidibus/user/extensions/controller'
+require 'vidibus/user/extensions/helper'
 
-ActiveSupport.on_load(:action_controller) do
-  include Vidibus::User::Extensions::Controller
+if defined?(ActiveSupport)
+  ActiveSupport.on_load(:action_controller) do
+    include Vidibus::User::Extensions::Controller
+  end
+
+  ActiveSupport.on_load(:application_helper) do
+    include Vidibus::User::Extensions::Helper
+  end
+
+  ActiveSupport.on_load(:action_view) do
+    include Vidibus::User::Extensions::Helper
+  end
 end

data/lib/vidibus/user/mongoid.rb

@@ -1,10 +1,12 @@
+require 'vidibus-uuid'
+
 module Vidibus
   module User
     module Mongoid
       extend ActiveSupport::Concern
       included do
-        field :uuid
-        field :email
+        field :uuid, type: String
+        field :email, type: String
         validates :uuid, :uuid => true
       end
     end

data/lib/vidibus/user/railstie.rb

@@ -0,0 +1,19 @@
+if defined?(::Rails::Engine)
+  module Vidibus
+    module User
+      class Engine < ::Rails::Engine
+
+        # Add warden to rack stack and use vidibus strategy.
+        config.app_middleware.use ::Warden::Manager do |manager|
+          manager.default_strategies :single_sign_on
+          manager.default_scope = :user
+          manager.failure_app = Vidibus::User.failure_app
+        end
+
+        config.after_initialize do
+          Vidibus::User.logger = Rails.logger
+        end
+      end
+    end
+  end
+end

data/lib/vidibus/user/version.rb

@@ -0,0 +1,5 @@
+module Vidibus
+  module User
+    VERSION = '1.0.0'
+  end
+end

data/lib/vidibus/user/warden/callbacks/after_set_user.rb

@@ -0,0 +1,4 @@
+# Warden callback that validates the SSO session.
+Warden::Manager.after_set_user do |user, auth, opts|
+  # TODO
+end

data/lib/vidibus/user/warden/callbacks/before_logout.rb

@@ -0,0 +1,5 @@
+# Warden callback that sends a request to the central user registration
+# for single sign-out
+Warden::Manager.before_logout do |user, auth, opts|
+  # TODO
+end

data/lib/vidibus/user/warden/callbacks.rb

@@ -0,0 +1,2 @@
+require 'vidibus/user/warden/callbacks/after_set_user'
+require 'vidibus/user/warden/callbacks/before_logout'

data/lib/vidibus/user/warden/failure_app.rb

@@ -0,0 +1,30 @@
+module Vidibus
+  module User
+    module Warden
+      class FailureApp
+        include Warden::Helper
+
+        def self.call(env)
+          self.new.call(env)
+        end
+
+        # This is a rack endpoint user authentication. It will be called
+        # by the consumer after requesting an authentication code.
+        def call(env)
+          @env = env
+          body = "Please authenticate at #{host}#{Vidibus::User.login_path}"
+          header = {
+            'Content-Type' => 'text/html',
+            'Location' => Vidibus::User.login_path,
+            'Content-Length' => body.length.to_s
+          }
+          [302, header, [body]]
+        end
+
+        def env
+          @env
+        end
+      end
+    end
+  end
+end

data/lib/vidibus/user/warden/helper.rb

@@ -0,0 +1,55 @@
+module Vidibus
+  module User
+    module Warden
+      module Helper
+
+        # Sets credentials for Connector login in session.
+        # The client_secret will be validated through Vidibus' OauthServer
+        # when issuing an OAuth token. To protect the service's secret, a
+        # custom signature will be sent instead.
+        def credentials
+          @credentials ||= begin
+            service = ::Service.discover(:user, realm)
+            unless service
+              raise(ServiceError, 'No user service is available.')
+            end
+            {
+              :client_id => "#{this.uuid}-#{realm}",
+              :client_secret => Vidibus::Secure.sign(this.uuid, service.secret),
+              :service_url => service.url
+            }
+          end
+        end
+
+        # Returns this service
+        def this
+          @this ||= ::Service.this
+        end
+
+        # Returns the current realm
+        def realm
+          @realm ||= params['realm'] || env[:realm]
+        end
+
+        # Returns OAuth client
+        def client
+          @client ||= OAuth2::Client.new(credentials[:client_id], credentials[:client_secret], :site => credentials[:service_url])
+        end
+
+        # Returns current host.
+        def host
+          "#{protocol}#{env['HTTP_HOST']}"
+        end
+
+        # Returns protocol depending on SERVER_PORT.
+        def protocol
+          env['SERVER_PORT'] == 443 ? 'https://' : 'http://'
+        end
+
+        def logger
+          Vidibus::User.logger
+        end
+      end
+    end
+  end
+end

data/lib/vidibus/user/warden/serialize.rb

@@ -0,0 +1,7 @@
+Warden::Manager.serialize_into_session do |user|
+  user.id
+end
+
+Warden::Manager.serialize_from_session do |id|
+  ::User.find(id)
+end

data/lib/vidibus/user/warden/strategies/single_sign_on.rb

@@ -0,0 +1,77 @@
+require 'oauth2'
+
+# Warden strategy to authenticate user from a
+# single sign-on cookie.
+::Warden::Strategies.add(:single_sign_on) do
+  include Vidibus::User::Warden::Helper
+
+  USER_DATA_PATH = '/oauth/user'
+
+  # Run this strategy only if a realm is present.
+  def valid?
+    !!realm
+  end
+
+  def user
+    @user
+  end
+
+  def authenticate!
+    return if fetch_code
+    fetch_access_token
+    fetch_user_data
+    user ? success!(user) : fail!
+  end
+
+  private
+
+  def args
+    {:redirect_url => "#{host}/authenticate_user?realm=#{realm}"}
+  end
+
+  def code
+    params['code']
+  end
+
+  def access_token
+    @access_token ||= begin
+      client.auth_code.get_token(code, args)
+    end
+  end
+
+  def fetch_code
+    return if code
+    failsafe do
+      redirect!(client.auth_code.authorize_url(args))
+    end
+  end
+
+  def fetch_access_token
+    failsafe do
+      access_token
+    end
+  end
+
+  def fetch_user_data
+    begin
+      response = access_token.get(USER_DATA_PATH)
+      user_data = JSON.parse(response.body)
+      query = {:uuid => user_data['uuid']}
+      user = User.where(query).first || User.create!(query)
+      user.update_attributes!(user_data)
+      @user = user
+    rescue OAuth2::Error => e
+      logger.error("Vidibus::User: Failed to fetch user data from #{credentials[:service_url]}/#{USER_DATA_PATH}: #{e.message}")
+    rescue => e
+      logger.error("Vidibus::User: #{e.message}")
+    end
+  end
+
+  def failsafe(&block)
+    begin
+      block.call
+    rescue OAuth2::Error => e
+      raise(Vidibus::User::SingleSignOnError, e.response.body)
+    end
+  end
+end

data/lib/vidibus/user/warden/strategies.rb

@@ -0,0 +1 @@
+require 'vidibus/user/warden/strategies/single_sign_on'

data/lib/vidibus/user/warden.rb

@@ -0,0 +1,5 @@
+require 'vidibus/user/warden/serialize'
+require 'vidibus/user/warden/helper'
+require 'vidibus/user/warden/strategies'
+require 'vidibus/user/warden/callbacks'
+require 'vidibus/user/warden/failure_app'

data/lib/vidibus/user.rb

@@ -1,3 +1,20 @@
-require "user/extensions"
-require "user/warden_strategy"
-require "user/mongoid"
+require 'vidibus/user/errors'
+require 'vidibus/user/mongoid'
+require 'vidibus/user/warden'
+require 'vidibus/user/extensions'
+require 'vidibus/user/railstie'
+
+module Vidibus
+  module User
+    extend self
+
+    attr_accessor :login_path
+    @login_path = '/login'
+
+    attr_accessor :logger
+    @logger = Logger.new(STDOUT)
+
+    attr_accessor :failure_app
+    @failure_app = Vidibus::User::Warden::FailureApp
+  end
+end

data/lib/vidibus-user.rb

@@ -1,20 +1,3 @@
-require "rails"
-
-$:.unshift(File.join(File.dirname(__FILE__), "vidibus"))
-require "user"
-
-module Vidibus
-  module User
-    class Error < StandardError; end
-    class NoRealmError < Error; end
-
-    class Engine < ::Rails::Engine
-
-      # Add warden to rack stack and use connector strategy.
-      config.app_middleware.use Warden::Manager do |manager|
-        manager.default_strategies :connector
-        manager.default_scope = :user
-      end
-    end
-  end
-end
+require 'warden'
+require 'vidibus-service'
+require 'vidibus/user'