warden-github-rails-thinknear-fork 1.1.0

data/lib/warden/github/rails/config.rb

@@ -0,0 +1,49 @@
+module Warden
+  module GitHub
+    module Rails
+      class Config
+        BadConfig = Class.new(StandardError)
+
+        # Default scope to use when not explicitly specified.
+        attr_accessor :default_scope
+
+        # The list of scopes and their configs. This is used to add custom
+        # configs to a specific scope. When using a scope that is not listed
+        # here, it will use the default configs from warden-github.
+        attr_reader :scopes
+
+        # A hash containing team alias names and their numeric id.
+        attr_reader :teams
+
+        def initialize
+          @default_scope = :user
+          @scopes = {}
+          @teams = {}
+        end
+
+        # Adds a scope with custom configurations to the list of scopes.
+        def add_scope(name, config={})
+          scopes[name] = config
+        end
+
+        # Maps a team id to a name in order to easier reference it.
+        def add_team(name, id)
+          teams[name.to_sym] = Integer(id)
+        end
+
+        # Gets the team id for a team id or alias.
+        def team_id(team)
+          # In ruby 1.8 doing a Integer(:symbol) returns an integer. Thus, test
+          # for symbol first.
+          if team.is_a? Symbol
+            teams.fetch(team)
+          else
+            Integer(team)  rescue teams.fetch(team.to_sym)
+          end
+        rescue IndexError
+          fail BadConfig, "No team id defined for team #{team}."
+        end
+      end
+    end
+  end
+end

data/lib/warden/github/rails/controller_helpers.rb

@@ -0,0 +1,39 @@
+module Warden
+  module GitHub
+    module Rails
+      module ControllerHelpers
+        def self.included(klass)
+          klass.helper_method(:github_authenticated?, :github_user)
+        end
+
+        # Initiates the OAuth flow if not already authenticated for the
+        # specified scope.
+        def github_authenticate!(scope=Rails.default_scope)
+          request.env['warden'].authenticate!(:scope => scope)
+        end
+
+        # Logs out a user if currently logged in for the specified scope.
+        def github_logout(scope=Rails.default_scope)
+          request.env['warden'].logout(scope)
+        end
+
+        # Checks whether a user is logged in for the specified scope.
+        def github_authenticated?(scope=Rails.default_scope)
+          request.env['warden'].authenticated?(scope)
+        end
+
+        # Returns the currently signed in user for the specified scope. See the
+        # documentation for Warden::GitHub::User for available methods.
+        def github_user(scope=Rails.default_scope)
+          request.env['warden'].user(scope)
+        end
+
+        # Accessor for the currently signed in user's session. This will be
+        # cleared once logged out.
+        def github_session(scope=Rails.default_scope)
+          request.env['warden'].session(scope)  if github_authenticated?(scope)
+        end
+      end
+    end
+  end
+end

data/lib/warden/github/rails/railtie.rb

@@ -0,0 +1,42 @@
+module Warden
+  module GitHub
+    module Rails
+      class Railtie < ::Rails::Railtie
+        initializer 'warden-github-rails.warden' do |app|
+          # When devise is used, it inserts a warden middlware. Multiple warden
+          # middlewares do not work properly. Devise allows for a block to be
+          # specified that is invoked when its warden middleware is configured.
+          # This makes it possible to setup warden-github-rails through devise.
+          if defined?(::Devise)
+            ::Devise.warden { |config| setup_scopes(config) }
+          else
+            app.config.middleware.use Warden::Manager do |config|
+              setup_failure_app(config)
+              setup_scopes(config)
+            end
+          end
+        end
+
+        initializer 'warden-github-rails.helpers' do
+          ActiveSupport.on_load(:action_controller) do
+            include ControllerHelpers
+          end
+        end
+
+        def setup_scopes(config)
+          Rails.scopes.each do |scope, scope_config|
+            config.scope_defaults scope, :strategies => [:github],
+                                         :config => scope_config
+          end
+        end
+
+        def setup_failure_app(config)
+          config.failure_app = lambda do |env|
+            [403, {}, [env['warden'].message]]
+          end
+        end
+      end
+    end
+  end
+end
+

data/lib/warden/github/rails/routes.rb

@@ -0,0 +1,83 @@
+module Warden
+  module GitHub
+    module Rails
+      module Routes
+        # Enforces an authenticated GitHub user for the routes. If not
+        # authenticated, it initiates the OAuth flow.
+        #
+        # Team and organization memberships can be checked by specifying a hash
+        # such as `:team => 'foobar'` or `:org => 'my_company'`.
+        def github_authenticate(scope=nil, options={}, &routes_block)
+          github_constraint(scope, options, routes_block) do |warden, scope|
+            warden.authenticate!(:scope => scope)
+          end
+        end
+
+        # The routes will only be visible to authenticated GitHub users. When
+        # not authenticated, it does not initiate the OAuth flow.
+        #
+        # Team and organization memberships can be checked by specifying a hash
+        # such as `:team => 'foobar'` or `:org => 'my_company'`.
+        def github_authenticated(scope=nil, options={}, &routes_block)
+          github_constraint(scope, options, routes_block) do |warden, scope|
+            warden.authenticated?(:scope => scope)
+          end
+        end
+
+        # The routes will only be visible to all but authenticated GitHub users.
+        #
+        # This constraint currently does not check for memberships since of its
+        # limited usage.
+        def github_unauthenticated(scope=nil, options={}, &routes_block)
+          github_constraint(scope, options, routes_block) do |warden, scope|
+            not warden.authenticated?(:scope => scope)
+          end
+        end
+
+        private
+
+        def github_constraint(scope, options, routes_block, &block)
+          options, scope = scope, nil  if scope.is_a? Hash
+          scope ||= Rails.default_scope
+
+          constraint = lambda do |request|
+            warden = request.env['warden']
+
+            if block.call(warden, scope)
+              if (user = warden.user(scope))
+                evaled_options = github_eval_options(options, request)
+                github_enforce_options(user, evaled_options)
+              else
+                true
+              end
+            end
+          end
+
+          constraints(constraint, &routes_block)
+        end
+
+        def github_enforce_options(user, options)
+          if (team = options[:team])
+            user.team_member?(Rails.team_id(team))
+          elsif (org = options[:org] || options[:organization])
+            user.organization_member?(org)
+          else
+            true
+          end
+        end
+
+        def github_eval_options(options, request)
+          Hash[options.map { |k,v|
+            if v.is_a?(Proc)
+              [k, v.call(request)]
+            else
+              [k, v]
+            end
+          }]
+        end
+      end
+    end
+  end
+end
+
+ActionDispatch::Routing::Mapper.send(:include, Warden::GitHub::Rails::Routes)

data/lib/warden/github/rails/test_helpers.rb

@@ -0,0 +1,28 @@
+require 'warden/github'
+require 'warden/github/rails/test_helpers/mock_user'
+
+module Warden
+  module GitHub
+    module Rails
+      module TestHelpers
+        include ::Warden::Test::Helpers
+
+        # Login a mock GitHub user and return it.
+        def github_login(scope=Rails.default_scope)
+          MockUser.new.tap do |user|
+            login_as(user, :scope => scope)
+          end
+        end
+      end
+    end
+  end
+end
+
+# Add a method to Rack::Response to easily determine if a request resulted in an
+# OAuth redirect to GitHub.
+class Rack::Response
+  def github_oauth_redirect?
+    redirect? and
+      location.start_with?('https://github.com/login/oauth/authorize')
+  end
+end

data/lib/warden/github/rails/test_helpers/mock_user.rb

@@ -0,0 +1,30 @@
+module Warden
+  module GitHub
+    module Rails
+      module TestHelpers
+        class MockUser < User
+          attr_reader :memberships
+
+          def initialize(*args)
+            super
+            @memberships = { :team => [], :org => [] }
+          end
+
+          def stub_membership(args)
+            args.each do |type, values|
+              memberships.fetch(type).concat(Array(values))
+            end
+          end
+
+          def team_member?(id)
+            memberships[:team].include?(id)
+          end
+
+          def organization_member?(id)
+            memberships[:org].include?(id)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/warden/github/rails/version.rb

@@ -0,0 +1,9 @@
+module Warden
+  module GitHub
+    module Rails
+      VERSION = File.read(
+        File.expand_path('../../../../../VERSION', __FILE__)
+      ).strip
+    end
+  end
+end

data/spec/integration/controller_helpers_spec.rb

@@ -0,0 +1,95 @@
+require 'spec_helper'
+
+describe 'controller helpers' do
+  {
+    :scoped   => :admin,
+    :unscoped => Warden::GitHub::Rails.default_scope
+  }.each do |type, scope|
+    context "when using #{type}" do
+      describe '#github_authenticate!' do
+        subject(:request) { get "/#{type}/authenticate" }
+
+        context 'when not logged in' do
+          it 'initiates the oauth flow' do
+            expect(request).to be_github_oauth_redirect
+          end
+        end
+
+        context 'when logged in' do
+          before { github_login(scope) }
+          it 'does nothing' do
+            expect(request).to be_ok
+          end
+        end
+      end
+
+      describe '#github_logout' do
+        context 'when not logged in' do
+          it 'does nothing' do
+            expect(get("/#{type}/logout").body).to eq('false')
+          end
+        end
+
+        context 'when logged in' do
+          it 'logs out the user' do
+            github_login(scope)
+            expect(get("/#{type}/logout").body).to eq('true')
+            expect(get("/#{type}/logout").body).to eq('false')
+          end
+        end
+      end
+
+      describe '#github_authenticated?' do
+        subject(:request) { get "/#{type}/authenticated" }
+
+        context 'when not logged in' do
+          it 'returns false' do
+            expect(request.body).to eq('false')
+          end
+        end
+
+        context 'when logged in' do
+          it 'returns true' do
+            github_login(scope)
+            expect(request.body).to eq('true')
+          end
+        end
+      end
+
+      describe '#github_user' do
+        subject(:request) { get "/#{type}/user" }
+
+        context 'when not logged in' do
+          it 'returns nil' do
+            expect(request.body).to be_blank
+          end
+        end
+
+        context 'when logged in' do
+          it 'returns the logged in user' do
+            github_login(scope)
+            expect(request.body).to \
+              include('Warden::GitHub::Rails::TestHelpers::MockUser')
+          end
+        end
+      end
+
+      describe '#github_session' do
+        subject(:request) { get "/#{type}/session" }
+
+        context 'when not logged in' do
+          it 'should be nil' do
+            expect(request.body).to be_blank
+          end
+        end
+
+        context 'when logged in' do
+          it "returns the user's session" do
+            github_login(scope)
+            expect(request.body).to eq({ :foo => :bar }.to_s)
+          end
+        end
+      end
+    end
+  end
+end

data/spec/integration/membership_spec.rb

@@ -0,0 +1,183 @@
+require 'spec_helper'
+
+describe 'request to a protected resource' do
+  context 'that requires a team membership' do
+    context 'which is specified by a numeric team id' do
+      subject { get '/team/protected' }
+
+      context 'when not logged in' do
+        it { should be_github_oauth_redirect }
+      end
+
+      context 'when logged in' do
+        context 'and team member' do
+          before do
+            user = github_login
+            user.stub_membership(:team => 123)
+          end
+
+          it { should be_ok }
+        end
+
+        context 'and not team member' do
+          before { github_login }
+          it { should be_not_found}
+        end
+      end
+    end
+
+    context 'which is specified by a team alias' do
+      subject { get '/team_alias/protected' }
+
+      context 'when not logged in' do
+        it { should be_github_oauth_redirect }
+      end
+
+      context 'when logged in' do
+        context 'and team member' do
+          before do
+            user = github_login
+            user.stub_membership(:team => 456)
+          end
+
+          it { should be_ok }
+        end
+
+        context 'and not team member' do
+          before { github_login }
+          it { should be_not_found}
+        end
+      end
+    end
+
+    context 'which is specified by a lambda' do
+      subject { get '/dynamic_team/123' }
+
+      context 'when logged in' do
+        context 'and team member' do
+          before do
+            user = github_login
+            user.stub_membership(:team => 123)
+          end
+
+          it { should be_ok }
+        end
+
+        context 'and not team member' do
+          before { github_login }
+          it { should be_not_found}
+        end
+      end
+    end
+  end
+
+  context 'that requires an organization membership' do
+    { :org => :foobar_inc, :organization => 'some_org' }.each do |key, value|
+      context "which is specified as #{key}" do
+        subject { get "/#{key}/protected" }
+
+        context 'when not logged in' do
+          it { should be_github_oauth_redirect }
+        end
+
+        context 'when logged in' do
+          context 'and organization member' do
+            before do
+              user = github_login
+              user.stub_membership(:org => value)
+            end
+
+            it { should be_ok }
+          end
+
+          context 'and not organization member' do
+            before { github_login }
+            it { should be_not_found }
+          end
+        end
+      end
+    end
+
+    context 'which is specified by a lambda' do
+      subject { get '/dynamic_org/some_org' }
+
+      context 'when logged in' do
+        context 'and organization member' do
+          before do
+            user = github_login
+            user.stub_membership(:org => 'some_org')
+          end
+
+          it { should be_ok }
+        end
+
+        context 'and not organization member' do
+          before { github_login }
+          it { should be_not_found}
+        end
+      end
+    end
+  end
+end
+
+describe 'request to a resource that only exists when logged in' do
+  context 'that requires a team membership' do
+    context 'which is specified by a numeric team id' do
+      subject { get '/team/conditional' }
+
+      context 'when team member' do
+        before do
+          user = github_login
+          user.stub_membership(:team => 123)
+        end
+
+        it { should be_ok }
+      end
+
+      context 'when not team member' do
+        before { github_login }
+        it { should be_not_found}
+      end
+    end
+
+    context 'which is specified by a team alias' do
+      subject { get '/team_alias/conditional' }
+
+      context 'when team member' do
+        before do
+          user = github_login
+          user.stub_membership(:team => 456)
+        end
+
+        it { should be_ok }
+      end
+
+      context 'when not team member' do
+        before { github_login }
+        it { should be_not_found}
+      end
+    end
+  end
+
+  context 'that requires an organization membership' do
+    { :org => :foobar_inc, :organization => 'some_org' }.each do |key, value|
+      context "which is specified as #{key}" do
+        subject { get "/#{key}/conditional" }
+
+        context 'when organization member' do
+          before do
+            user = github_login
+            user.stub_membership(:org => value)
+          end
+
+          it { should be_ok }
+        end
+
+        context 'when not organization member' do
+          before { github_login }
+          it { should be_not_found }
+        end
+      end
+    end
+  end
+end