wcc-auth 0.3.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 6c2afec20c4229b28f32abae4da9d22644c57bb2
+  data.tar.gz: 84abb21d431971dd9ce00576fac0f7aa5b5411d3
+SHA512:
+  metadata.gz: b64cd3fccbe65635e39dd47a8e162ec073c960611f2c566ce8db7da513dbdc86a18bbb04427fa14c38f2b1ef8865d30a173a343db1f8a25a19453d5ec710ef8b
+  data.tar.gz: 5a86a83daf93ec913e5c00bd6fbbf771cedd3357237a7c05d928521ed02c8b28afab82e277fe9d53581c167c95ab4e574e001c8757bb71bbf9274493fb0e2ff1

data/.gitignore

@@ -0,0 +1,17 @@
+*.gem
+*.rbc
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--format progress

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in wcc-auth.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2014 Watermark Community Church, Dallas, TX
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,115 @@
+# WCC::Auth
+
+Provides the necessary tools for handling authentication through
+Watermark's OAuth provider as well as authorizing the user has access to
+specific features within the application. There are special hooks for
+Rails apps using Devise, but the primitive structures could be used on
+any Ruby project. Currently, the only tested path is Rails with Devise.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'wcc-auth', '~> 0.3.0'
+```
+
+If you are using a Rails app with Devise you can use a special require
+hook that will setup all the Devise specific configuration for you.
+
+```ruby
+gem 'wcc-auth', '~> 0.3.0', require: 'wcc/auth/devise'
+```
+
+## Configuration
+
+There are a few steps to setup your app. These instructions are specific
+to a Rails app.
+
+#### Add the configuration block to an initializer
+
+In order to configure the gem you must run the `WCC::Auth.setup` block.
+See below for an example:
+
+```ruby
+WCC::Auth.setup do |config|
+  config.app_name = "app-name"
+  config.environment = Rails.env
+  config.app_id = 'app-client-id-from-oauth-provider'
+  config.app_secret = 'app-client-secret-from-oauth-provider'
+end
+```
+
+#### Setup your controllers
+
+```ruby
+# Add this include to your ApplicationController
+class ApplicationController < ActionController::Base
+  include WCC::Auth::ControllerHelpers
+end
+```
+
+#### Setup your user model
+
+```ruby
+class User < ActiveRecord::Base
+  include WCC::Auth::Providers::ActiveRecord
+
+  # ...
+
+end
+```
+
+#### Setup authorization (optional)
+
+If you would like to use the `TieredAbility` class included with
+`WCC::Auth` just create an Ability class that extends the
+`WCC::Auth::TieredAbility` class. The authenticated user will include an
+info variables called `access_level_id`. This corresponds to a
+`WCC::Auth::AccessLevel`.
+
+The access levels are broken down into 5 tiers with the following rules:
+
+* **No access** -- This is the default level
+* **Basic** -- This is provides read-only access
+* **Contribute** -- Read-write for only data the user owns
+* **Manage** -- Read-write for other's data
+* **App Admin** -- Can change app configuration
+* **System Admin** -- Has full access to all features always
+
+Each tier inherits all priveleges of the lower tiers. The rules here are
+guidelines for the app to follow. It is ultimately up to the client
+application to decide what each of these tiers means for it. Do your
+best to adhere to these rules.
+
+Here is an example Ability class using the DSL provided by `WCC::Auth`.
+
+```ruby
+class Ability < WCC::Auth::TieredAbility
+  at_level(:contribute) do |user|
+    can :read, Person
+    can :manage, Task, created_by_id: user.id
+    can :manage, Comment, created_by_id: user.id
+
+    cannot :destroy, Task
+  end
+
+  at_level(:appadmin) do |user|
+    can :manage, :all
+    cannot :create, TaskGroup
+  end
+
+
+  at_level(:sysadmin) do |user|
+    can :manage, :all
+  end
+end
+```
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,8 @@
+require "bundler/gem_tasks"
+
+task :default => :test
+
+desc "Run the RSpec test suite"
+task :test do
+  exec "rspec ."
+end

data/lib/omniauth/strategies/watermark.rb

@@ -0,0 +1,29 @@
+class OmniAuth::Strategies::Watermark < OmniAuth::Strategies::OAuth2
+  option :name, :watermark
+
+  option :client_options, {
+    site: WCC::Auth.config.authorize_site,
+    authorize_path: WCC::Auth.config.authorize_path,
+  }
+
+  option :authorize_params, WCC::Auth.config.authorize_params
+
+  uid do
+    raw_info["id"]
+  end
+
+  info do
+    {
+      email: raw_info["email"],
+      first_name: raw_info["first_name"],
+      last_name: raw_info["last_name"],
+      access_level_id: raw_info["access_level_id"],
+      arena_id: raw_info["arena_id"],
+    }
+  end
+
+  def raw_info
+    @raw_info ||= access_token.get('/api/v1/me.json').parsed
+  end
+
+end

data/lib/wcc/auth/ability.rb

@@ -0,0 +1,36 @@
+require 'cancan'
+
+class WCC::Auth::TieredAbility
+  include CanCan::Ability
+
+  def initialize(user)
+    @user = user
+    grant_access_at(@user.access_level)
+  end
+
+  def grant_access_at(access_level)
+    levels.each do |level, can_blocks|
+      if access_level >= level
+        can_blocks.each { |can_block| instance_exec(@user, &can_block) }
+      end
+    end
+  end
+
+  def levels
+    self.class.levels
+  end
+
+  def self.at_level(level_key, &can_block)
+    level = WCC::Auth::AccessLevel[level_key] or
+      raise ArgumentError, "#{level_key} is not a valid access level"
+    levels[level] << can_block
+  end
+
+  def self.levels
+    @levels ||= Hash.new { |hash, key| hash[key] = [] }
+  end
+
+  def self.inherited(subclass)
+    subclass.send :instance_variable_set, :@levels, levels.dup
+  end
+end

data/lib/wcc/auth/access_level.rb

@@ -0,0 +1,38 @@
+module WCC::Auth
+
+  ACCESS_LEVELS = [
+    { id: nil, name: "None", slug: "none", description: "no access", level: 0 },
+    { id: 1, name: "Basic", slug: "basic", description: "read access", level: 1 },
+    { id: 2, name: "Contribute", slug: "contribute", description: "read-write of data user owns", level: 2 },
+    { id: 3, name: "Manage", slug: "manage", description: "read-write of other's data", level: 3 },
+    { id: 4, name: "App Admin", slug: "appadmin", description: "read-write app configuration", level: 4 },
+    { id: 5, name: "System Admin", slug: "sysadmin", description: "full access", level: 5 },
+  ]
+
+  AccessLevel = Struct.new(:id, :name, :slug, :description, :level) do
+    include Comparable
+
+    def <=>(record)
+      self.level <=> record.level
+    end
+
+    def self.[](index_or_slug, db=ACCESS_LEVELS)
+      all(db).select do |al|
+        al.level.to_s === index_or_slug.to_s ||
+          al.slug === index_or_slug.to_s
+      end.last
+    end
+
+    def self.all(db=ACCESS_LEVELS)
+      db.collect do |row|
+        new.tap { |access_level|
+          row.each { |field, value|
+            access_level[field] = value
+          }
+        }
+      end.sort
+    end
+
+  end
+
+end

data/lib/wcc/auth/config.rb

@@ -0,0 +1,77 @@
+WCC::Auth::Config = Struct.new(:environment,
+                               :app_name,
+                               :app_url,
+                               :app_url_protocol,
+                               :app_id,
+                               :app_secret,
+                               :app_domain_suffix,
+                               :authorize_site,
+                               :authorize_path,
+                               :authorize_params) do
+
+  def authorize_site
+    self[:authorize_site] || default_authorize_site
+  end
+
+  def authorize_path
+    self[:authorize_path] || "/oauth/authorize"
+  end
+
+  def authorize_params
+    self[:authorize_params] || {}
+  end
+
+  def app_url
+    self[:app_url] || default_app_url
+  end
+
+  def app_url_protocol
+    self[:app_domain_suffix] || default_app_url_protocol
+  end
+
+  def app_domain_suffix
+    self[:app_domain_suffix] || default_app_domain_suffix
+  end
+
+  def nucleus_url
+    case environment.to_sym
+    when :production
+      "https://login.watermark.org"
+    when :staging
+      "http://login.staging.watermark.org"
+    when :development
+      "http://login.dev"
+    end
+  end
+
+  private
+
+  def default_app_url
+    "#{app_url_protocol}://#{app_name}#{app_domain_suffix}"
+  end
+
+  def default_app_url_protocol
+    case environment.to_sym
+    when :production
+      "https"
+    else
+      "http"
+    end
+  end
+
+  def default_app_domain_suffix
+    case environment.to_sym
+    when :production
+      ".watermark.org"
+    when :staging
+      ".staging.watermark.org"
+    when :development
+      ".dev"
+    end
+  end
+
+  def default_authorize_site
+    nucleus_url
+  end
+
+end

data/lib/wcc/auth/controller_helpers.rb

@@ -0,0 +1,11 @@
+module WCC::Auth::ControllerHelpers
+
+  def access_level
+    current_user.access_level
+  end
+
+  def self.included(receiver)
+    receiver.helper_method :access_level
+  end
+
+end

data/lib/wcc/auth/devise/watermark_callbacks_controller.rb

@@ -0,0 +1,26 @@
+class WCC::Auth::Devise::WatermarkCallbacksController < Devise::OmniauthCallbacksController
+  skip_authorization_check if respond_to?(:skip_authorization_check)
+
+  def watermark
+    oauth_data = request.env["omniauth.auth"]
+    @user = User.initialize_from_watermark_oauth(oauth_data)
+    @user.save
+
+    sign_in_and_redirect @user
+  end
+
+  def failure
+    Rails.logger.error failed_strategy.name
+    Rails.logger.error failure_message
+    set_flash_message :alert, :failure, :kind => OmniAuth::Utils.camelize(failed_strategy.name), :reason => failure_message
+    redirect_to after_omniauth_failure_path_for(resource_name)
+  end
+
+  protected
+
+  def after_omniauth_failure_path_for(scope)
+    root_path
+  end
+
+end
+

data/lib/wcc/auth/devise.rb

@@ -0,0 +1,22 @@
+require "wcc/auth"
+require "devise"
+
+module WCC
+  module Auth
+    module Devise
+      autoload :WatermarkCallbacksController, 'wcc/auth/devise/watermark_callbacks_controller'
+    end
+  end
+end
+
+WCC::Auth.finalize_callbacks << -> {
+  require "omniauth/strategies/watermark"
+  Devise.setup do |config|
+    config.omniauth :watermark,
+      WCC::Auth.config.app_id,
+      WCC::Auth.config.app_secret
+  end
+
+  OmniAuth.config.full_host = WCC::Auth.config.app_url
+}
+

data/lib/wcc/auth/providers/active_record.rb

@@ -0,0 +1,41 @@
+module WCC::Auth::Providers::ActiveRecord
+
+  module ClassMethods
+
+    def credential_data_mapping(oauth_data)
+      {
+        email: oauth_data.info.email,
+        first_name: oauth_data.info.first_name,
+        last_name: oauth_data.info.last_name,
+        access_token: oauth_data.credentials.token,
+        access_level_id: oauth_data.info.access_level_id,
+      }
+    end
+
+    def initialize_from_watermark_oauth(oauth_data)
+      find_or_initialize_by(provider: :watermark, uid: oauth_data.uid).tap do |user|
+        user.assign_attributes(credential_data_mapping(oauth_data))
+      end
+    end
+
+  end
+
+  module InstanceMethods
+
+    def access_level
+      WCC::Auth::AccessLevel[access_level_id || :none]
+    end
+
+    def has_access?(level)
+      access_level >= WCC::Auth::AccessLevel[level]
+    end
+
+  end
+
+  def self.included(receiver)
+    receiver.send :extend, ClassMethods
+    receiver.send :include, InstanceMethods
+  end
+
+end
+

data/lib/wcc/auth/providers.rb

@@ -0,0 +1,8 @@
+module WCC
+  module Auth
+    module Providers
+    end
+  end
+end
+
+require 'wcc/auth/providers/active_record'

data/lib/wcc/auth/version.rb

@@ -0,0 +1,5 @@
+module WCC
+  module Auth
+    VERSION = "0.3.0"
+  end
+end

data/lib/wcc/auth.rb

@@ -0,0 +1,33 @@
+require "wcc/auth/version"
+require "wcc/auth/config"
+
+require "wcc/auth/access_level"
+require "wcc/auth/ability"
+require "wcc/auth/providers"
+require "wcc/auth/controller_helpers"
+
+require "omniauth"
+require "omniauth-oauth2"
+
+module WCC
+  module Auth
+
+    def self.setup
+      yield config
+      finalize
+    end
+
+    def self.config
+      @config ||= WCC::Auth::Config.new
+    end
+
+    def self.finalize
+      finalize_callbacks.each(&:call)
+    end
+
+    def self.finalize_callbacks
+      @finalize_callbacks ||= []
+    end
+
+  end
+end

data/spec/spec_helper.rb

@@ -0,0 +1,11 @@
+$LOAD_PATH.unshift(File.join(__FILE__, "..", "..", "lib"))
+
+require 'wcc/auth'
+
+RSpec.configure do |config|
+  config.treat_symbols_as_metadata_keys_with_true_values = true
+  config.run_all_when_everything_filtered = true
+  config.filter_run :focus
+
+  config.order = 'random'
+end

data/spec/wcc/auth/access_level_spec.rb

@@ -0,0 +1,65 @@
+require 'spec_helper'
+
+describe WCC::Auth::AccessLevel do
+  let(:klass) { WCC::Auth::AccessLevel }
+  let(:test_db) do
+    [
+      { id: 1, name: "Foo", slug: "foo", description: "foo", level: 2 },
+      { id: 2, name: "Bar", slug: "bar", description: "bar", level: 1 },
+    ]
+  end
+
+  describe "class indexing operators" do
+    subject { klass }
+
+    it "returns record by slug if symbol or string is passed" do
+      expect(klass["foo", test_db].level).to eq(2)
+      expect(klass[:bar, test_db].level).to eq(1)
+    end
+
+    it "returns record by level if number is passed" do
+      expect(klass[2, test_db].level).to eq(2)
+      expect(klass["1", test_db].level).to eq(1)
+    end
+
+    it "uses ACCESS_LEVELS db by default" do
+      expect(klass[:appadmin].slug).to eq("appadmin")
+    end
+  end
+
+  describe "::all class method" do
+    subject { klass }
+
+    it "returns array of records as listed in db argument" do
+      levels = subject.all(test_db)
+      expect(levels.count).to eq(2)
+      expect(levels.all? { |level| level.kind_of?(klass) }).to be_true
+    end
+
+    it "returns objects in level order" do
+      levels = subject.all(test_db)
+      expect(levels[0].slug).to eq("bar")
+      expect(levels[1].name).to eq("Foo")
+    end
+
+    it "uses ACCESS_LEVELS constant as DB if non provided" do
+      levels = subject.all
+      expect(levels.count).to eq(WCC::Auth::ACCESS_LEVELS.count)
+      expect(levels.last.slug).to eq("sysadmin")
+    end
+  end
+
+  describe "comparability" do
+    it "implements comparable methods" do
+      a = klass.new
+      b = klass.new
+      a.level = 1
+      b.level = 2
+      expect(a < b).to be_true
+      expect(b == a).to be_false
+      expect(b < a).to be_false
+    end
+  end
+
+end
+

data/spec/wcc/auth/config_spec.rb

@@ -0,0 +1,21 @@
+require 'spec_helper'
+
+describe WCC::Auth::Config do
+  let(:klass) { WCC::Auth::Config }
+
+  describe "default attributes" do
+    subject { klass.new }
+    it "sets authorize_site according to environment" do
+      subject.environment = :development
+      expect(subject.authorize_site).to eq("http://login.dev")
+      subject.environment = :production
+      expect(subject.authorize_site).to eq("https://login.watermark.org")
+    end
+
+    it "sets authorize_path" do
+      expect(subject.authorize_path).to eq("/oauth/authorize")
+    end
+  end
+
+
+end

data/spec/wcc/auth/tiered_ability_spec.rb

@@ -0,0 +1,89 @@
+require 'spec_helper'
+
+describe WCC::Auth::TieredAbility do
+  let(:klass) { WCC::Auth::TieredAbility }
+  let(:access_level) { WCC::Auth::AccessLevel }
+
+  describe "defining levels" do
+    it "stores blocks in ::levels" do
+      subclass = Class.new(klass) do
+        at_level(:basic) {}
+        at_level(:contribute) {}
+        at_level(:basic) {}
+      end
+      expect(subclass.levels[access_level[:basic]].size).to eq(2)
+      expect(subclass.levels[access_level[:contribute]].size).to eq(1)
+    end
+  end
+
+  describe "#initialize" do
+    it "grants access to the user's access_level" do
+      ability = Class.new(klass) do
+        at_level(:basic) { |user| user.ping }
+      end
+      user = double("User")
+      level = double("AccessLevel")
+      allow(level).to receive(:>=).and_return(true)
+      expect(user).to receive(:access_level).and_return(level)
+      expect(user).to receive(:ping)
+      ability.new(user)
+    end
+  end
+
+  describe "#grant_access_at" do
+    let(:mock_klass) {
+      Class.new(klass) do
+        def initialize(mock)
+          @user = mock
+        end
+      end
+    }
+
+    it "runs only the levels that the given access level allows" do
+      ability = Class.new(mock_klass) do
+        at_level(:basic) { |mock| mock.basic }
+        at_level(:appadmin) { |mock| mock.appadmin }
+      end
+      mock = double
+      expect(mock).to receive(:basic)
+      ability.new(mock).grant_access_at(access_level[:manage])
+    end
+
+    it "runs the blocks in the defined order" do
+      ability = Class.new(mock_klass) do
+        at_level(:appadmin) { |mock| mock.first }
+        at_level(:basic) { |mock| mock.second }
+        at_level(:manage) { |mock| mock.fourth }
+        at_level(:basic) { |mock| mock.third }
+      end
+      mock = double
+      expect(mock).to receive(:first).ordered
+      expect(mock).to receive(:second).ordered
+      expect(mock).to receive(:third).ordered
+      expect(mock).to receive(:fourth).ordered
+      ability.new(mock).grant_access_at(access_level[:sysadmin])
+    end
+  end
+
+  describe "subclassing" do
+    it "inherits defined levels from parent class" do
+      sub1 = Class.new(klass) do
+        at_level(:basic) {}
+      end
+      sub2 = Class.new(sub1)
+      expect(sub2.levels.size).to eq(1)
+    end
+
+    it "subclass and parent class have independent levels" do
+      sub1 = Class.new(klass) do
+        at_level(:basic) {}
+      end
+      sub2 = Class.new(sub1) do
+        at_level(:contribute) {}
+      end
+      expect(sub1.levels.size).to eq(1)
+      expect(sub2.levels.size).to eq(2)
+    end
+  end
+
+end

data/spec/wcc_auth_spec.rb

@@ -0,0 +1,33 @@
+require 'spec_helper'
+
+describe WCC::Auth do
+
+  before(:each) do
+    @previous_config = WCC::Auth.send(:instance_variable_get, :@config)
+    @previous_callbacks = WCC::Auth.send(:instance_variable_get, :@finalize_callbacks)
+  end
+
+  after(:each) do
+    WCC::Auth.send :instance_variable_set, :@config, @previous_config
+    WCC::Auth.send :instance_variable_set, :@finalize_callbacks, @previous_callbacks
+  end
+
+  describe "::setup class method" do
+    it "yields config with ::setup and sets it to ::config" do
+      the_config = nil
+      WCC::Auth.setup do |config|
+        expect(config).to be_a(WCC::Auth::Config)
+        the_config = config
+      end
+      expect(the_config).to eq(WCC::Auth.config)
+    end
+
+    it "calls finalize" do
+      ping = nil
+      WCC::Auth.finalize_callbacks << -> { ping = "pong" }
+      WCC::Auth.setup { |config| }
+      expect(ping).to eq("pong")
+    end
+  end
+
+end

data/wcc-auth.gemspec

@@ -0,0 +1,29 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'wcc/auth/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "wcc-auth"
+  spec.version       = WCC::Auth::VERSION
+  spec.authors       = ["Travis Petticrew"]
+  spec.email         = ["tpetticrew@watermark.org"]
+  spec.description   = %q{Authentication / Authorization library for Watermark apps}
+  spec.summary       = File.readlines("README.md").join
+  spec.homepage      = "https://github.com/watermarkchurch/wcc-auth"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files`.split($/)
+  spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
+  spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "cancancan", "~> 1.9.2"
+  spec.add_dependency "devise", "~> 3.1"
+  spec.add_dependency "omniauth", "~> 1.1"
+  spec.add_dependency "omniauth-oauth2", "~> 1.0"
+
+  spec.add_development_dependency "bundler", "~> 1.3"
+  spec.add_development_dependency "rake"
+  spec.add_development_dependency "rspec"
+end

metadata

@@ -0,0 +1,205 @@
+--- !ruby/object:Gem::Specification
+name: wcc-auth
+version: !ruby/object:Gem::Version
+  version: 0.3.0
+platform: ruby
+authors:
+- Travis Petticrew
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2014-09-11 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: cancancan
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.9.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.9.2
+- !ruby/object:Gem::Dependency
+  name: devise
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.1'
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.1'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Authentication / Authorization library for Watermark apps
+email:
+- tpetticrew@watermark.org
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- Gemfile
+- LICENSE.txt
+- README.md
+- Rakefile
+- lib/omniauth/strategies/watermark.rb
+- lib/wcc/auth.rb
+- lib/wcc/auth/ability.rb
+- lib/wcc/auth/access_level.rb
+- lib/wcc/auth/config.rb
+- lib/wcc/auth/controller_helpers.rb
+- lib/wcc/auth/devise.rb
+- lib/wcc/auth/devise/watermark_callbacks_controller.rb
+- lib/wcc/auth/providers.rb
+- lib/wcc/auth/providers/active_record.rb
+- lib/wcc/auth/version.rb
+- spec/spec_helper.rb
+- spec/wcc/auth/access_level_spec.rb
+- spec/wcc/auth/config_spec.rb
+- spec/wcc/auth/tiered_ability_spec.rb
+- spec/wcc_auth_spec.rb
+- wcc-auth.gemspec
+homepage: https://github.com/watermarkchurch/wcc-auth
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.2.2
+signing_key: 
+specification_version: 4
+summary: '# WCC::Auth  Provides the necessary tools for handling authentication through
+  Watermark''s OAuth provider as well as authorizing the user has access to specific
+  features within the application. There are special hooks for Rails apps using Devise,
+  but the primitive structures could be used on any Ruby project. Currently, the only
+  tested path is Rails with Devise.  ## Installation  Add this line to your application''s
+  Gemfile:  ```ruby gem ''wcc-auth'', ''~> 0.3.0'' ```  If you are using a Rails app
+  with Devise you can use a special require hook that will setup all the Devise specific
+  configuration for you.  ```ruby gem ''wcc-auth'', ''~> 0.3.0'', require: ''wcc/auth/devise''
+  ```  ## Configuration  There are a few steps to setup your app. These instructions
+  are specific to a Rails app.  #### Add the configuration block to an initializer  In
+  order to configure the gem you must run the `WCC::Auth.setup` block. See below for
+  an example:  ```ruby WCC::Auth.setup do |config| config.app_name = "app-name" config.environment
+  = Rails.env config.app_id = ''app-client-id-from-oauth-provider'' config.app_secret
+  = ''app-client-secret-from-oauth-provider'' end ```  #### Setup your controllers  ```ruby
+  # Add this include to your ApplicationController class ApplicationController < ActionController::Base
+  include WCC::Auth::ControllerHelpers end ```  #### Setup your user model  ```ruby
+  class User < ActiveRecord::Base include WCC::Auth::Providers::ActiveRecord  # ...  end
+  ```  #### Setup authorization (optional)  If you would like to use the `TieredAbility`
+  class included with `WCC::Auth` just create an Ability class that extends the `WCC::Auth::TieredAbility`
+  class. The authenticated user will include an info variables called `access_level_id`.
+  This corresponds to a `WCC::Auth::AccessLevel`.  The access levels are broken down
+  into 5 tiers with the following rules:  * **No access** -- This is the default level
+  * **Basic** -- This is provides read-only access * **Contribute** -- Read-write
+  for only data the user owns * **Manage** -- Read-write for other''s data * **App
+  Admin** -- Can change app configuration * **System Admin** -- Has full access to
+  all features always  Each tier inherits all priveleges of the lower tiers. The rules
+  here are guidelines for the app to follow. It is ultimately up to the client application
+  to decide what each of these tiers means for it. Do your best to adhere to these
+  rules.  Here is an example Ability class using the DSL provided by `WCC::Auth`.  ```ruby
+  class Ability < WCC::Auth::TieredAbility at_level(:contribute) do |user| can :read,
+  Person can :manage, Task, created_by_id: user.id can :manage, Comment, created_by_id:
+  user.id  cannot :destroy, Task end  at_level(:appadmin) do |user| can :manage, :all
+  cannot :create, TaskGroup end   at_level(:sysadmin) do |user| can :manage, :all
+  end end ```  ## Contributing  1. Fork it 2. Create your feature branch (`git checkout
+  -b my-new-feature`) 3. Commit your changes (`git commit -am ''Add some feature''`)
+  4. Push to the branch (`git push origin my-new-feature`) 5. Create new Pull Request'
+test_files:
+- spec/spec_helper.rb
+- spec/wcc/auth/access_level_spec.rb
+- spec/wcc/auth/config_spec.rb
+- spec/wcc/auth/tiered_ability_spec.rb
+- spec/wcc_auth_spec.rb