generators/simple_roles/templates/migration.rb lib/identity/add_or_make_admin_user.rb lib/identity/cookie_token.rb lib/identity/nil_roles.rb lib/identity/password.rb lib/identity/simple_roles.rb lib/trustification/email_validation.rb @@ -67,6 +67,4 @@ module AuthenticationTestHelper ctrlr.stub!(:get_authorization).and_return(val) end <% end %> - end - generators/authenticated/templates/authentication_test_helper.rb @@ -14,7 +14,7 @@ protected # Use req[:for], not current_user, to make your decision # * :to => the requested action # * :on => the resource or resources request will act on - # * :extra => any extra information passed by the access control request + # * :context => any extra information passed by the access control request # # get_authorization can return # * nil/false will raise AccessDenied (demands) or deny access (requests) @@ -40,3 +40,23 @@ protected <%= model_name %>.is_a?(<%= class_name %>) end end + +User.class_eval do +protected + # + # Most roles/privileges are assigned explicitly: designating a user to be a + # moderator, granting 'push' permissions to a newly-hired programmer. + # + # Some are granted and revoked automatically, though. Many sites don't make a + # user active until they've verified their email address. A communal blog + # might not allow 'front-page posting' for the first month after joining. + # + # reconcile_privileges! lets the Policy module assign or revoke privileges + # based on the subject's current state. + # + def reconcile_privileges! occasion='', *more_info + logger.info "Reassigning privileges for #{self.class} id #{self.id}: #{occasion} #{more_info.to_json}" + # user is active if and only if email is verified. + # set_role!(:active, email_verified?) + end +end generators/authenticated/templates/security_policy.rb @@ -17,7 +17,7 @@ class SessionsController < ApplicationController begin login_by_password! params[:login], params[:password] rescue Exception => error - handle_signin_error error + handle_login_error error else # success! remember_me_flag = (params[:remember_me] == "1") handle_remember_cookie! remember_me_flag @@ -46,4 +46,22 @@ protected logger.warn "Failed login for '#{params[:login]}' from #{request.remote_ip} at #{Time.now.utc}: #{error}" end + # react to login failures + def handle_login_error error + logout_keeping_session! + begin + raise error + rescue AccountNotActive => error + log_failed_signin error + redirect_back_or_default('/') + rescue AccountNotFound, BadPassword => error + log_failed_signin error + try_again + rescue AuthenticationError, SecurityError => error + log_failed_signin error + redirect_back_or_default('/') + end + # general exceptions are uncaught + end + end generators/authenticated/templates/sessions_controller.rb @@ -55,8 +55,8 @@ describe SessionsController do describe "successfully" do it_should_behave_like "successful login" # password -# it "tries login" do controller.should_receive(:login_by_password!).with('test_login', 'monkey'); controller.stub!(:current_user).and_return(@user); do_login end -# it "becomes logged in through the front door" do controller.should_receive(:become_logged_in_as!).with(@user); controller.stub!(:current_user).and_return(@user); do_login end + it "tries login" do controller.should_receive(:login_by_password!).with('test_login', 'monkey'); controller.stub!(:current_user).and_return(@user); do_login end + it "becomes logged in through the front door" do controller.should_receive(:become_logged_in_as!).with(@user); controller.stub!(:current_user).and_return(@user); do_login end it "asks to authenticate me" do <%= class_name %>.should_receive(:authenticate_by_password).with('test_login', 'monkey'); do_login end # cookies it "sets cookie with remember me checked" do controller.should_receive(:handle_remember_cookie!).with(true); do_login(:remember_me => "1"); end generators/authenticated/templates/spec/controllers/sessions_controller_spec.rb @@ -40,7 +40,7 @@ describe <%= model_controller_class_name %>Controller do it "welcomes me nicely" do do_signup; response.flash[:notice].should =~ /Thank.*sign.*up/i end # auto login if authorized to do so it "logs me in" do controller.should_receive(:become_logged_in_as).with(@user).and_return(true); do_signup; end - it "only logs me in if authorized" do controller.should_receive(:get_authorization).with({:for => @user, :to => :login,:on=>nil,:extra=>nil}).and_return(true); do_signup; end + it "only logs me in if authorized" do controller.should_receive(:get_authorization).with({:for => @user, :to => :login,:on=>nil,:context=>nil}).and_return(true); do_signup; end it "doesn't fail if not authorized" do stub_auth!(controller, false); lambda{ do_signup }.should_not raise_error end it "does fail if other errors" do controller.stub!(:get_authorization).and_raise("frobnozz"); lambda{ do_signup }.should raise_error("frobnozz") end end generators/authenticated/templates/spec/controllers/users_controller_spec.rb @@ -44,7 +44,7 @@ describe Authentication do lambda{ b_l_i_a! false}.should raise_error(AuthenticationError) end it "asks for authorization" do - @mock_controller.should_receive(:get_authorization).at_least(:once).with({:for => @<%= model_name %>, :to => :login, :on => nil, :extra => nil}).and_return(true) + @mock_controller.should_receive(:get_authorization).at_least(:once).with({:for => @<%= model_name %>, :to => :login, :on => nil, :context => nil}).and_return(true) b_l_i_a! @<%= model_name %> end it "raises the given error if authorization fails" do @@ -58,7 +58,7 @@ describe Authentication do describe "become_logged_in_as!" do def b_l_i_a_no_raise(u) @mock_controller.send(:become_logged_in_as, u) end it "asks for authorization" do - @mock_controller.should_receive(:get_authorization).at_least(:once).with({:for => @<%= model_name %>, :to => :login, :on => nil, :extra => nil}).and_return(true) + @mock_controller.should_receive(:get_authorization).at_least(:once).with({:for => @<%= model_name %>, :to => :login, :on => nil, :context => nil}).and_return(true) b_l_i_a_no_raise @<%= model_name %> end it "raises an AuthenticationError unless <%= model_name %>" do generators/authenticated/templates/spec/lib/authentication_spec.rb @@ -1,5 +1,5 @@ class <%= class_name %> < ActiveRecord::Base - security_components :identity => [:password, :cookie_token] + security_components :security_policy, :identity => [:password, :cookie_token, :simple_roles] # Validation constants are in config/initializers/rest_auth_config.rb validates_presence_of :login generators/authenticated/templates/user.rb @@ -1,8 +1,5 @@ %w[ security_components - authentication - access_control - identity ].each do |f| require f end init.rb @@ -18,7 +18,7 @@ protected # Call with positional args (assumes current_user as the subject) # authorized? action, resource, *args # or call with options - # authorized? :for => user, :to => action, :on => resource, :extra => anything_extra + # authorized? :for => user, :to => action, :on => resource, :context => any_extra_context # # Examples: # authorized? :for => user, :to => :log_in_as_user # check if user is activated @@ -45,7 +45,7 @@ protected # Best for use with before_filter # # Fills in request from controller action params: - # :for => current_user, :to => action, :on => self.class, :extras => params + # :for => current_user, :to => action, :on => self.class, :context => params # # If user is not authorized, raises an AccessDenied exception; see # handle_access_denied, below. @@ -56,7 +56,7 @@ protected decision = get_authorization_with_args :for => current_user, :to => params[:action], :on => resource_guess, - :extras => params + :context => params raise(decision||AccessDenied) if is_denial?(decision) decision end @@ -71,10 +71,11 @@ protected end def parse_access_req_args *args req = args.extract_options! + req.assert_valid_keys(:for, :to, :on, :context) if args # ordered params - action, resource, extra = args - req.reverse_merge! :to => action, :on => resource, :extra => extra + action, resource, context = args + req.reverse_merge! :to => action, :on => resource, :context => context end # request on behalf of current user if none specified # (note that an explicit :for => nil or false is left untouched) lib/access_control.rb @@ -1,18 +1,5 @@ module Identity - # - # Define any user roles here -- eg :moderator or :admin. - # - # This example gives every user two roles: :user and :active, and no other. - # - # This is just a stub called by the authorization routines. Add logic over - # there if you want these roles to do anything. For more complex needs, see - # notes/RailsPlugins.txt for role-based security plugins - # - def has_role? role - [:user, :active].include? role - end - module ModelClassMethods # # Create a secure one-way hash of the input. @@ -32,6 +19,23 @@ module Identity end end + # + # Define any user roles here -- eg :moderator or :admin. + # + # This example gives every user two roles: :user and :active, and no other. + # + # This is just a stub called by the authorization routines. Add logic over + # there if you want these roles to do anything. For more complex needs, see + # notes/RailsPlugins.txt for role-based security plugins + # + def has_role? role + [:user, :active].include? role + end + + + # + # Validations + # # restful-authentication/notes/Tradeoffs.txt has more information on how these # validation formats were chosen. lib/identity.rb @@ -23,6 +23,7 @@ end def security_components(*args) SecurityComponents.walk_reqs(args).each do |concern| - include concern.to_s.classify.constantize + # require_dependency concern.to_s # causes double includes ?? + include concern.to_s.camelize.constantize end end lib/security_components.rb @@ -1,5 +1,74 @@ h2. Authorization +h2. Policy: rules for making authorization decisions. + +h3. Rules + +A _rule_ is a tuple specifying "(permission) for: (subjects) to (action) on +(resource), must (obligations) given (context)". For example, + * "it is /denied/ for /users/s to /grant permissions/ on /User/s -- must /log/ + * "it is /allowed/ for /admin/s to /destroy/ /Posts/s -- must (/give secondary password/) + * (allow, GLG-20s, launch, nukes, alerting NORAD, given DEFCON 5 and launch keys turned at same time) + + +The broadest approach is the Access Control Matrix: give the decision +(permission and obligations) for every combination of subject, action, and +resource. This obviously won't scale. + +One popular approach is Role Based Access Control. A Role maps (subjects) to +groups of (action, resource, decision). + +One implmentation would be: +* each subject can have_many UserRoles +* each resource has_one ResourceType +* there are a small number of enumerated actions +* a DecisionsRoles table gives an allow/deny for each (role, action, resource_type). +For example, + + * faculty {can, (create,update,submit), grants}, {can not, touch knobs, experiments} + * students {can not, touch knobs, experiments}, {can not, order with dept credit card, pizza} + * custodians {can, open, all rooms}, ... + * Snape is a _faculty_, Hermione is a _student_, CarlReed is a _janitor_ + +A large part of the appeal is that this is so easily implemented in a database: +rule-matching is a simple 'for all roles granted this subject, the decision for +this action and resource_type'. It's easy to add logic for permission and role +assignment: if the janitor WillHunting gets admitted as a student, we just add +that fact to the UsersRoles table; and if they build a level-5 clean room, they +can add a higher-priority rule revoking all access to that room, even to +custodians. + +There's a few ways this can become cumbersome. Context-based decisions don't +fit well: + * mogwai {can not, eat, food, if it's after midnight} + + + +* Rule matcher: find all rules matching the request. + This involves some interplay with the policy, especially if + + + + + + + + + + + + + + + + + + + + + + + "Best Practices for Authorization":http://www.owasp.org/index.php/Guide_to_Authorization # auth system should deny by default notes/Authorization.txt @@ -1,9 +1,8 @@ - app/models user.rb user/ - email_validation_mailer User::EmailValidationMailer + email_validation_mailer User::EmailValidationMailer email_validation_observer app/controllers @@ -19,14 +18,58 @@ app/views lib/email_validation +'if your email is validated, you are active" +"only active users can log in" +"users are not active if their email is not validated" +:access_control => [:must_validate_email_to_log_in] +must_validate_email_to_log_in + hooks have_role, answers 'no' to :active + => get_authorization must check user & active. + + # def has_role?() end + # def revoke_role!() end + # def grant_role!() end + # def set_role!() end + # alias_method :has_role!, :grant_role! + # alias_method :has_no_role, revoke_role! + # alias_method :has_role, grant_role! + # def accepts_no_role() end + # def accepts_role() end -'if your email is validated, you are active" +--------------------------------------------------------------------------- +** need to make it work invariantly with user=nil meanin :anon role + bq. access_control [:new, :create, :update, :edit] => '(admin | user | + moderator)', :delete => 'admin' + <% restrict_to "(admin | moderator) & !blacklist" do %> + <%= link_to "Admin & Moderator only link", :action =>'foo' %> + <% end %> -"only active users can log in" +--------------------------------------------------------------------------- -"users are not active if their email is not validated" +Roles: + "grant role" 25 700 + "assign role" 128 000 + "assign role" security 122 000 + "revoke role" security 9 900 + "revoke role" 14 600 + "remove role" security 9 500 + "remove role" 21 500 + security deny permit 476 000 + security deny allow 2 210 000 +permissions grant / revoke / set (true|false) + +roles assign / remove / set (true|false) +policies allow / deny / restrict (with=>Proc) +outcomes allow / deny +obligations +* redirect, +* render +* verify (re-authenticate) +* confirm (are you sure?) +* log +* escalate (secondary passwd) notes/ComponentLayout.txt @@ -3,7 +3,7 @@ h1. Rails Authentication, Authorization and Access Control plugins h2. Authentication plugins * http://github.com/technoweenie/restful-authentication/tree/master -- the accepted standard for authentication -* http://github.com/mrflip/restful-authentication/tree/master -- my fork of restful_authentication with more modularity, more specs and a few security tweaks +* http://github.com/mrflip/restful-authentication/tree/master -- mrflip's fork of restful_authentication with more modularity, more specs and a few security tweaks * http://github.com/josh/open_id_authentication/tree/master -- OpenID authentication h2. Authorization plugins @@ -12,66 +12,128 @@ From * http://agilewebdevelopment.com/plugins/tag/security * http://www.vaporbase.com/postings/Authorization_in_Rails -* http://github.com/jbarket/restful-authorization/tree/master +List: -* http://agilewebdevelopment.com/plugins/rolerequirement +* restful-authorization + http://github.com/jbarket/restful-authorization/tree/master + +* role_requirement + http://agilewebdevelopment.com/plugins/rolerequirement http://code.google.com/p/rolerequirement/ http://rolerequirement.googlecode.com/svn/tags/role_requirement/ 9 votes -* http://github.com/ezmobius/acl_system2/ +* ACL System 2 + http://github.com/ezmobius/acl_system2/ http://agilewebdevelopment.com/plugins/acl_system http://opensvn.csie.org/ezra/rails/plugins/dev/acl_system2/ last touched 2006 57 votes on AWD * also: http://agilewebdevelopment.com/plugins/acl_system2_ownership - bq. access_control [:new, :create, :update, :edit] => '(admin | user | - moderator)', :delete => 'admin' - <% restrict_to "(admin | moderator) & !blacklist" do %> - <%= link_to "Admin & Moderator only link", :action =>'foo' %> - <% end %> - -* Authorization Recipe (from Rails Recipes #32) - http://www.vaporbase.com/postings/Authorization_in_Rails - http://opensvn.csie.org/mabs29/plugins/simple_access_control - -* Active ACL - http://phpgacl.sourceforge.net/demo/phpgacl/docs/manual.html - (Access-matrix driven) - -* http://github.com/aiwilliams/access_controlled_system - -* http://agilewebdevelopment.com/plugins/access - -* http://robzon.aenima.pl/2007/12/base-auth-is-out.html - http://agilewebdevelopment.com/plugins/base_auth - http://base-auth.googlecode.com/svn/trunk/ - 40 votes - -* http://agilewebdevelopment.com/plugins/authorization +* Rails-Authorization (see below) + http://agilewebdevelopment.com/plugins/authorization http://www.writertopia.com/developers/authorization http://github.com/DocSavage/rails-authorization-plugin/tree/master - Opaque policy descriptions 19 votes -* http://github.com/shuber/access_control_list/ - Not much there yet - -* https://opensvn.csie.org/traccgi/tobionrails - http://agilewebdevelopment.com/plugins/access_control - http://opensvn.csie.org/tobionrails/plugins/access_control - last touched 1 year ago - -* http://github.com/mdarby/restful_acl/ - -- google code too -- - Just does REST? More of an app than a plugin. - -* http://github.com/stonean/lockdown/tree/master - http://lockdown.rubyforge.org - http://groups.google.com/group/stonean_lockdown?hl=en - "Lockdown stores an array of access rights in the session" - +* Others: +** http://github.com/aiwilliams/access_controlled_system +** http://agilewebdevelopment.com/plugins/access +** http://robzon.aenima.pl/2007/12/base-auth-is-out.html + http://agilewebdevelopment.com/plugins/base_auth + http://base-auth.googlecode.com/svn/trunk/ + 40 votes +** Authorization Recipe (from Rails Recipes #32) + http://www.vaporbase.com/postings/Authorization_in_Rails + http://opensvn.csie.org/mabs29/plugins/simple_access_control +** Active ACL + http://phpgacl.sourceforge.net/demo/phpgacl/docs/manual.html + (Access-matrix driven) +** http://github.com/shuber/access_control_list/ +** https://opensvn.csie.org/traccgi/tobionrails + http://agilewebdevelopment.com/plugins/access_control + http://opensvn.csie.org/tobionrails/plugins/access_control + last touched 1 year ago +** http://github.com/mdarby/restful_acl/ +** http://github.com/stonean/lockdown/tree/master + http://lockdown.rubyforge.org + http://groups.google.com/group/stonean_lockdown?hl=en + "Lockdown stores an array of access rights in the session" + +--------------------------------------------------------------------------- +h3. rails-authorization + + authorization + roles are (user, role), (user, role, rsrc_type), or (user, role, rsrc_instance) + + has_role? + has_role, has_no_role + accepts_role? + accepts_role + accepts_no_role + + # user.is_member? --> Returns true if user has any role of "member" + # user.is_member_of? this_workshop --> Returns true/false. Must have authorizable object after query. + # user.is_eligible_for [this_award] --> Gives user the role "eligible" for "this_award" + # user.is_moderator --> Gives user the general role "moderator" (not tied to any class or object) + # user.is_candidate_of_what --> Returns array of objects for which this user is a "candidate" (any type) + # user.is_candidate_of_what(Party) --> Returns array of objects for which this user is a "candidate" (only 'Party' type) + user.is_role? + user.is_/role_name/ + user.is_no[t]?_role? + user.is_no[t]?_/role_name/ + + # model.has_members --> Returns array of users which have role "member" on that model + # model.has_members? --> Returns true/false + model.has_/.*/? + model.has_/.*/ + + Tables: + roles_users role_id, user_id + roles name, rsrc_type, rsrc_id + + access control: + self.permit + permit? + permit + has_permission? + +--------------------------------------------------------------------------- +h3. Restful Authorization + + authorization & policy + Largely defined in access control statements. + Rules are deny-only with default allow + Users can have /roles/ and /states/, which may be denied separately. + + tables: + roles name + roles_users join + + access control: + authorize_role + authorize_state + authorize_/action/ => calls action_is_authorized? + self.require_authorization + => adds before_filter :check_authorization, + keeps its own options hash + takes the standard before_filter args: + :only, :except, :if => proc_or_string, :unless => proc_or_string + + outcome: + default allow, rules can only deny. + obligations: + On deny: + :redirect_url => "/session/new" + :render_url => { :file => "#{RAILS_ROOT}/public/404.html" }, :status => "404" + (else falls through to access_denied) + On success: + redirect_back_or_default can be called by code + next_authorized_url_for?(user, {:controller=>, :action=>, ...params...}, binding) + => acts as a rule chain, giving a (deny, redirect or render) or nil for success + +*************************************************************************** h2. Trust / Validation etc. plugins notes/RailsPlugins.txt 682c8f9193d9d4f38e34cdcb0fb772c5594b052f Philip (flip) Kromer flip@infochimps.org http://github.com/technoweenie/restful-authentication/commit/673fcf889fe420a1dd20ec7e9306af9287286d62 673fcf889fe420a1dd20ec7e9306af9287286d62 2008-06-01T23:11:29-07:00 2008-06-01T23:11:29-07:00 Added simple roles, simple automatic role assignment hook; minor fixes: * handle_login_error lives in sessions_controller, as it should * get_authorization takes :context => /anything extra/ (was spelled :extra) * security_components uses .camelize, not .classify (so that pluralization remains intact) * some notes on existing rails plugins, and on rule resolution / policy / authz f4c5ef381bde1ae88d84ce9928ac2d9751c926d1 Philip (flip) Kromer flip@infochimps.org