
Add drawbridge; Remove friend fixes with update

1 parent 465bc16 commit 40a7037a343a0a212bea798b3ce96106eaf02535 @xeqi xeqi committed Nov 17, 2012
Showing with 43 additions and 26 deletions.
  1. +8 −5 project.clj
  2. +6 −2 src/clojars/auth.clj
  3. +19 −18 src/clojars/web.clj
  4. +10 −1 test/clojars/test/integration/uploads.clj
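--- a/project.clj
+++ b/project.clj
@@ -8,21 +8,24 @@
 :exclusions
 [org.apache.httpcomponents/httpcore]]
 [s3-wagon-private "1.0.0"]
-[compojure "1.1.1"]
+[compojure "1.1.3"
+:exclusions [org.clojure/core.incubator]]
 [ring/ring-jetty-adapter "1.1.1"]
 [hiccup "1.0.1"]
-[cheshire "2.2.2"]
+[cheshire "3.0.0"]
 [korma "0.3.0-beta10"]
 [org.clojars.ato/nailgun "0.7.1"]
 [org.xerial/sqlite-jdbc "3.6.17"]
 [org.apache.commons/commons-email "1.2"]
-[net.cgrand/regex "1.0.1" :exclusions [org.clojure/clojure]]
+[net.cgrand/regex "1.0.1"
+:exclusions [org.clojure/clojure]]
 [clj-time "0.3.8"]
-[com.cemerick/friend "0.0.8"
+[com.cemerick/friend "0.1.2"
 :exclusions [org.openid4java/openid4java-nodeps]]
 [clj-stacktrace "0.2.4"]
 [ring-anti-forgery "0.2.0"]
-[valip "0.2.0"]]
+[valip "0.2.0"]
+[com.cemerick/drawbridge "0.0.6"]]
 :profiles {:test {:resource-paths ["test-resources"]
 :dependencies [[kerodon "0.0.7"]
 [nailgun-shim "0.0.1"]]}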
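--- a/src/clojars/auth.clj
+++ b/src/clojars/auth.clj
@@ -15,12 +15,16 @@
 (when (not (empty? password))
 {:username user :password password})))
+(def admin? #{"ato" "technomancy" "xeqi"})
+
 (defn authorized? [account group]
 (if account
 (let [names (group-membernames group)]
 (or (some #{account} names) (empty? names)))))
 (defmacro require-authorization [group & body]
 `(if (authorized? ~'account ~group)
-(do ~@body)
-(friend/throw-unauthorized friend/*identity*)))
+(do ~@body)
+(friend/throw-unauthorized friend/*identity*
+{:cemerick.friend/exprs (quote [~@body])
+:cemerick.friend/required-roles ~group})))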
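Review bot: `(def admin? #{"ato" "technomancy" "xeqi"})` hard-codes the administrator list in source, so adding or removing an admin (which in this commit means granting or revoking a remote REPL) needs a code change and redeploy, and the list ships with the repository; I would load it from configuration, e.g. `(def admin? (set (:admins config)))` with `config` from `clojars.config`, and put above it `;; usernames allowed through the /admin routes; membership grants remote code execution via drawbridge`. The new `:cemerick.friend/exprs (quote [~@body])` entry in the `throw-unauthorized` call embeds the protected body's source forms in the exception's ex-data; if any unauthorized handler renders that data into a response it would leak code, so it is worth confirming what consumes it (friend presumably uses it only for its own reporting). `require-authorization` still relies on a captured `account` symbol via `~'account`, which predates this commit.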
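--- a/src/clojars/web.clj
+++ b/src/clojars/web.clj
@@ -4,7 +4,7 @@
 find-user-by-user-or-email]]
 [clojars.config :refer [config]]
 [clojars.auth :refer [with-account try-account require-authorization
-get-user]]
+get-user admin?]]
 [clojars.repo :as repo]
 [clojars.friend.registration :as registration]
 [clojars.web.dashboard :refer [dashboard index-page]]
@@ -23,12 +23,13 @@
 [ring.middleware.resource :refer [wrap-resource]]
 [ring.util.response :refer [redirect status response]]
 [ring.middleware.anti-forgery :refer [wrap-anti-forgery]]
-[compojure.core :refer [defroutes GET POST PUT ANY context]]
+[compojure.core :refer [defroutes GET POST PUT ANY context routes]]
 [compojure.handler :refer [site]]
 [compojure.route :refer [not-found]]
 [cemerick.friend :as friend]
 [cemerick.friend.credentials :as creds]
-[cemerick.friend.workflows :as workflows]))
+[cemerick.friend.workflows :as workflows]
+[cemerick.drawbridge :as drawbridge]))
 (defroutes main-routes
 (GET "/search" {session :session params :params}
@@ -164,28 +165,28 @@
 (partial creds/bcrypt-credential-fn
 get-user)
 :workflows [(workflows/http-basic :realm "clojars")]
-:unauthorized-handler
-(partial workflows/http-basic-deny "clojars")})
+:allow-anon? false})
 (repo/wrap-file (:repo config))))
+(context "/admin" _
+(let [drawb (drawbridge/ring-handler)]
+(-> (routes (ANY "/repl" request
+(with-account
+(if (admin? account)
+(drawb request)))))
+(friend/authenticate
+{:credential-fn
+(partial creds/bcrypt-credential-fn
+get-user)
+:workflows [(workflows/http-basic :realm "clojars")]
+:allow-anon? false})
+(site))))
 (-> main-routes
-; Work around friend#20 and ring-anti-forgery#10
-((fn [h] (fn [r] (let [s (:session r)
-res (h r)]
-(if (:session res)
-res
-(assoc res :session s))))))
 (friend/authenticate
 {:credential-fn
 (partial creds/bcrypt-credential-fn
 get-user)
 :workflows [(workflows/interactive-form)
-registration/workflow]
-:login-uri "/login"
-:default-landing-uri "/"
-:unauthorized-handler
-(fn [r]
-(-> (redirect "/login")
-(assoc-in [:session ::friend/unauthorized-uri] (:uri r))))})
+registration/workflow]})
 (wrap-anti-forgery)
 (wrap-exceptions)
 (site)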
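Review bot: At the `ANY "/repl"` route, a caller who passes HTTP Basic authentication but is not in `admin?` gets `nil` from `(if (admin? account) (drawb request))`, so compojure treats the route as unmatched and the request falls through to whatever route comes next (presumably a 404) instead of being refused on purpose; I would make the denial explicit, e.g. `(friend/throw-unauthorized friend/*identity* {:cemerick.friend/required-roles #{:admin}})`, or a bare `{:status 403 :headers {} :body "Forbidden"}` if friend's unauthorized handling should stay out of it. Since `drawbridge/ring-handler` evaluates arbitrary forms for whoever passes that check, the route deserves a comment stating that it is remote code execution for the `admin?` set and must only be reachable over TLS; the hunk shows Basic credentials and evaluated code crossing this endpoint and nothing about transport security, so that requirement lives outside this file. Because the handler is wrapped in `(site)`, friend will presumably persist a successful Basic login in the ring session, so later evaluations are authorized by the session cookie alone, which is worth confirming and noting next to the route. The surrounding `routes`/application definition begins before this hunk.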
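--- a/test/clojars/test/integration/uploads.clj
+++ b/test/clojars/test/integration/uploads.clj
@@ -156,7 +156,16 @@
 (deftest put-on-html-fails
 (-> (session clojars-app)
-(visit "/repo/group/artifact/1.0.0/injection.html" :request-method :put)
+(register-as "dantheman" "test@example.org" "password" "")
+(visit "/repo/group/artifact/1.0.0/injection.html"
+:request-method :put
+:headers {"authorization"
+(str "Basic "
+(String. (base64/encode
+(.getBytes "dantheman:password"
+"UTF-8"))
+"UTF-8"))}
+:body "XSS here")
 (has (status? 400))))
 (deftest put-using-dotdot-fails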
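Review bot: Now that `put-on-html-fails` registers and authenticates before the PUT, nothing in this hunk asserts how an unauthenticated PUT to the repo is answered, even though the same commit switches that handler to `:allow-anon? false`; I would keep a sibling case such as `(deftest put-anonymously-fails (-> (session clojars-app) (visit "/repo/group/artifact/1.0.0/injection.html" :request-method :put) (has (status? 401))))` so a regression that lets anonymous uploads through fails on its own rather than being masked by the 400 check (the exact challenge status is presumably 401 from the http-basic workflow; confirm). The hand-built header `(str "Basic " (String. (base64/encode (.getBytes "dantheman:password" "UTF-8")) "UTF-8"))` is also worth extracting into a small `basic-auth-header` test helper if other upload tests repeat it, which I cannot see from this hunk. `put-using-dotdot-fails` continues past the end of the hunk.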
