Merge pull request #154 from pulibrary/auth-tokens

Token authentication for scripted access

app/controllers/auth_tokens_controller.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+class AuthTokensController < ApplicationController
+  before_action :set_auth_token, only: [:show, :edit, :update, :destroy]
+  authorize_resource only: [:new, :edit, :create, :update, :destroy]
+
+  # GET /auth_tokens
+  def index
+    @auth_tokens = AuthToken.all
+  end
+
+  # GET /auth_tokens/1
+  def show; end
+
+  # GET /auth_tokens/new
+  def new
+    @auth_token = AuthToken.new
+  end
+
+  # GET /auth_tokens/1/edit
+  def edit; end
+
+  # POST /auth_tokens
+  def create
+    @auth_token = AuthToken.new(auth_token_params)
+
+    if @auth_token.save
+      redirect_to @auth_token, notice: 'Auth token was successfully created.'
+    else
+      render :new
+    end
+  end
+
+  # PATCH/PUT /auth_tokens/1
+  def update
+    if @auth_token.update(auth_token_params)
+      redirect_to @auth_token, notice: 'Auth token was successfully updated.'
+    else
+      render :edit
+    end
+  end
+
+  # DELETE /auth_tokens/1
+  def destroy
+    @auth_token.destroy
+    redirect_to auth_tokens_url, notice: 'Auth token was successfully destroyed.'
+  end
+
+  private
+
+    # Use callbacks to share common setup or constraints between actions.
+    def set_auth_token
+      @auth_token = AuthToken.find(params[:id])
+    end
+
+    # Only allow a trusted parameter "white list" through.
+    def auth_token_params
+      params.require(:auth_token).permit(:label, group: [])
+    end
+end

app/controllers/collections_controller.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 class CollectionsController < ApplicationController
   include Valhalla::ResourceController
+  include TokenAuth
   self.change_set_class = DynamicChangeSet
   self.resource_class = Collection
   self.change_set_persister = ::PlumChangeSetPersister.new(

app/controllers/concerns/token_auth.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+module TokenAuth
+  extend ActiveSupport::Concern
+
+  included do
+    def current_ability
+      Ability.new(current_user, auth_token: params[:auth_token])
+    end
+  end
+end

app/controllers/file_sets_controller.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 class FileSetsController < ApplicationController
   include Valhalla::ResourceController
+  include TokenAuth
   self.change_set_class = DynamicChangeSet
   self.resource_class = FileSet
   self.change_set_persister = ::PlumChangeSetPersister.new(

app/controllers/scanned_resources_controller.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 class ScannedResourcesController < ApplicationController
   include Valhalla::ResourceController
+  include TokenAuth
   self.change_set_class = DynamicChangeSet
   self.resource_class = ScannedResource
   self.change_set_persister = ::PlumChangeSetPersister.new(

app/models/ability.rb

@@ -121,4 +121,60 @@ def roles
   def curation_concerns
     [ScannedResource]
   end
+
+  def auth_token
+    @auth_token ||= AuthToken.find_by(token: options[:auth_token]) || NilToken
+  end
+
+  class NilToken
+    def self.group
+      []
+    end
+  end
+
+  def current_user
+    TokenizedUser.new(super, auth_token)
+  end
+
+  class TokenizedUser < ::Draper::Decorator
+    attr_reader :auth_token
+    delegate_all
+
+    def initialize(user, auth_token)
+      @auth_token = auth_token
+      super(user)
+    end
+
+    def groups
+      @groups ||= super + auth_token.group
+    end
+
+    def ephemera_editor?
+      groups.include?('ephemera_editor')
+    end
+
+    def image_editor?
+      groups.include?('image_editor')
+    end
+
+    def editor?
+      groups.include?('editor')
+    end
+
+    def fulfiller?
+      groups.include?('fulfiller')
+    end
+
+    def curator?
+      groups.include?('curator')
+    end
+
+    def campus_patron?
+      persisted? && provider == "cas" || groups.include?('campus_patron')
+    end
+
+    def admin?
+      groups.include?('admin')
+    end
+  end
 end

app/models/auth_token.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+class AuthToken < ApplicationRecord
+  before_create :assign_token
+  before_save :clean_group
+  serialize :group, Array
+  validates :label, presence: true
+
+  private
+
+    def assign_token
+      self.token = SecureRandom.hex
+    end
+
+    def clean_group
+      self.group = group.select(&:present?)
+    end
+end

app/views/auth_tokens/_form.html.erb

@@ -0,0 +1,13 @@
+<%= simple_form_for(@auth_token) do |f| %>
+  <%= f.error_notification %>
+
+  <div class="form-inputs">
+    <%= f.input :label %>
+    <%= f.input :group, as: :multi_value %>
+    <%= f.input :token %>
+  </div>
+
+  <div class="form-actions">
+    <%= f.button :submit %>
+  </div>
+<% end %>

app/views/auth_tokens/edit.html.erb

@@ -0,0 +1,6 @@
+<h1>Editing Auth Token</h1>
+
+<%= render 'form', auth_token: @auth_token %>
+
+<%= link_to 'Show', @auth_token %> |
+<%= link_to 'Back', auth_tokens_path %>

app/views/auth_tokens/index.html.erb

@@ -0,0 +1,31 @@
+<p id="notice"><%= notice %></p>
+
+<h1>Auth Tokens</h1>
+
+<table>
+  <thead>
+    <tr>
+      <th>Label</th>
+      <th>Group</th>
+      <th>Token</th>
+      <th colspan="3"></th>
+    </tr>
+  </thead>
+
+  <tbody>
+    <% @auth_tokens.each do |auth_token| %>
+      <tr>
+        <td><%= auth_token.label %></td>
+        <td><%= auth_token.group %></td>
+        <td><%= auth_token.token %></td>
+        <td><%= link_to 'Show', auth_token %></td>
+        <td><%= link_to 'Edit', edit_auth_token_path(auth_token) %></td>
+        <td><%= link_to 'Destroy', auth_token, method: :delete, data: { confirm: 'Are you sure?' } %></td>
+      </tr>
+    <% end %>
+  </tbody>
+</table>
+
+<br>
+
+<%= link_to 'New Auth Token', new_auth_token_path %>

app/views/auth_tokens/new.html.erb

@@ -0,0 +1,5 @@
+<h1>New Auth Token</h1>
+
+<%= render 'form', auth_token: @auth_token %>
+
+<%= link_to 'Back', auth_tokens_path %>

app/views/auth_tokens/show.html.erb

@@ -0,0 +1,19 @@
+<p id="notice"><%= notice %></p>
+
+<p>
+  <strong>Label:</strong>
+  <%= @auth_token.label %>
+</p>
+
+<p>
+  <strong>Group:</strong>
+  <%= @auth_token.group %>
+</p>
+
+<p>
+  <strong>Token:</strong>
+  <%= @auth_token.token %>
+</p>
+
+<%= link_to 'Edit', edit_auth_token_path(@auth_token) %> |
+<%= link_to 'Back', auth_tokens_path %>

app/views/shared/_add_content.html.erb

@@ -18,6 +18,10 @@
         <li class="divider"></li>
         <li><%= link_to 'Manage Roles', role_management.roles_path, class: 'menu-heading manage-roles', role: 'menuitem' %></li>
       <% end %>
+      <% if can?(:create, AuthToken) %>
+        <li class="divider"></li>
+        <li><%= link_to 'Manage Auth Tokens', main_app.auth_tokens_path, class: 'menu-heading manage-auth-tokens', role: 'menuitem' %></li>
+      <% end %>
     </ul>
   </div>
 <% end %>

config/routes.rb

@@ -1,5 +1,6 @@
 # frozen_string_literal: true
 Rails.application.routes.draw do
+  resources :auth_tokens
   concern :exportable, Blacklight::Routes::Exportable.new
 
   resources :solr_documents, only: [:show], path: '/catalog', controller: 'catalog' do

db/migrate/20170831233259_create_auth_tokens.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+class CreateAuthTokens < ActiveRecord::Migration[5.1]
+  def change
+    create_table :auth_tokens do |t|
+      t.string :label
+      t.string :group
+      t.string :token
+
+      t.timestamps
+    end
+  end
+end

db/schema.rb

@@ -10,12 +10,20 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 20170807201421) do
+ActiveRecord::Schema.define(version: 20170831233259) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
   enable_extension "uuid-ossp"
 
+  create_table "auth_tokens", force: :cascade do |t|
+    t.string "label"
+    t.string "group"
+    t.string "token"
+    t.datetime "created_at", null: false
+    t.datetime "updated_at", null: false
+  end
+
   create_table "bookmarks", id: :serial, force: :cascade do |t|
     t.integer "user_id", null: false
     t.string "user_type"