16 files changed, 152 insertions, 53 deletions

diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
new file mode 100644
index 0000000..0aa9507
--- /dev/null
+++ b/app/controllers/api_controller.rb
@@ -0,0 +1,11 @@
+class ApiController < ApplicationController
+
+  skip_before_filter :verify_authenticity_token
+  respond_to :json
+
+  def require_login
+    require_token
+  end
+
+end
+
diff --git a/app/controllers/controller_extension/authentication.rb b/app/controllers/controller_extension/authentication.rb
index 1f73f38..e2b24f0 100644
--- a/app/controllers/controller_extension/authentication.rb
+++ b/app/controllers/controller_extension/authentication.rb
@@ -16,7 +16,7 @@ module ControllerExtension::Authentication
   end
 
   def require_login
-    access_denied unless logged_in?
+    login_required unless logged_in?
   end
 
   # some actions only make sense if you are not logged in yet.
@@ -26,21 +26,6 @@ module ControllerExtension::Authentication
     redirect_to home_url if logged_in?
   end
 
-  def access_denied
-    respond_to do |format|
-      format.html do
-        if logged_in?
-          redirect_to home_url, :alert => t(:not_authorized)
-        else
-          redirect_to login_url, :alert => t(:not_authorized_login)
-        end
-      end
-      format.json do
-        render :json => {'error' => t(:not_authorized)}, status: :unprocessable_entity
-      end
-    end
-  end
-
   def admin?
     current_user.is_admin?
   end
diff --git a/app/controllers/controller_extension/errors.rb b/app/controllers/controller_extension/errors.rb
new file mode 100644
index 0000000..8f8edde
--- /dev/null
+++ b/app/controllers/controller_extension/errors.rb
@@ -0,0 +1,34 @@
+module ControllerExtension::Errors
+  extend ActiveSupport::Concern
+
+  protected
+
+  def access_denied
+    respond_to_error :not_authorized, :forbidden, home_url
+  end
+
+  def login_required
+    # Warden will intercept the 401 response and call
+    # SessionController#unauthenticated instead.
+    respond_to_error :not_authorized_login, :unauthorized, login_url
+  end
+
+  def not_found
+    respond_to_error :not_found, :not_found, home_url
+  end
+
+
+  def respond_to_error(message, status=nil, redirect=nil)
+    error = message
+    message = t(message) if message.is_a?(Symbol)
+    respond_to do |format|
+      format.html do
+        redirect_to redirect, alert: message
+      end
+      format.json do
+        status ||= :unprocessable_entity
+        render json: {error: error, message: message}, status: status
+      end
+    end
+  end
+end
diff --git a/app/controllers/users_base_controller.rb b/app/controllers/controller_extension/fetch_user.rb
index 9becf0d..695d723 100644
--- a/app/controllers/users_base_controller.rb
+++ b/app/controllers/controller_extension/fetch_user.rb
@@ -1,8 +1,10 @@
 #
-# common base class for all user related controllers
+# fetch the user taking into account permissions.
+# While normal users can only change settings for themselves
+# admins can change things for all users.
 #
-
-class UsersBaseController < ApplicationController
+module ControllerExtension::FetchUser
+  extend ActiveSupport::Concern
 
   protected
 
diff --git a/app/controllers/controller_extension/json_file.rb b/app/controllers/controller_extension/json_file.rb
new file mode 100644
index 0000000..6be919a
--- /dev/null
+++ b/app/controllers/controller_extension/json_file.rb
@@ -0,0 +1,23 @@
+module ControllerExtension::JsonFile
+  extend ActiveSupport::Concern
+  include ControllerExtension::Errors
+
+  protected
+
+  def send_file
+    if stale?(:last_modified => @file.mtime)
+      response.content_type = 'application/json'
+      render :text => @file.read
+    end
+  end
+
+  def fetch_file
+    if File.exists?(@filename)
+      @file = File.new(@filename)
+    else
+      not_found
+    end
+  end
+
+end
+
diff --git a/app/controllers/controller_extension/token_authentication.rb b/app/controllers/controller_extension/token_authentication.rb
index b0ed624..4ad1977 100644
--- a/app/controllers/controller_extension/token_authentication.rb
+++ b/app/controllers/controller_extension/token_authentication.rb
@@ -1,6 +1,8 @@
 module ControllerExtension::TokenAuthentication
   extend ActiveSupport::Concern
 
+  protected
+
   def token
     @token ||= authenticate_with_http_token do |token, options|
       Token.find_by_token(token)
@@ -12,7 +14,7 @@ module ControllerExtension::TokenAuthentication
   end
 
   def require_token
-    access_denied unless token_authenticate
+    login_required unless token_authenticate
   end
 
   def logout
diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 8919a4d..66eba40 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -16,6 +16,13 @@ class SessionsController < ApplicationController
   end
 
   #
+  # Warden will catch all 401s and run this instead:
+  #
+  def unauthenticated
+    login_required
+  end
+
+  #
   # this is a bad hack, but user_url(user) is not available
   # also, this doesn't work because the redirect happens as a PUT. no idea why.
   #
diff --git a/app/controllers/static_config_controller.rb b/app/controllers/static_config_controller.rb
index c669316..c78e006 100644
--- a/app/controllers/static_config_controller.rb
+++ b/app/controllers/static_config_controller.rb
@@ -2,23 +2,28 @@
 # This controller is responsible for returning some static config files, such as /provider.json
 #
 class StaticConfigController < ActionController::Base
+  include ControllerExtension::JsonFile
 
-  PROVIDER_JSON = File.join(Rails.root, 'config', 'provider', 'provider.json')
+  before_filter :set_minimum_client_version
+  before_filter :set_filename
+  before_filter :fetch_file
+
+  PROVIDER_JSON = Rails.root.join('config', 'provider', 'provider.json')
 
-  #
-  # return the provider.json, ensuring that the header X-Minimum-Client-Version is sent
-  # regardless if a 200 or 304 (not modified) response is sent.
-  #
   def provider
-    response.headers["X-Minimum-Client-Version"] = APP_CONFIG[:minimum_client_version].to_s
-    if File.exists?(PROVIDER_JSON)
-      if stale?(:last_modified => File.mtime(PROVIDER_JSON))
-        response.content_type = 'application/json'
-        render :text => File.read(PROVIDER_JSON)
-      end
-    else
-      render :text => 'not found', :status => 404
-    end
+    send_file
   end
 
-end
\ No newline at end of file
+  protected
+
+  # ensure that the header X-Minimum-Client-Version is sent
+  # regardless if a 200 or 304 (not modified) or 404 response is sent.
+  def set_minimum_client_version
+    response.headers["X-Minimum-Client-Version"] =
+      APP_CONFIG[:minimum_client_version].to_s
+  end
+
+  def set_filename
+    @filename = PROVIDER_JSON
+  end
+end
diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index 0f822cb..dcf7607 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -2,7 +2,8 @@
 # This is an HTML-only controller. For the JSON-only controller, see v1/users_controller.rb
 #
 
-class UsersController < UsersBaseController
+class UsersController < ApplicationController
+  include ControllerExtension::FetchUser
 
   before_filter :require_login, :except => [:new]
   before_filter :redirect_if_logged_in, :only => [:new]
diff --git a/app/controllers/v1/certs_controller.rb b/app/controllers/v1/certs_controller.rb
index b6d1d0b..68d6586 100644
--- a/app/controllers/v1/certs_controller.rb
+++ b/app/controllers/v1/certs_controller.rb
@@ -1,4 +1,4 @@
-class V1::CertsController < ApplicationController
+class V1::CertsController < ApiController
 
   before_filter :require_login, :unless => :anonymous_certs_allowed?
 
diff --git a/app/controllers/v1/configs_controller.rb b/app/controllers/v1/configs_controller.rb
new file mode 100644
index 0000000..accdf5a
--- /dev/null
+++ b/app/controllers/v1/configs_controller.rb
@@ -0,0 +1,34 @@
+class V1::ConfigsController < ApiController
+  include ControllerExtension::JsonFile
+
+  before_filter :require_login
+  before_filter :sanitize_filename, only: :show
+  before_filter :fetch_file, only: :show
+
+  def index
+    render json: {services: service_paths}
+  end
+
+  def show
+    send_file
+  end
+
+  SERVICES = {
+    soledad: "soledad-service.json",
+    eip: "eip-service.json",
+    smtp: "smtp-service.json"
+  }
+
+  protected
+
+  def service_paths
+    Hash[SERVICES.map{|k,v| [k,"/1/configs/#{v}"] } ]
+  end
+
+  def sanitize_filename
+    @filename = params[:id].downcase
+    @filename += '.json' unless @filename.ends_with?('.json')
+    access_denied unless SERVICES.values.include? name
+    @filename = Rails.root.join('public', '1', 'config', @filename)
+  end
+end
diff --git a/app/controllers/v1/messages_controller.rb b/app/controllers/v1/messages_controller.rb
index 85156b7..a9b93a9 100644
--- a/app/controllers/v1/messages_controller.rb
+++ b/app/controllers/v1/messages_controller.rb
@@ -1,10 +1,7 @@
 module V1
-  class MessagesController < ApplicationController
+  class MessagesController < ApiController
 
-    skip_before_filter :verify_authenticity_token
-    before_filter :require_token
-
-    respond_to :json
+    before_filter :require_login
 
     def index
       render json: current_user.messages
diff --git a/app/controllers/v1/services_controller.rb b/app/controllers/v1/services_controller.rb
index 594940e..114870f 100644
--- a/app/controllers/v1/services_controller.rb
+++ b/app/controllers/v1/services_controller.rb
@@ -1,6 +1,4 @@
-class V1::ServicesController < ApplicationController
-
-  respond_to :json
+class V1::ServicesController < ApiController
 
   def show
     respond_with current_user.effective_service_level
diff --git a/app/controllers/v1/sessions_controller.rb b/app/controllers/v1/sessions_controller.rb
index d88fcdc..a343d9b 100644
--- a/app/controllers/v1/sessions_controller.rb
+++ b/app/controllers/v1/sessions_controller.rb
@@ -1,8 +1,7 @@
 module V1
-  class SessionsController < ApplicationController
+  class SessionsController < ApiController
 
-    skip_before_filter :verify_authenticity_token
-    before_filter :require_token, only: :destroy
+    before_filter :require_login, only: :destroy
 
     def new
       @session = Session.new
diff --git a/app/controllers/v1/smtp_certs_controller.rb b/app/controllers/v1/smtp_certs_controller.rb
index 377a49c..fa53b26 100644
--- a/app/controllers/v1/smtp_certs_controller.rb
+++ b/app/controllers/v1/smtp_certs_controller.rb
@@ -1,4 +1,4 @@
-class V1::SmtpCertsController < ApplicationController
+class V1::SmtpCertsController < ApiController
 
   before_filter :require_login
   before_filter :require_email_account
diff --git a/app/controllers/v1/users_controller.rb b/app/controllers/v1/users_controller.rb
index abaefd8..bfa04fc 100644
--- a/app/controllers/v1/users_controller.rb
+++ b/app/controllers/v1/users_controller.rb
@@ -1,10 +1,10 @@
 module V1
-  class UsersController < UsersBaseController
+  class UsersController < ApiController
+    include ControllerExtension::FetchUser
 
-    skip_before_filter :verify_authenticity_token
     before_filter :fetch_user, :only => [:update]
     before_filter :require_admin, :only => [:index]
-    before_filter :require_token, :only => [:update]
+    before_filter :require_login, :only => [:index, :update]
     before_filter :require_registration_allowed, only: :create
 
     respond_to :json
@@ -29,11 +29,12 @@ module V1
       respond_with @user
     end
 
+    protected
+
     def require_registration_allowed
       unless APP_CONFIG[:allow_registration]
         head :forbidden
       end
     end
-
   end
 end