From c63791c7ffacb7c6cfc685e2654ffe66f0a6b185 Mon Sep 17 00:00:00 2001 From: elijah Date: Sun, 20 Mar 2016 01:13:24 -0700 Subject: api tokens: allow for special api tokens that work like session tokens but are configured in the static config, to be used for infrastructure monitoring. --- app/controllers/controller_extension/token_authentication.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers') diff --git a/app/controllers/controller_extension/token_authentication.rb b/app/controllers/controller_extension/token_authentication.rb index 4ad1977..15ddef7 100644 --- a/app/controllers/controller_extension/token_authentication.rb +++ b/app/controllers/controller_extension/token_authentication.rb @@ -5,7 +5,7 @@ module ControllerExtension::TokenAuthentication def token @token ||= authenticate_with_http_token do |token, options| - Token.find_by_token(token) + Token.find_by_token(token) || ApiToken.find_by_token(token) end end -- cgit v1.2.3 From 67b5aa4198e0f6ab2cd29767aedcb4bf5b5dc4d9 Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 28 Mar 2016 15:52:21 -0700 Subject: api tokens - clarify terms: "monitors" are admins that authenticated via api token, "tmp" users are users that exist only in tmp db, "test" users are either tmp users or users named "test_user_x" --- app/controllers/controller_extension/errors.rb | 11 ++++++----- app/controllers/controller_extension/fetch_user.rb | 20 +++++++++++++++++--- 2 files changed, 23 insertions(+), 8 deletions(-) (limited to 'app/controllers') diff --git a/app/controllers/controller_extension/errors.rb b/app/controllers/controller_extension/errors.rb index 8f8edde..2b68955 100644 --- a/app/controllers/controller_extension/errors.rb +++ b/app/controllers/controller_extension/errors.rb @@ -4,21 +4,22 @@ module ControllerExtension::Errors protected def access_denied - respond_to_error :not_authorized, :forbidden, home_url + render_error :not_authorized, :forbidden, home_url end def login_required # Warden will intercept the 401 response and call # SessionController#unauthenticated instead. - respond_to_error :not_authorized_login, :unauthorized, login_url + render_error :not_authorized_login, :unauthorized, login_url end - def not_found - respond_to_error :not_found, :not_found, home_url + def not_found(msg=nil, url=nil) + render_error(msg || :not_found, :not_found, url || home_url) end + private - def respond_to_error(message, status=nil, redirect=nil) + def render_error(message, status=nil, redirect=nil) error = message message = t(message) if message.is_a?(Symbol) respond_to do |format| diff --git a/app/controllers/controller_extension/fetch_user.rb b/app/controllers/controller_extension/fetch_user.rb index 695d723..97f92fa 100644 --- a/app/controllers/controller_extension/fetch_user.rb +++ b/app/controllers/controller_extension/fetch_user.rb @@ -8,11 +8,25 @@ module ControllerExtension::FetchUser protected + # + # fetch @user from params, but enforce permissions: + # + # * admins may fetch any user + # * monitors may fetch test users + # * users may fetch themselves + # + # these permissions matter, it is what protects + # users from being updated or deleted by other users. + # def fetch_user @user = User.find(params[:user_id] || params[:id]) - if !@user && admin? - redirect_to users_url, :alert => t(:no_such_thing, :thing => 'user') - elsif !admin? && @user != current_user + if current_user.is_admin? || current_user.is_monitor? + if @user.nil? + not_found(t(:no_such_thing, :thing => 'user'), users_url) + elsif current_user.is_monitor? + access_denied unless @user.is_test? + end + elsif @user != current_user access_denied end end -- cgit v1.2.3 From e072ac2fa8bc93ed782df1ff95130f4794f9640f Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 28 Mar 2016 15:55:19 -0700 Subject: api: added allow ability to limit what IPs can access api using a static configured auth token. --- app/controllers/controller_extension/token_authentication.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/controllers') diff --git a/app/controllers/controller_extension/token_authentication.rb b/app/controllers/controller_extension/token_authentication.rb index 15ddef7..c41d61b 100644 --- a/app/controllers/controller_extension/token_authentication.rb +++ b/app/controllers/controller_extension/token_authentication.rb @@ -5,7 +5,7 @@ module ControllerExtension::TokenAuthentication def token @token ||= authenticate_with_http_token do |token, options| - Token.find_by_token(token) || ApiToken.find_by_token(token) + Token.find_by_token(token) || ApiToken.find_by_token(token, request.headers['REMOTE_ADDR']) end end -- cgit v1.2.3 From 9a8577a2d19aa51318dce6ff9ffe1bd26f25c09e Mon Sep 17 00:00:00 2001 From: elijah Date: Mon, 28 Mar 2016 15:56:21 -0700 Subject: api: added get(:show) to identities and users, allow monitors to create/delete test & tmp users. --- .../controller_extension/authentication.rb | 6 +++ app/controllers/v1/identities_controller.rb | 12 +++++ app/controllers/v1/users_controller.rb | 51 ++++++++++++++++++---- 3 files changed, 61 insertions(+), 8 deletions(-) create mode 100644 app/controllers/v1/identities_controller.rb (limited to 'app/controllers') diff --git a/app/controllers/controller_extension/authentication.rb b/app/controllers/controller_extension/authentication.rb index e2b24f0..63b9e5f 100644 --- a/app/controllers/controller_extension/authentication.rb +++ b/app/controllers/controller_extension/authentication.rb @@ -34,6 +34,12 @@ module ControllerExtension::Authentication access_denied unless admin? end + def require_monitor + unless current_user.is_monitor? || current_user.is_admin? + access_denied + end + end + def authentication_errors return unless attempted_login? errors = get_warden_errors diff --git a/app/controllers/v1/identities_controller.rb b/app/controllers/v1/identities_controller.rb new file mode 100644 index 0000000..1d8c542 --- /dev/null +++ b/app/controllers/v1/identities_controller.rb @@ -0,0 +1,12 @@ +module V1 + class IdentitiesController < ApiController + before_filter :token_authenticate + before_filter :require_monitor + + def show + @identity = Identity.find_by_address(params[:id]) + respond_with @identity + end + + end +end diff --git a/app/controllers/v1/users_controller.rb b/app/controllers/v1/users_controller.rb index 2e840d9..8296eb0 100644 --- a/app/controllers/v1/users_controller.rb +++ b/app/controllers/v1/users_controller.rb @@ -2,10 +2,12 @@ module V1 class UsersController < ApiController include ControllerExtension::FetchUser + # allow optional access to this controller using API auth tokens: + before_filter :token_authenticate + before_filter :fetch_user, :only => [:update, :destroy] - before_filter :require_admin, :only => [:index] + before_filter :require_monitor, :only => [:index, :show] before_filter :require_login, :only => [:index, :update, :destroy] - before_filter :require_registration_allowed, only: :create respond_to :json @@ -19,9 +21,27 @@ module V1 end end + def show + if params[:login] + @user = User.find_by_login(params[:login]) + elsif params[:id] + @user = User.find(params[:id]) + end + if @user + respond_with @user + else + not_found + end + end + def create - @user = Account.create(params[:user]) - respond_with @user # return ID instead? + if current_user.is_monitor? + create_test_account + elsif APP_CONFIG[:allow_registration] + create_account + else + head :forbidden + end end def update @@ -30,19 +50,34 @@ module V1 end def destroy - @user.account.destroy(params[:identities] == "destroy") + destroy_identity = current_user.is_monitor? || params[:identities] == "destroy" + @user.account.destroy(destroy_identity) if @user == current_user logout end render :json => {'success' => 'user deleted'} end - protected + private + + # tester auth can only create test users. + def create_test_account + if User::is_test?(params[:user][:login]) + @user = Account.create(params[:user]) + respond_with @user + else + head :forbidden + end + end - def require_registration_allowed - unless APP_CONFIG[:allow_registration] + def create_account + if APP_CONFIG[:allow_registration] + @user = Account.create(params[:user]) + respond_with @user # return ID instead? + else head :forbidden end end + end end -- cgit v1.2.3 From 48acca107b9bd7a59bacb1449b042eb753e63917 Mon Sep 17 00:00:00 2001 From: elijah Date: Wed, 30 Mar 2016 17:06:32 -0700 Subject: api: return proper 404 for GET /1/identities/:id.json --- app/controllers/controller_extension/errors.rb | 3 +++ app/controllers/v1/identities_controller.rb | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) (limited to 'app/controllers') diff --git a/app/controllers/controller_extension/errors.rb b/app/controllers/controller_extension/errors.rb index 2b68955..3d919b0 100644 --- a/app/controllers/controller_extension/errors.rb +++ b/app/controllers/controller_extension/errors.rb @@ -6,16 +6,19 @@ module ControllerExtension::Errors def access_denied render_error :not_authorized, :forbidden, home_url end + alias_method :render_access_denied, :access_denied def login_required # Warden will intercept the 401 response and call # SessionController#unauthenticated instead. render_error :not_authorized_login, :unauthorized, login_url end + alias_method :render_login_required, :login_required def not_found(msg=nil, url=nil) render_error(msg || :not_found, :not_found, url || home_url) end + alias_method :render_not_found, :not_found private diff --git a/app/controllers/v1/identities_controller.rb b/app/controllers/v1/identities_controller.rb index 1d8c542..4efd1f5 100644 --- a/app/controllers/v1/identities_controller.rb +++ b/app/controllers/v1/identities_controller.rb @@ -5,7 +5,11 @@ module V1 def show @identity = Identity.find_by_address(params[:id]) - respond_with @identity + if @identity + respond_with @identity + else + render_not_found + end end end -- cgit v1.2.3