
[myexperiment-hackers] [2070] trunk: added HTTP basic access authenticat


From: noreply
Subject: [myexperiment-hackers] [2070] trunk: added HTTP basic access authentication to API
Date: Wed, 21 Jan 2009 08:07:12 -0500 (EST)

Revision
2070
Author
dgc
Date
2009-01-21 08:07:10 -0500 (Wed, 21 Jan 2009)

Log Message

added HTTP basic access authentication to API

Modified Paths

Diff

Modified: trunk/app/controllers/api_controller.rb (2069 => 2070)


--- trunk/app/controllers/api_controller.rb	2009-01-21 12:25:59 UTC (rev 2069)
+++ trunk/app/controllers/api_controller.rb	2009-01-21 13:07:10 UTC (rev 2070)
@@ -13,6 +13,19 @@
 
   def process_request
 
+    auth = request.env["HTTP_AUTHORIZATION"]
+
+    if auth and auth.starts_with?("Basic ")
+      credentials = Base64.decode64(auth.sub(/^Basic /, '')).split(':')
+      current_user = User.authenticate(credentials[0], credentials[1])
+
+      if current_user.nil?
+        render :xml => rest_error_response(401, 'Not authorized').to_s
+        return
+      end
+
+    end
+
     query  = CGIMethods.parse_query_parameters(request.query_string)
     method = request.method.to_s.upcase
     uri    = params[:uri]
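Review bot: The credential parsing on L41 uses `split(':')`, so a password containing a colon is silently truncated and a header with no colon at all leaves `credentials[1]` nil; `credentials = Base64.decode64(auth.sub(/^Basic /, '')).split(':', 2)` followed by a reject when fewer than two parts come back is the usual form. The failure path on L45 renders the 401 document without setting the HTTP status or a WWW-Authenticate header, so unless rest_error_response sets the status itself a client receives a 200 with an error body; `response.headers['WWW-Authenticate'] = 'Basic realm="<realm>"'` and `render :xml => rest_error_response(401, 'Not authorized').to_s, :status => 401` would make the challenge conform. Note also that L42 assigns a local named `current_user`, which shadows the controller helper of that name for the rest of process_request, so the handlers called on L61-L63 in the next hunk receive nil for a session-authenticated caller whenever the Basic branch is not taken — confirm whether cookie-based API access is meant to remain supported, and if so seed the local from the helper before the `if`.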
@@ -46,9 +59,9 @@
     end  
 
     case rules['Type']
-      when 'index'; doc = rest_index_request(rules, query)
-      when 'crud';  doc = rest_crud_request(rules)
-      when 'call';  doc = rest_call_request(rules, query)
+      when 'index'; doc = rest_index_request(rules, current_user, query)
+      when 'crud';  doc = rest_crud_request(rules, current_user)
+      when 'call';  doc = rest_call_request(rules, current_user, query)
       else;         bad_rest_request
     end
 

Modified: trunk/lib/rest.rb (2069 => 2070)


--- trunk/lib/rest.rb	2009-01-21 12:25:59 UTC (rev 2069)
+++ trunk/lib/rest.rb	2009-01-21 13:07:10 UTC (rev 2070)
@@ -51,7 +51,7 @@
   "#{request.protocol}#{request.host_with_port}#{path}"
 end
 
-def rest_get_request(ob, req_uri, uri, entity_name, query)
+def rest_get_request(ob, req_uri, user, uri, entity_name, query)
 
   if query['version']
     return rest_error_response(400, 'Resource not versioned') unless ob.respond_to?('versions')
@@ -96,7 +96,7 @@
         limited_ob = eval("ob.#{limited_to_user}")
       end
 
-      next if limited_ob != current_user
+      next if limited_ob != user
     end
 
     unless query['all_elements'] == 'yes'
@@ -141,7 +141,7 @@
 
         # filter out things that the user cannot see
         collection = collection.select do |c|
-          not c.respond_to?('contribution') or c.authorized?('view', current_user)
+          not c.respond_to?('contribution') or c.authorized?('view', user)
         end
 
         collection.each do |item|
@@ -207,7 +207,7 @@
   doc
 end
 
-def rest_crud_request(rules)
+def rest_crud_request(rules, user)
 
   query = CGIMethods.parse_query_parameters(request.query_string)
 
@@ -224,15 +224,15 @@
 
   case rules['Permission']
     when 'public'; # do nothing
-    when 'view'; return rest_error_response(403, 'Not authorized') if not perm_ob.authorized?("show", (logged_in? ? current_user : nil))
-    when 'owner'; return rest_error_response(403, 'Not authorized') if logged_in?.nil? or object_owner(perm_ob) != current_user
+    when 'view'; return rest_error_response(403, 'Not authorized') if not perm_ob.authorized?("show", (logged_in? ? user : nil))
+    when 'owner'; return rest_error_response(403, 'Not authorized') if logged_in?.nil? or object_owner(perm_ob) != user
   end
 
   response.content_type = "application/xml"
-  rest_get_request(ob, params[:uri], eval("rest_resource_uri(ob)"), rest_name, query)
+  rest_get_request(ob, params[:uri], user, eval("rest_resource_uri(ob)"), rest_name, query)
 end
 
-def rest_index_request(rules, query)
+def rest_index_request(rules, user, query)
 
   rest_name  = rules['REST Entity']
   model_name = rules['Model Entity']
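Review bot: The 'view' check on L115 still passes `(logged_in? ? user : nil)`, so a caller authenticated only through the new Basic header (no session) is evaluated as anonymous here, while the index filters on L134, L148 and L262 pass `user` directly; `perm_ob.authorized?("show", user)` would make the permission checks consistent. The 'owner' branch on L116 has the same mix, and `logged_in?.nil?` is never true if logged_in? returns a boolean, so `return rest_error_response(403, 'Not authorized') if user.nil? or object_owner(perm_ob) != user` is presumably the intended guard. rest_crud_request is defined in the previous hunk (L105) and its body continues there.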
@@ -284,7 +284,7 @@
   end
 
   # filter out ones they are not allowed to get
-  obs = (obs.select do |c| c.respond_to?('contribution') == false or c.authorized?("index", (logged_in? ? current_user : nil)) end)
+  obs = (obs.select do |c| c.respond_to?('contribution') == false or c.authorized?("index", user) end)
 
   produce_rest_list(rules, query, obs, rest_name.pluralize)
 end
@@ -435,11 +435,11 @@
 
 end
 
-def get_rest_uri(rules, query)
+def get_rest_uri(rules, user, query)
 
   return bad_rest_request if query['resource'].nil?
 
-  obs = (obs.select do |c| c.respond_to?('contribution') == false or c.authorized?("index", (logged_in? ? current_user : nil)) end)
+  obs = (obs.select do |c| c.respond_to?('contribution') == false or c.authorized?("index", user) end)
   doc = REXML::Document.new("<?xml version=\"1.0\" encoding=\"UTF-8\"?><rest-uri/>")
   "bing"
 end
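Review bot: The changed line L148 calls `obs.select` on a local that is never assigned anywhere in get_rest_uri (the function starts on L143 and its full body is in this hunk), so the call raises NoMethodError on nil as soon as it is reached. The method appears to be an unfinished stub — it builds a document and then returns the literal `"bing"` — so either the filter line should be dropped until obs is populated, or the function should return an error response rather than a placeholder string.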
@@ -452,9 +452,9 @@
       :contributor => user)
 end
 
-def post_workflow(rules, query)
+def post_workflow(rules, user, query)
 
-  return rest_error_response(400, 'Bad Request') if current_user.nil?
+  return rest_error_response(400, 'Bad Request') if user.nil?
 
   title        = params["workflow"]["title"]
   description  = params["workflow"]["description"]
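Review bot: The guard on L160 answers a missing user with 400 'Bad Request', which tells the client its request was malformed when the actual condition is that it was not authenticated; `return rest_error_response(401, 'Not authorized') if user.nil?` reports the right status. The same mapping is introduced on L286 in post_comment. post_workflow's body continues past the end of this hunk.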
@@ -472,7 +472,7 @@
 
   contribution = Contribution.new(
       :contributor_type => 'User',
-      :contributor_id   => current_user.id)
+      :contributor_id   => user.id)
 
   workflow = Workflow.new(
       :title            => title,
@@ -481,7 +481,7 @@
       :content_type     => content_type,
       :content_blob     => ContentBlob.new(:data ="" content),
       :contributor_type => 'User',
-      :contributor_id   => current_user.id,
+      :contributor_id   => user.id,
       :contribution     => contribution)
 
   # Handle the preview and svg images.  If there's a preview supplied, use it.
@@ -513,14 +513,14 @@
     return rest_error_response(400, 'Bad Request')
   end
 
-  workflow.contribution.policy = create_default_policy(current_user)
+  workflow.contribution.policy = create_default_policy(user)
   workflow.contribution.save
 
-  rest_get_request(workflow, "workflow",
+  rest_get_request(workflow, "workflow", user,
       rest_resource_uri(workflow), "workflow", { "id" => workflow.id.to_s })
 end
 
-# def post_job(rules, query)
+# def post_job(rules, user, query)
 #
 #   title       = params["job"]["title"]
 #   description = params["job"]["description"]
@@ -540,14 +540,14 @@
 #   runner     = TavernaEnactor.find_by_id(runner_bits[1].to_i)
 #   runnable   = Workflow.find_by_id(runnable_bits[1].to_i)
 #
-#   return rest_error_response(400, 'Bad Request') if experiment.nil? or not experiment.authorized?("edit", current_user)
-#   return rest_error_response(400, 'Bad Request') if runner.nil?     or not runner.authorized?("download", current_user)
-#   return rest_error_response(400, 'Bad Request') if runnable.nil?   or not runnable.authorized?("view", current_user)
+#   return rest_error_response(400, 'Bad Request') if experiment.nil? or not experiment.authorized?("edit", user)
+#   return rest_error_response(400, 'Bad Request') if runner.nil?     or not runner.authorized?("download", user)
+#   return rest_error_response(400, 'Bad Request') if runnable.nil?   or not runnable.authorized?("view", user)
 #
 #   puts "#{params[:job]}"
 #
 #   job = Job.new(:title => title, :description => description, :runnable => runnable, 
-#       :experiment => experiment, :runner => runner, :user => current_user,
+#       :experiment => experiment, :runner => runner, :user => user,
 #       :runnable_version => runnable.versions.last.version)
 #
 #   inputs = { "Tags" => "aa,bb,aa,cc,aa" }
@@ -562,7 +562,7 @@
 #
 # end
 
-def search(rules, query)
+def search(rules, user, query)
 
   search_query = query['query']
 
@@ -595,8 +595,9 @@
   doc
 end
 
-def user_count(rules, query)
+def user_count(rules, user, query)
   
+  puts "user = #{user}"
   users = User.find(:all).select do |user| user.activated? end
 
   root = XML::Node.new('user-count')
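Review bot: L235 adds `puts "user = #{user}"`, which writes the authenticated user's string form to the process's stdout on every user_count call and looks like leftover debugging; remove it, or if the trace is wanted use `logger.debug`. Separately, the block parameter on L236 is also named `user`, the same as the new method parameter; on Ruby 1.8, which this code base's era suggests but the page does not confirm, a block parameter sharing a name with an enclosing local assigns to that local, so `user` would hold the last User iterated after the select. Renaming the block variable, `users = User.find(:all).select do |u| u.activated? end`, avoids the ambiguity on any Ruby version.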
@@ -608,7 +609,7 @@
   doc
 end
 
-def group_count(rules, query)
+def group_count(rules, user, query)
   
   groups = Network.find(:all)
 
@@ -620,7 +621,7 @@
   doc
 end
 
-def get_tagged(rules, query)
+def get_tagged(rules, user, query)
 
   return rest_error_response(400, 'Bad Request') if query['tag'].nil?
 
@@ -629,12 +630,12 @@
   obs = tag ? tag.tagged : []
 
   # filter out ones they are not allowed to get
-  obs = (obs.select do |c| c.respond_to?('contribution') == false or c.authorized?('index', (logged_in? ? current_user : nil)) end)
+  obs = (obs.select do |c| c.respond_to?('contribution') == false or c.authorized?('index', user) end)
 
   produce_rest_list(rules, query, obs, 'tagged')
 end
 
-def tag_cloud(rules, query)
+def tag_cloud(rules, user, query)
 
   num  = 25
   type = nil
@@ -672,7 +673,7 @@
   doc
 end
 
-def post_comment(rules, query)
+def post_comment(rules, user, query)
 
   title    = params[:comment][:title]
   text     = params[:comment][:comment]
@@ -682,7 +683,7 @@
 
   resource_bits = parse_resource_uri(params["comment"]["resource"])
 
-  return rest_error_response(400, 'Bad Request') if current_user == 0
+  return rest_error_response(400, 'Bad Request') if user.nil?
   return rest_error_response(400, 'Bad Request') if text.nil? or text.length.zero?
   return rest_error_response(400, 'Bad Request') if resource_bits.nil?
 
@@ -690,16 +691,16 @@
 
   resource = eval(resource_bits[0]).find_by_id(resource_bits[1].to_i)
 
-  comment = Comment.create(:user => current_user, :comment => text)
+  comment = Comment.create(:user => user, :comment => text)
   resource.comments << comment
 
-  rest_get_request(comment, "comment", rest_resource_uri(comment), "comment", { "id" => comment.id.to_s })
+  rest_get_request(comment, "comment", user, rest_resource_uri(comment), "comment", { "id" => comment.id.to_s })
 end
 
-# def put_comment(rules, query)
+# def put_comment(rules, user, query)
 # end
 #
-# def delete_comment(rules, query)
+# def delete_comment(rules, user, query)
 #
 #   return rest_error_response(400, 'Bad Request') if query['id'].nil?
 #
@@ -708,12 +709,12 @@
 #   return rest_error_response(404, 'Resource Not Found') if resource.nil?
 #
 #   if resource.respond_to?('authorized?')
-#     return rest_error_response(403, 'Not Authorized') if not resource.authorized?('edit', current_user)
+#     return rest_error_response(403, 'Not Authorized') if not resource.authorized?('edit', user)
 #   end
 #
 # end
 
-def rest_call_request(rules, query)
-  eval("#{rules['Function']}(rules, query)")
+def rest_call_request(rules, user, query)
+  eval("#{rules['Function']}(rules, user, query)")
 end
 
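Review bot: L324 builds Ruby source from `rules['Function']` and evals it; if the rules table is loaded from configuration rather than from the request this is not directly caller-controlled, but `send(rules['Function'], rules, user, query)` dispatches to the same methods without an eval, fails with NoMethodError on a malformed entry instead of executing arbitrary text, and is easier to audit, and a fixed list of permitted function names checked before the call would be stronger still. The same eval-of-a-rule-string pattern on L83 and L121 predates this commit.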
