4 files changed, 167 insertions, 0 deletions

diff --git a/actionpack/CHANGELOG b/actionpack/CHANGELOG
index 039ed8aa52..21df4be24a 100644
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
@@ -1,5 +1,7 @@
 *SVN*
 
+* Included the HttpAuthentication plugin as part of core (ActionController::HttpAuthentication::Basic) [DHH]
+
 * Modernize documentation for form helpers. [jeremymcanally]
 
 * Add brief introduction to REST to the resources documentation. [fearoffish]
diff --git a/actionpack/lib/action_controller.rb b/actionpack/lib/action_controller.rb
index a0bdf4995c..96192809e5 100755
--- a/actionpack/lib/action_controller.rb
+++ b/actionpack/lib/action_controller.rb
@@ -53,6 +53,7 @@ require 'action_controller/caching'
 require 'action_controller/verification'
 require 'action_controller/streaming'
 require 'action_controller/session_management'
+require 'action_controller/http_authentication'
 require 'action_controller/components'
 require 'action_controller/record_identifier'
 require 'action_controller/macros/auto_complete'
@@ -76,6 +77,7 @@ ActionController::Base.class_eval do
   include ActionController::Verification
   include ActionController::Streaming
   include ActionController::SessionManagement
+  include ActionController::HttpAuthentication::Basic::ControllerMethods
   include ActionController::Components
   include ActionController::RecordIdentifier
   include ActionController::Macros::AutoComplete
diff --git a/actionpack/lib/action_controller/http_authentication.rb b/actionpack/lib/action_controller/http_authentication.rb
new file mode 100644
index 0000000000..387fa4e695
--- /dev/null
+++ b/actionpack/lib/action_controller/http_authentication.rb
@@ -0,0 +1,121 @@
+require 'base64'
+
+module ActionController
+  module HttpAuthentication
+    # Makes it dead easy to do HTTP Basic authentication.
+    # 
+    # Simple Basic example:
+    # 
+    # class PostsController < ApplicationController
+    #   USER_NAME, PASSWORD = "dhh", "secret"
+    # 
+    #   before_filter :authenticate, :except => [ :index ]
+    # 
+    #   def index
+    #     render :text => "Everyone can see me!"
+    #   end
+    # 
+    #   def edit
+    #     render :text => "I'm only accessible if you know the password"
+    #   end
+    # 
+    #   private
+    #     def authenticate
+    #       authenticate_or_request_with_http_basic do |user_name, password| 
+    #         user_name == USER_NAME && password == PASSWORD
+    #       end
+    #     end
+    # end
+    # 
+    # 
+    # Here is a more advanced Basic example where only Atom feeds and the XML API is protected by HTTP authentication, 
+    # the regular HTML interface is protected by a session approach:
+    # 
+    # class ApplicationController < ActionController::Base
+    #   before_filter :set_account, :authenticate
+    # 
+    #   protected
+    #     def set_account
+    #       @account = Account.find_by_url_name(request.subdomains.first)
+    #     end
+    # 
+    #     def authenticate
+    #       case request.format
+    #       when Mime::XML, Mime::ATOM
+    #         if user = authenticate_with_http_basic { |u, p| @account.users.authenticate(u, p) }
+    #           @current_user = user
+    #         else
+    #           request_http_basic_authentication
+    #         end
+    #       else
+    #         if session_authenticated?
+    #           @current_user = @account.users.find(session[:authenticated][:user_id])
+    #         else
+    #           redirect_to(login_url) and return false
+    #         end
+    #       end
+    #     end
+    # end
+    # 
+    # 
+    # In your integration tests, you can do something like this:
+    # 
+    #   def test_access_granted_from_xml
+    #     get(
+    #       "/notes/1.xml", nil, 
+    #       :authorization => ActionController::HttpAuthentication::Basic.encode_credentials(users(:dhh).name, users(:dhh).password)
+    #     )
+    # 
+    #     assert_equal 200, status
+    #   end
+    module Basic
+      extend self
+
+      module ControllerMethods
+        def authenticate_or_request_with_http_basic(realm = "Application", &login_procedure)
+          authenticate_with_http_basic(&login_procedure) || request_http_basic_authentication(realm)
+        end
+
+        def authenticate_with_http_basic(&login_procedure)
+          HttpAuthentication::Basic.authenticate(self, &login_procedure)
+        end
+
+        def request_http_basic_authentication(realm = "Application")
+          HttpAuthentication::Basic.authentication_request(self, realm)
+        end
+      end
+
+      def authenticate(controller, &login_procedure)
+        if authorization(controller.request)
+          login_procedure.call(*user_name_and_password(controller.request))
+        else
+          false
+        end
+      end
+
+      def user_name_and_password(request)
+        decode_credentials(request).split(/:/, 2)
+      end
+  
+      def authorization(request)
+        request.env['HTTP_AUTHORIZATION']   ||
+        request.env['X-HTTP_AUTHORIZATION'] ||
+        request.env['X_HTTP_AUTHORIZATION']
+      end
+    
+      def decode_credentials(request)
+        Base64.decode64(authorization(request).split.last)
+      end
+
+      def encode_credentials(user_name, password)
+        "Basic #{Base64.encode64("#{user_name}:#{password}")}"
+      end
+
+      def authentication_request(controller, realm)
+        controller.headers["WWW-Authenticate"] = %(Basic realm="#{realm.gsub(/"/, "")}")
+        controller.render :text => "HTTP Basic: Access denied.\n", :status => :unauthorized
+        return false    
+      end
+    end
+  end
+end
\ No newline at end of file
diff --git a/actionpack/test/controller/http_authentication_test.rb b/actionpack/test/controller/http_authentication_test.rb
new file mode 100644
index 0000000000..e08bc7b94b
--- /dev/null
+++ b/actionpack/test/controller/http_authentication_test.rb
@@ -0,0 +1,42 @@
+require File.dirname(__FILE__) + '/../abstract_unit'
+
+class HttpBasicAuthenticationTest < Test::Unit::TestCase
+  include ActionController::HttpAuthentication::Basic
+  
+  def setup
+    @controller = Class.new do
+      attr_accessor :headers, :renders
+      
+      def initialize
+        @headers, @renders = {}, []
+      end
+      
+      def request
+        Class.new do
+          def env
+            { 'HTTP_AUTHORIZATION' => ActionController::HttpAuthentication::Basic.encode_credentials("dhh", "secret") }
+          end
+        end.new
+      end
+      
+      def render(options)
+        self.renders << options
+      end
+    end.new
+  end
+
+  def test_successful_authentication
+    assert authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "secret" }
+  end
+
+
+  def test_failing_authentication
+    assert !authenticate(@controller) { |user_name, password| user_name == "dhh" && password == "secret!!" }
+  end
+  
+  def test_authentication_request
+    authentication_request(@controller, "Megaglobalapp")
+    assert_equal 'Basic realm="Megaglobalapp"', @controller.headers["WWW-Authenticate"]
+    assert_equal :unauthorized, @controller.renders.first[:status]
+  end
+end