auth-proxy 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 6ec8a799dae3f536a97750c0ec0557227796d3c4
+  data.tar.gz: 8b091ef9d05342311a9193828a739ac942b5c705
+SHA512:
+  metadata.gz: 5f48c6d8f308389a11e68282fdfcc6d85230233c34f43acaa68d0e62c5cbe40dc3f6edadb619f0f9d53bc3d0c48be23c0f633e659ea1eaa328d56ba836e90f22
+  data.tar.gz: 28ef27de81f690ba78dc29010427992290af057cbe0ec8bdfde54436104c43ef8ae7ff2121620896dca6f6ab25ee5a60e914da3c18514a3fe2ef536f16b34136

data/.gitignore

@@ -0,0 +1,8 @@
+example/
+.DS_Store
+/.bundle
+*.orig
+*.swp
+.powrc
+*.local
+pkg/

data/.rubocop.yml

@@ -0,0 +1,94 @@
+AllCops:
+  TargetRubyVersion: 2.3
+  # RuboCop has a bunch of cops enabled by default. This setting tells RuboCop
+  # to ignore them, so only the ones explicitly set in this file are enabled.
+  DisabledByDefault: true
+  Exclude:
+    - '**/templates/**/*'
+    - '**/vendor/**/*'
+
+# Prefer &&/|| over and/or.
+Style/AndOr:
+  Enabled: true
+
+# Do not use braces for hash literals when they are the last argument of a
+# method call.
+Style/BracesAroundHashParameters:
+  Enabled: true
+
+# Align `when` with `case`.
+Style/CaseIndentation:
+  Enabled: true
+
+# No extra empty lines.
+Style/EmptyLines:
+  Enabled: true
+
+# In a regular class definition, no empty lines around the body.
+Style/EmptyLinesAroundClassBody:
+  Enabled: true
+
+# In a regular module definition, no empty lines around the body.
+Style/EmptyLinesAroundModuleBody:
+  Enabled: true
+
+# Use Ruby >= 1.9 syntax for hashes. Prefer { a: :b } over { :a => :b }.
+Style/HashSyntax:
+  Enabled: true
+
+# Method definitions after `private` or `protected` isolated calls need one
+# extra level of indentation.
+Style/IndentationConsistency:
+  Enabled: true
+  EnforcedStyle: normal
+
+# Two spaces, no tabs (for indentation).
+Style/IndentationWidth:
+  Enabled: true
+
+# Defining a method with parameters needs parentheses.
+Style/MethodDefParentheses:
+  Enabled: true
+
+# Use `foo {}` not `foo{}`.
+Style/SpaceBeforeBlockBraces:
+  Enabled: true
+
+# Use `foo { bar }` not `foo {bar}`.
+Style/SpaceInsideBlockBraces:
+  Enabled: true
+
+# Use `{ a: 1 }` not `{a:1}`.
+Style/SpaceInsideHashLiteralBraces:
+  Enabled: true
+
+# Check quotes usage according to lint rule below.
+Style/StringLiterals:
+  Enabled: true
+  EnforcedStyle: double_quotes
+
+# Detect hard tabs, no hard tabs.
+Style/Tab:
+  Enabled: true
+
+# Blank lines should not have any spaces.
+Style/TrailingBlankLines:
+  Enabled: true
+
+# No trailing whitespace.
+Style/TrailingWhitespace:
+  Enabled: true
+
+# Use quotes for string literals when they are enough.
+Style/UnneededPercentQ:
+  Enabled: true
+
+# Align `end` with the matching keyword or starting expression except for
+# assignments, where it should be aligned with the LHS.
+Lint/EndAlignment:
+  Enabled: true
+  AlignWith: variable
+
+# Use my_method(my_arg) not my_method( my_arg ) or my_method my_arg.
+Lint/RequireParentheses:
+  Enabled: true

data/Gemfile

@@ -0,0 +1,7 @@
+source "https://rubygems.org"
+
+gem "omniauth-vsts"
+gem "better_errors"
+gem "binding_of_caller"
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,65 @@
+PATH
+  remote: .
+  specs:
+    auth-proxy (1.0.0)
+      json
+      sinatra
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    better_errors (2.1.1)
+      coderay (>= 1.0.0)
+      erubis (>= 2.6.6)
+      rack (>= 0.9.0)
+    binding_of_caller (0.7.2)
+      debug_inspector (>= 0.0.1)
+    coderay (1.1.1)
+    debug_inspector (0.0.2)
+    erubis (2.7.0)
+    faraday (0.9.2)
+      multipart-post (>= 1.2, < 3)
+    hashie (3.4.6)
+    json (2.0.2)
+    jwt (1.5.6)
+    multi_json (1.12.1)
+    multi_xml (0.6.0)
+    multipart-post (2.0.0)
+    oauth2 (1.2.0)
+      faraday (>= 0.8, < 0.10)
+      jwt (~> 1.0)
+      multi_json (~> 1.3)
+      multi_xml (~> 0.5)
+      rack (>= 1.2, < 3)
+    omniauth (1.3.1)
+      hashie (>= 1.2, < 4)
+      rack (>= 1.0, < 3)
+    omniauth-oauth2 (1.4.0)
+      oauth2 (~> 1.0)
+      omniauth (~> 1.2)
+    omniauth-vsts (0.1.0)
+      omniauth (~> 1.0)
+      omniauth-oauth2 (>= 1.1.1)
+    rack (1.6.5)
+    rack-protection (1.5.3)
+      rack
+    rake (10.5.0)
+    sinatra (1.4.7)
+      rack (~> 1.5)
+      rack-protection (~> 1.4)
+      tilt (>= 1.3, < 3)
+    tilt (2.0.5)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  auth-proxy!
+  better_errors
+  binding_of_caller
+  bundler (~> 1.13)
+  omniauth-vsts
+  rake (~> 10.0)
+
+BUNDLED WITH
+   1.13.6

data/README.md

@@ -0,0 +1,145 @@
+# Auth::Proxy
+
+External auth for your web services.
+
+IMPORTANT: This is still under development and untested
+
+## Usage
+
+Create a directorry for your auth-proxy app.
+
+Create a Gemfile and add the auth-proxy gem and any omniauth gems you want to use:
+
+```ruby
+gem "auth-proxy"
+gem "omniauth-facebook"
+gem "omniauth-twitter"
+```
+
+And then execute:
+
+    $ bundle install
+
+Create a config.ru file:
+
+```ruby
+require "auth-proxy"
+require "omniauth-facebook"
+
+AuthProxy.configure do |config|
+  config.ssl = true
+  config.register :facebook,
+    display_name: "Facebook",
+    app_id: "ID",
+    app_secret: "SECRET"
+end
+
+run AuthProxy.app
+```
+
+And then execute
+
+    $ AUTH_PROXY_APP_DOMAIN=auth.my.domain AUTH_PROXY_COOKIE_DOMAIN=my.domain rackup config.ru
+
+
+Now you can proxy requests through this app to be authenticated. One nice way of doing this is using nginx's
+`auth_request` directive. Assuming you have different services under ops.company.tld domain
+(service1.ops.company.tld service2.ops.company.tld etc) you would setup auth-proxy to run under
+auth.ops.company.tld and keep the cookies under ops.company.tld so they will be available on all services:
+
+    $ AUTH_PROXY_APP_DOMAIN=auth.ops.company.tld AUTH_PROXY_COOKIE_DOMAIN=ops.company.tld rackup -p 5000 config.ru
+
+In front of the auth-proxy you will have an nginx (or more nginx loadbalancers) with the following config:
+
+```
+worker_processes 1;
+
+events {
+  worker_connections  1024;
+}
+
+http {
+  upstream auth {
+    server 127.0.0.1:6000 fail_timeout=0;
+  }
+
+  server {
+    listen 80;
+    server_name auth.ops.company.tld;
+
+    location / {
+      proxy_pass http://auth;
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+    }
+  }
+}
+```
+
+Now for each app that needs to be authenticated you will need a nginx in front of it with the following
+config:
+
+```
+worker_processes 1;
+
+events {
+  worker_connections  1024;
+}
+
+http {
+  upstream service1 {
+    server 127.0.0.1:7000 fail_timeout=0;
+  }
+
+
+  server {
+    listen 7000;
+    server_name service1.ops.company.tld;
+
+    auth_request /auth/try;
+
+    # optional - if you need to pass to your app headers set by the auth-proxy
+    auth_request_set $auth_proxy_user_name $upstream_http_x_auth_proxy_user_name;
+    auth_request_set $auth_proxy_user_email $upstream_http_x_auth_proxy_user_email;
+    auth_request_set $auth_proxy_user_id $upstream_http_x_auth_proxy_user_id;
+    auth_request_set $auth_proxy_user_provider $upstream_http_x_auth_proxy_user_provider;
+    auth_request_set $auth_proxy_user_token $upstream_http_x_auth_proxy_user_token;
+    # optional end
+
+    error_page 401 403 =200 @login;
+    location @login {
+      return 301 https://auth.ops.company.tld/login?return_to=https://$http_host$request_uri;
+    }
+
+    location = /auth/try {
+      proxy_pass http://auth..ops.company.tld;
+      proxy_pass_request_body off;
+      proxy_set_header Content-Length "";
+    }
+
+    location / {
+      proxy_pass http://service1;
+      proxy_set_header Host $http_host;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      # optional - if you need to pass to your app headers set by the auth-proxy
+      proxy_set_header X-Auth-Proxy-User-Name $auth_proxy_user_name;
+      proxy_set_header X-Auth-Proxy-User-Email $auth_proxy_user_email;
+      proxy_set_header X-Auth-Proxy-User-ID $auth_proxy_user_id;
+      proxy_set_header X-Auth-Proxy-User-provider $auth_proxy_user_provider;
+      proxy_set_header X-Auth-Proxy-User-token $auth_proxy_user_token;
+      # optional end
+    }
+  }
+
+}
+```
+
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/cristianbica/auth-proxy.
+

data/Rakefile

@@ -0,0 +1,2 @@
+require "bundler/gem_tasks"
+task :default => :spec

data/auth-proxy.gemspec

@@ -0,0 +1,25 @@
+# coding: utf-8
+lib = File.expand_path("../lib", __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require "auth_proxy/version"
+
+Gem::Specification.new do |spec|
+  spec.name          = "auth-proxy"
+  spec.version       = AuthProxy::VERSION
+  spec.authors       = ["Cristian Bica"]
+  spec.email         = ["cristian.bica@gmail.com"]
+
+  spec.summary       = "Auth Proxy App"
+  spec.description   = "Auth Proxy App (supports user / pass, oauth2)"
+  spec.homepage      = "https://github.com/cristianbica/auth-proxy"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.require_paths = ["lib"]
+
+  spec.add_dependency "sinatra"
+  spec.add_dependency "json"
+  spec.add_development_dependency "bundler", "~> 1.13"
+  spec.add_development_dependency "rake", "~> 10.0"
+end

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "auth_proxy"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IFS=$'\n\t'
+set -vx
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/lib/auth-proxy.rb

@@ -0,0 +1 @@
+require "auth_proxy"

data/lib/auth_proxy.rb

@@ -0,0 +1,59 @@
+require "auth_proxy/version"
+require "auth_proxy/config"
+require "auth_proxy/errors"
+require "auth_proxy/app"
+
+module AuthProxy
+  def self.configure(&block)
+    yield @config ||= AuthProxy::Config.new
+  end
+
+  def self.config
+    @config
+  end
+
+  configure do |config|
+    config.app_domain = ENV["AUTH_PROXY_APP_DOMAIN"]
+    config.cookie_domain = ENV["AUTH_PROXY_COOKIE_DOMAIN"]
+    config.ssl = false
+  end
+
+  def self.root_path
+    File.expand_path("../../", __FILE__)
+  end
+
+  def self.full_url
+    URI::Generic.build(
+      scheme: config.ssl ? "https" : "http",
+      host: config.app_domain
+    ).to_s
+  end
+
+  def self.validate_auth_request(provider, request)
+    validator = config.providers[provider.to_s][:validator]
+    validator.call(request) unless validator.nil?
+  end
+
+  def self.app
+    Sinatra.new(AuthProxy::App) do
+      use Rack::Session::Cookie, key: "rack.session",
+                                 domain: "." + AuthProxy.config.cookie_domain,
+                                 path: "/",
+                                 expire_after: 2592000,
+                                 secret: "a-secret"
+
+      set :views, AuthProxy.config.views_path || "#{AuthProxy.root_path}/views"
+
+      if AuthProxy.config.providers.any?
+        OmniAuth.config.full_host = AuthProxy.full_url
+        OmniAuth.config.failure_raise_out_environments = []
+        use OmniAuth::Builder do
+          AuthProxy.config.providers.each do |name, p|
+            provider p[:provider], p[:app_id], p[:app_secret], p[:options]
+          end
+        end
+      end
+    end
+  end
+
+end

data/lib/auth_proxy/app.rb

@@ -0,0 +1,72 @@
+require "sinatra/base"
+require "json"
+
+class AuthProxy::App < Sinatra::Base
+  if ENV["RACK_ENV"] == "development"
+    begin
+      require "better_errors"
+      use BetterErrors::Middleware
+      BetterErrors.application_root = __dir__
+    rescue
+    end
+
+    set :show_exceptions, :after_handler
+  end
+
+  get "/auth/:provider/callback" do
+    AuthProxy.validate_auth_request(params[:provider], request)
+    oauth = request.env["omniauth.auth"]
+    session[:authenticated] = "true"
+    session[:user_name] = oauth.info.name
+    session[:user_email] = oauth.info.email
+    session[:user_id] = oauth.uid
+    session[:user_provider] = params[:provider]
+    session[:user_token] = oauth.credentials.token
+    redirect session[:return_to] ? session.delete(:return_to) : "/"
+  end
+
+  get "/auth/failure" do
+    session[:alert] = params[:message]
+    redirect "/login"
+  end
+
+  get "/auth/try" do
+    if session[:authenticated] == "true"
+      auth_proxy_headers = {}
+      %i{user_name user_email user_id user_provider user_token}.each do |key|
+        auth_proxy_headers["x_auth_proxy_#{key}".gsub("_", "-")] = session[key]
+      end
+      headers auth_proxy_headers
+      halt 200
+    else
+      halt 401
+    end
+  end
+
+  get "/login" do
+    session[:return_to] = params[:return_to] if params[:return_to]
+    if session[:authenticated] == "true"
+      redirect session[:return_to] ? session.delete(:return_to) : "/"
+    else
+      erb :login, layout: :layout
+    end
+  end
+
+  get "/logout" do
+    session.clear
+    redirect request.referer || "/login"
+  end
+
+  get "/" do
+    if session[:authenticated] == "true"
+      erb "You're authenticated. Now navigate to your app"
+    else
+      redirect "/login"
+    end
+  end
+
+  error AuthProxy::ProviderValidationError do
+    session[:alert] = "Could not validate your credentials"
+    redirect "/login"
+  end
+end

data/lib/auth_proxy/config.rb

@@ -0,0 +1,23 @@
+class AuthProxy::Config
+  attr_accessor :app_domain
+  attr_accessor :cookie_domain
+  attr_accessor :providers
+  attr_accessor :ssl
+  attr_accessor :views_path
+
+  def initialize
+    self.providers = {}
+  end
+
+  def register(provider, display_name:, app_id:, app_secret:, options: {}, validator: nil)
+    options[:callback_path] ||= "/auth/#{provider}/callback"
+    providers[provider.to_s] = {
+      provider: provider,
+      display_name: display_name,
+      app_id: app_id,
+      app_secret: app_secret,
+      validator: validator,
+      options: options
+    }
+  end
+end

data/lib/auth_proxy/errors.rb

@@ -0,0 +1,3 @@
+module AuthProxy
+  class ProviderValidationError < StandardError;end
+end

data/lib/auth_proxy/version.rb

@@ -0,0 +1,3 @@
+module AuthProxy
+  VERSION = "1.0.0"
+end

data/views/layout.erb

@@ -0,0 +1,28 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta http-equiv="X-UA-Compatible" content="IE=edge">
+    <meta name="viewport" content="width=device-width, initial-scale=1.0, minimum-scale=1.0">
+    <title>Auth</title>
+    <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-alpha.5/css/bootstrap.min.css" integrity="sha384-AysaV+vQoT3kOAXZkl02PThvDr8HYKPZhNT5h/CXfBThSRXQ6jW5DO2ekP5ViFdi" crossorigin="anonymous">
+    <script src="https://code.jquery.com/jquery-3.1.1.js" integrity="sha256-16cdPddA6VdVInumRGo6IbivbERE8p7CQR3HzTBuELA=" crossorigin="anonymous"></script>
+    <script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0-alpha.5/js/bootstrap.min.js" integrity="sha384-BLiI7JTZm+JWlgKa0M0kGRpJbF2J8q+qreVrKBC47e3K6BW78kGLrCkeRX6I9RoK" crossorigin="anonymous"></script>
+  </head>
+  <body>
+    <div class="container pt-2">
+      <% { alert: :danger, notice: :success }.each do |flash_type, alert_class| %>
+        <% if flash_message = session.delete(flash_type) %>
+
+          <div class="alert alert-<%= alert_class %> alert-dismissible fade in mb-2" role="alert">
+            <button type="button" class="close" data-dismiss="alert" aria-label="Close">
+              <span aria-hidden="true">&times;</span>
+            </button>
+            <%= flash_message %>
+          </div>
+        <% end %>
+      <% end %>
+      <%= yield %>
+    </div>
+  </body>
+</html>

data/views/login.erb

@@ -0,0 +1,9 @@
+<div class="row">
+  <div class="col-xs-12 text-xs-center">
+    <% AuthProxy.config.providers.each do |name, provider| %>
+    <a href="/auth/<%= provider[:provider] %>" class="btn btn-primary">
+      Login with <%= provider[:display_name] %>
+    </a>
+    <% end %>
+  </div>
+</div>

metadata

@@ -0,0 +1,116 @@
+--- !ruby/object:Gem::Specification
+name: auth-proxy
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Cristian Bica
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2016-12-22 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: sinatra
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: json
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.13'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.13'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+description: Auth Proxy App (supports user / pass, oauth2)
+email:
+- cristian.bica@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rubocop.yml"
+- Gemfile
+- Gemfile.lock
+- README.md
+- Rakefile
+- auth-proxy.gemspec
+- bin/console
+- bin/setup
+- lib/auth-proxy.rb
+- lib/auth_proxy.rb
+- lib/auth_proxy/app.rb
+- lib/auth_proxy/config.rb
+- lib/auth_proxy/errors.rb
+- lib/auth_proxy/version.rb
+- views/layout.erb
+- views/login.erb
+homepage: https://github.com/cristianbica/auth-proxy
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: Auth Proxy App
+test_files: []