auther 1.2.0 → 1.3.0
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/README.md +28 -14
- data/app/assets/stylesheets/auther/auther.scss +0 -1
- data/app/controllers/auther/base_controller.rb +2 -2
- data/lib/auther.rb +1 -0
- data/lib/auther/engine.rb +4 -0
- data/lib/auther/gatekeeper.rb +47 -8
- data/lib/auther/null_logger.rb +25 -0
- data/lib/auther/version.rb +1 -1
- metadata +3 -2
- metadata.gz.sig +0 -0
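--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 3aa8d5b9e69a0da12775b372eaeb59f432a55e81
+data.tar.gz: 7520d5dec549472e751e7990180d96eb4e4900c6
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 35a1ecbe6c0d2fe98b8453ed77b06fd1942c7a920519097a2cfcc17726a326ca86272813aa1770b026665751e16de37d791ac306ad5727de947406415400fd2d
+data.tar.gz: 7da34db7c1e792ee3c40e7d6dfe2685745985bf26cc71968bbfb465b79d0863bb9647a8291413aacdcea4e09a192ef84db745c64c41ce578fddc55a4518ab455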
checksums.yaml.gz.sig
CHANGED
Binary file
|
data.tar.gz.sig
CHANGED
Binary file
|
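--- a/data/README.md
+++ b/data/README.md
@@ -20,10 +20,11 @@ making for a pleasent user experience.
 
 * Encrypted account credentials.
 * Multiple account support with account specific blacklisted paths.
-* Log filtering for account credentials (login and password).
 * Auto-redirection to requested path (once credentials have been verified).
-*
-* Customizable
+* Log filtering for account credentials (login and password).
+* Customizable logger support.
+* Customizable view support.
+* Customizable controller support.
 
 # Requirements
 
@@ -38,9 +39,12 @@ making for a pleasent user experience.
 For a secure install, type the following from the command line (recommended):
 
 gem cert --add <(curl -Ls http://www.redalchemist.com/gem-public.pem)
-gem install auther --trust-policy
+gem install auther --trust-policy MediumSecurity
+
+NOTE: A HighSecurity trust policy would be best but MediumSecurity enables signed gem verification while
+allowing the installation of unsigned dependencies since they are beyond the scope of this gem.
 
-
+For an insecure install, type the following (not recommended):
 
 gem install auther
 
@@ -70,7 +74,8 @@ Edit your application.rb as follows:
 paths: ["/admin"]
 ],
 secret: "vuKrwD9XWoYuv@s99?tR(9VqryiL,KV{W7wFnejUa4QcVBP+D{2rD4JfuD(mXgA=$tNK4Pfn#NeGs3o3TZ3CqNc^Qb",
-auth_url: "/login"
+auth_url: "/login",
+logger: ActiveSupport::Logger.new("log/#{Rails.env}.log")
 }
 
 end
@@ -78,14 +83,15 @@ Edit your application.rb as follows:
 
 The purpose of each setting is as follows:
 
-* *title* - The HTML page title (as rendered within a browser tab).
-* *label* - The page label (what would appear above the form).
-* *accounts* - The array of accounts with different or similar access to the application.
-* *login* - The encrypted account login. For example, the above decrypts to: *test@test.com*.
-* *password* - The encrypted account password. For example, the above decrypts to: *password*.
-* *paths* - The array of blacklisted paths for which only this account has access to.
-* *secret* - The secret passphrase used to encrypt/decrypt account credentials.
-* *auth_url* - The URL to redirect to when enforcing authentication to a blacklisted path.
+* *title* - Optional. The HTML page title (as rendered within a browser tab). Default: "Authorization".
+* *label* - Optional. The page label (what would appear above the form). Default: "Authorization".
+* *accounts* - Required. The array of accounts with different or similar access to the application.
+* *login* - Required. The encrypted account login. For example, the above decrypts to: *test@test.com*.
+* *password* - Required. The encrypted account password. For example, the above decrypts to: *password*.
+* *paths* - Required. The array of blacklisted paths for which only this account has access to.
+* *secret* - Required. The secret passphrase used to encrypt/decrypt account credentials.
+* *auth_url* - Required. The URL to redirect to when enforcing authentication to a blacklisted path.
+* *logger* - Optional. The logger used to log path/account authorization messages. Default: Auther::NullLogger.
 
 # Usage
 
@@ -148,6 +154,14 @@ As mentioned in the setup above, the routes can also be customized. Example:
 delete "/logout", to: "auther/session#destroy"
 end
 
+## Logging
+
+As mentioned in the setup above, the logger can be customized or removed completely. Examples:
+
+Auther::NullLogger.new # This is the default logger (which is no logging at all).
+ActiveSupport::Logger.new("log/#{Rails.env}.log") # Can be used to log to the environment log.
+Logger.new($stdout) # Can be used to log to standard output.
+
 # Tests
 
 To test, do the following: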
@@ -26,11 +26,11 @@ module Auther
|
|
26
26
|
private
|
27
27
|
|
28
28
|
def load_title
|
29
|
-
@title = settings
|
29
|
+
@title = settings.fetch :title, "Authorization"
|
30
30
|
end
|
31
31
|
|
32
32
|
def load_label
|
33
|
-
@label = settings
|
33
|
+
@label = settings.fetch :label, "Authorization"
|
34
34
|
end
|
35
35
|
|
36
36
|
def settings
|
data/lib/auther.rb
CHANGED
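--- a/data/lib/auther/engine.rb
+++ b/data/lib/auther/engine.rb
@@ -10,6 +10,10 @@ module Auther
 jquery_gem_path = Gem.loaded_specs["jquery-rails"].full_gem_path
 app.config.assets.paths << "#{jquery_gem_path}/vendor/assets/javascripts"
 
+# Add Modernizr assets.
+modernizr_gem_path = Gem.loaded_specs["modernizr-rails"].full_gem_path
+app.config.assets.paths << "#{modernizr_gem_path}/vendor/assets/javascripts"
+
 # Add Zurb Foundation assets.
 foundation_gem_path = Gem.loaded_specs["foundation-rails"].full_gem_path
 app.config.assets.paths << "#{foundation_gem_path}/vendor/assets/stylesheets"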
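--- a/data/lib/auther/gatekeeper.rb
+++ b/data/lib/auther/gatekeeper.rb
@@ -1,10 +1,11 @@
 module Auther
 class Gatekeeper
-attr_reader :application, :environment, :settings
+attr_reader :application, :environment, :settings, :logger
 
 def initialize application, settings = []
 @application = application
 @settings = settings
+@logger = @settings.fetch :logger, Auther::NullLogger.new(STDOUT)
 end
 
 def call environment
@@ -35,19 +36,45 @@ module Auther
 Rack::Response.new body, status, headers
 end
 
+def info message
+id = "[#{Auther::Keymaster.namespace}]"
+logger.info [id, message].join(": ")
+end
+
 def find_account
 session["auther_init"] = true # Force session to initialize.
 account_name = Auther::Keymaster.get_account_name session
-settings.fetch(:accounts).
+account = settings.fetch(:accounts).detect { |account| account.fetch(:name) == account_name }
+
+account ? info("Account found.") : info("Account unknown.")
+account
+end
+
+def clean_paths paths
+paths.map { |path| path.chomp '/' }
+end
+
+def blacklisted_paths accounts
+paths = accounts.map { |account| clean_paths account.fetch(:paths) }
+paths.flatten.uniq
 end
 
-def
-
-
+def blacklisted_matched_paths accounts, path
+paths = blacklisted_paths accounts
+paths.select { |blacklisted_path| path.include? blacklisted_path }
 end
 
 def blacklisted_account? account, path
-account.fetch(:paths)
+paths = clean_paths account.fetch(:paths)
+blacklisted = paths.include? path
+
+if blacklisted
+info %(Authorization failed! Requested path "#{request.path}" blacklisted by "#{account.fetch :name}" account blacklist: #{paths}.)
+else
+info %(Authorization passed. Requested path "#{request.path}" allowed for "#{account.fetch :name}" account blacklist: #{paths}.)
+end
+
+blacklisted
 end
 
 def authenticated? account
@@ -59,15 +86,27 @@ module Auther
 session_password = cipher.decrypt session[keymaster.password_key]
 account_login = cipher.decrypt account.fetch(:login)
 account_password = cipher.decrypt account.fetch(:password)
+authenticated = session_login == account_login && session_password == account_password
+
+if authenticated
+info %(Authentication passed for "#{account.fetch :name}" account.)
+else
+info %(Authentication failed for "#{account.fetch :name}" account!)
+end
 
-
+authenticated
 rescue ActiveSupport::MessageVerifier::InvalidSignature => error
+info %(Authentication failed! Invalid credential(s) for "#{account.fetch :name}" account.)
 false
 end
 end
 
 def authorized? path
-
+accounts = settings.fetch :accounts
+all_blacklisted_paths = blacklisted_paths settings.fetch(:accounts)
+
+if blacklisted_matched_paths(accounts, path).any?
+info %(Requested path "#{request.path}" found in blacklisted paths: #{all_blacklisted_paths}.)
 account = find_account
 account && authenticated?(account) && !blacklisted_account?(account, path)
 else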
@@ -0,0 +1,25 @@
|
|
1
|
+
module Auther
|
2
|
+
# The default logger which purposefully does nothing at all.
|
3
|
+
class NullLogger
|
4
|
+
def initialize(*)
|
5
|
+
end
|
6
|
+
|
7
|
+
def info(*)
|
8
|
+
end
|
9
|
+
|
10
|
+
def info(*)
|
11
|
+
end
|
12
|
+
|
13
|
+
def warn(*)
|
14
|
+
end
|
15
|
+
|
16
|
+
def error(*)
|
17
|
+
end
|
18
|
+
|
19
|
+
def fatal(*)
|
20
|
+
end
|
21
|
+
|
22
|
+
def debug(*)
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
data/lib/auther/version.rb
CHANGED
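--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: auther
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.3.0
 platform: ruby
 authors:
 - Brooke Kuhlmann
@@ -30,7 +30,7 @@ cert_chain:
 SJpzzzZ8gO6BKn4fhd+ENNQ333Qy3nuNk07TVIaNnlgeHhowUDuD9T7Z8Lka0pt3
 4PteiTppsf0SSVAM9zSO5IuFngXMRwWgvjOfXE70f43RDuUVTCSyylc=
 -----END CERTIFICATE-----
-date: 2014-
+date: 2014-05-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: pry-byebug
@@ -285,6 +285,7 @@ files:
 - lib/auther/engine.rb
 - lib/auther/gatekeeper.rb
 - lib/auther/keymaster.rb
+- lib/auther/null_logger.rb
 - lib/auther/version.rb
 homepage: https://github.com/bkuhlmann/auther
 licenses: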
metadata.gz.sig
CHANGED
Binary file
|