auther 1.2.0 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- checksums.yaml.gz.sig +0 -0
- data.tar.gz.sig +0 -0
- data/README.md +28 -14
- data/app/assets/stylesheets/auther/auther.scss +0 -1
- data/app/controllers/auther/base_controller.rb +2 -2
- data/lib/auther.rb +1 -0
- data/lib/auther/engine.rb +4 -0
- data/lib/auther/gatekeeper.rb +47 -8
- data/lib/auther/null_logger.rb +25 -0
- data/lib/auther/version.rb +1 -1
- metadata +3 -2
- metadata.gz.sig +0 -0
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 3aa8d5b9e69a0da12775b372eaeb59f432a55e81
|
|
4
|
+
data.tar.gz: 7520d5dec549472e751e7990180d96eb4e4900c6
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 35a1ecbe6c0d2fe98b8453ed77b06fd1942c7a920519097a2cfcc17726a326ca86272813aa1770b026665751e16de37d791ac306ad5727de947406415400fd2d
|
|
7
|
+
data.tar.gz: 7da34db7c1e792ee3c40e7d6dfe2685745985bf26cc71968bbfb465b79d0863bb9647a8291413aacdcea4e09a192ef84db745c64c41ce578fddc55a4518ab455
|
checksums.yaml.gz.sig
CHANGED
|
Binary file
|
data.tar.gz.sig
CHANGED
|
Binary file
|
data/README.md
CHANGED
|
@@ -20,10 +20,11 @@ making for a pleasent user experience.
|
|
|
20
20
|
|
|
21
21
|
* Encrypted account credentials.
|
|
22
22
|
* Multiple account support with account specific blacklisted paths.
|
|
23
|
-
* Log filtering for account credentials (login and password).
|
|
24
23
|
* Auto-redirection to requested path (once credentials have been verified).
|
|
25
|
-
*
|
|
26
|
-
* Customizable
|
|
24
|
+
* Log filtering for account credentials (login and password).
|
|
25
|
+
* Customizable logger support.
|
|
26
|
+
* Customizable view support.
|
|
27
|
+
* Customizable controller support.
|
|
27
28
|
|
|
28
29
|
# Requirements
|
|
29
30
|
|
|
@@ -38,9 +39,12 @@ making for a pleasent user experience.
|
|
|
38
39
|
For a secure install, type the following from the command line (recommended):
|
|
39
40
|
|
|
40
41
|
gem cert --add <(curl -Ls http://www.redalchemist.com/gem-public.pem)
|
|
41
|
-
gem install auther --trust-policy
|
|
42
|
+
gem install auther --trust-policy MediumSecurity
|
|
43
|
+
|
|
44
|
+
NOTE: A HighSecurity trust policy would be best but MediumSecurity enables signed gem verification while
|
|
45
|
+
allowing the installation of unsigned dependencies since they are beyond the scope of this gem.
|
|
42
46
|
|
|
43
|
-
|
|
47
|
+
For an insecure install, type the following (not recommended):
|
|
44
48
|
|
|
45
49
|
gem install auther
|
|
46
50
|
|
|
@@ -70,7 +74,8 @@ Edit your application.rb as follows:
|
|
|
70
74
|
paths: ["/admin"]
|
|
71
75
|
],
|
|
72
76
|
secret: "vuKrwD9XWoYuv@s99?tR(9VqryiL,KV{W7wFnejUa4QcVBP+D{2rD4JfuD(mXgA=$tNK4Pfn#NeGs3o3TZ3CqNc^Qb",
|
|
73
|
-
auth_url: "/login"
|
|
77
|
+
auth_url: "/login",
|
|
78
|
+
logger: ActiveSupport::Logger.new("log/#{Rails.env}.log")
|
|
74
79
|
}
|
|
75
80
|
|
|
76
81
|
end
|
|
@@ -78,14 +83,15 @@ Edit your application.rb as follows:
|
|
|
78
83
|
|
|
79
84
|
The purpose of each setting is as follows:
|
|
80
85
|
|
|
81
|
-
* *title* - The HTML page title (as rendered within a browser tab).
|
|
82
|
-
* *label* - The page label (what would appear above the form).
|
|
83
|
-
* *accounts* - The array of accounts with different or similar access to the application.
|
|
84
|
-
* *login* - The encrypted account login. For example, the above decrypts to: *test@test.com*.
|
|
85
|
-
* *password* - The encrypted account password. For example, the above decrypts to: *password*.
|
|
86
|
-
* *paths* - The array of blacklisted paths for which only this account has access to.
|
|
87
|
-
* *secret* - The secret passphrase used to encrypt/decrypt account credentials.
|
|
88
|
-
* *auth_url* - The URL to redirect to when enforcing authentication to a blacklisted path.
|
|
86
|
+
* *title* - Optional. The HTML page title (as rendered within a browser tab). Default: "Authorization".
|
|
87
|
+
* *label* - Optional. The page label (what would appear above the form). Default: "Authorization".
|
|
88
|
+
* *accounts* - Required. The array of accounts with different or similar access to the application.
|
|
89
|
+
* *login* - Required. The encrypted account login. For example, the above decrypts to: *test@test.com*.
|
|
90
|
+
* *password* - Required. The encrypted account password. For example, the above decrypts to: *password*.
|
|
91
|
+
* *paths* - Required. The array of blacklisted paths for which only this account has access to.
|
|
92
|
+
* *secret* - Required. The secret passphrase used to encrypt/decrypt account credentials.
|
|
93
|
+
* *auth_url* - Required. The URL to redirect to when enforcing authentication to a blacklisted path.
|
|
94
|
+
* *logger* - Optional. The logger used to log path/account authorization messages. Default: Auther::NullLogger.
|
|
89
95
|
|
|
90
96
|
# Usage
|
|
91
97
|
|
|
@@ -148,6 +154,14 @@ As mentioned in the setup above, the routes can also be customized. Example:
|
|
|
148
154
|
delete "/logout", to: "auther/session#destroy"
|
|
149
155
|
end
|
|
150
156
|
|
|
157
|
+
## Logging
|
|
158
|
+
|
|
159
|
+
As mentioned in the setup above, the logger can be customized or removed completely. Examples:
|
|
160
|
+
|
|
161
|
+
Auther::NullLogger.new # This is the default logger (which is no logging at all).
|
|
162
|
+
ActiveSupport::Logger.new("log/#{Rails.env}.log") # Can be used to log to the environment log.
|
|
163
|
+
Logger.new($stdout) # Can be used to log to standard output.
|
|
164
|
+
|
|
151
165
|
# Tests
|
|
152
166
|
|
|
153
167
|
To test, do the following:
|
|
@@ -26,11 +26,11 @@ module Auther
|
|
|
26
26
|
private
|
|
27
27
|
|
|
28
28
|
def load_title
|
|
29
|
-
@title = settings
|
|
29
|
+
@title = settings.fetch :title, "Authorization"
|
|
30
30
|
end
|
|
31
31
|
|
|
32
32
|
def load_label
|
|
33
|
-
@label = settings
|
|
33
|
+
@label = settings.fetch :label, "Authorization"
|
|
34
34
|
end
|
|
35
35
|
|
|
36
36
|
def settings
|
data/lib/auther.rb
CHANGED
data/lib/auther/engine.rb
CHANGED
|
@@ -10,6 +10,10 @@ module Auther
|
|
|
10
10
|
jquery_gem_path = Gem.loaded_specs["jquery-rails"].full_gem_path
|
|
11
11
|
app.config.assets.paths << "#{jquery_gem_path}/vendor/assets/javascripts"
|
|
12
12
|
|
|
13
|
+
# Add Modernizr assets.
|
|
14
|
+
modernizr_gem_path = Gem.loaded_specs["modernizr-rails"].full_gem_path
|
|
15
|
+
app.config.assets.paths << "#{modernizr_gem_path}/vendor/assets/javascripts"
|
|
16
|
+
|
|
13
17
|
# Add Zurb Foundation assets.
|
|
14
18
|
foundation_gem_path = Gem.loaded_specs["foundation-rails"].full_gem_path
|
|
15
19
|
app.config.assets.paths << "#{foundation_gem_path}/vendor/assets/stylesheets"
|
data/lib/auther/gatekeeper.rb
CHANGED
|
@@ -1,10 +1,11 @@
|
|
|
1
1
|
module Auther
|
|
2
2
|
class Gatekeeper
|
|
3
|
-
attr_reader :application, :environment, :settings
|
|
3
|
+
attr_reader :application, :environment, :settings, :logger
|
|
4
4
|
|
|
5
5
|
def initialize application, settings = []
|
|
6
6
|
@application = application
|
|
7
7
|
@settings = settings
|
|
8
|
+
@logger = @settings.fetch :logger, Auther::NullLogger.new(STDOUT)
|
|
8
9
|
end
|
|
9
10
|
|
|
10
11
|
def call environment
|
|
@@ -35,19 +36,45 @@ module Auther
|
|
|
35
36
|
Rack::Response.new body, status, headers
|
|
36
37
|
end
|
|
37
38
|
|
|
39
|
+
def info message
|
|
40
|
+
id = "[#{Auther::Keymaster.namespace}]"
|
|
41
|
+
logger.info [id, message].join(": ")
|
|
42
|
+
end
|
|
43
|
+
|
|
38
44
|
def find_account
|
|
39
45
|
session["auther_init"] = true # Force session to initialize.
|
|
40
46
|
account_name = Auther::Keymaster.get_account_name session
|
|
41
|
-
settings.fetch(:accounts).
|
|
47
|
+
account = settings.fetch(:accounts).detect { |account| account.fetch(:name) == account_name }
|
|
48
|
+
|
|
49
|
+
account ? info("Account found.") : info("Account unknown.")
|
|
50
|
+
account
|
|
51
|
+
end
|
|
52
|
+
|
|
53
|
+
def clean_paths paths
|
|
54
|
+
paths.map { |path| path.chomp '/' }
|
|
55
|
+
end
|
|
56
|
+
|
|
57
|
+
def blacklisted_paths accounts
|
|
58
|
+
paths = accounts.map { |account| clean_paths account.fetch(:paths) }
|
|
59
|
+
paths.flatten.uniq
|
|
42
60
|
end
|
|
43
61
|
|
|
44
|
-
def
|
|
45
|
-
|
|
46
|
-
|
|
62
|
+
def blacklisted_matched_paths accounts, path
|
|
63
|
+
paths = blacklisted_paths accounts
|
|
64
|
+
paths.select { |blacklisted_path| path.include? blacklisted_path }
|
|
47
65
|
end
|
|
48
66
|
|
|
49
67
|
def blacklisted_account? account, path
|
|
50
|
-
account.fetch(:paths)
|
|
68
|
+
paths = clean_paths account.fetch(:paths)
|
|
69
|
+
blacklisted = paths.include? path
|
|
70
|
+
|
|
71
|
+
if blacklisted
|
|
72
|
+
info %(Authorization failed! Requested path "#{request.path}" blacklisted by "#{account.fetch :name}" account blacklist: #{paths}.)
|
|
73
|
+
else
|
|
74
|
+
info %(Authorization passed. Requested path "#{request.path}" allowed for "#{account.fetch :name}" account blacklist: #{paths}.)
|
|
75
|
+
end
|
|
76
|
+
|
|
77
|
+
blacklisted
|
|
51
78
|
end
|
|
52
79
|
|
|
53
80
|
def authenticated? account
|
|
@@ -59,15 +86,27 @@ module Auther
|
|
|
59
86
|
session_password = cipher.decrypt session[keymaster.password_key]
|
|
60
87
|
account_login = cipher.decrypt account.fetch(:login)
|
|
61
88
|
account_password = cipher.decrypt account.fetch(:password)
|
|
89
|
+
authenticated = session_login == account_login && session_password == account_password
|
|
90
|
+
|
|
91
|
+
if authenticated
|
|
92
|
+
info %(Authentication passed for "#{account.fetch :name}" account.)
|
|
93
|
+
else
|
|
94
|
+
info %(Authentication failed for "#{account.fetch :name}" account!)
|
|
95
|
+
end
|
|
62
96
|
|
|
63
|
-
|
|
97
|
+
authenticated
|
|
64
98
|
rescue ActiveSupport::MessageVerifier::InvalidSignature => error
|
|
99
|
+
info %(Authentication failed! Invalid credential(s) for "#{account.fetch :name}" account.)
|
|
65
100
|
false
|
|
66
101
|
end
|
|
67
102
|
end
|
|
68
103
|
|
|
69
104
|
def authorized? path
|
|
70
|
-
|
|
105
|
+
accounts = settings.fetch :accounts
|
|
106
|
+
all_blacklisted_paths = blacklisted_paths settings.fetch(:accounts)
|
|
107
|
+
|
|
108
|
+
if blacklisted_matched_paths(accounts, path).any?
|
|
109
|
+
info %(Requested path "#{request.path}" found in blacklisted paths: #{all_blacklisted_paths}.)
|
|
71
110
|
account = find_account
|
|
72
111
|
account && authenticated?(account) && !blacklisted_account?(account, path)
|
|
73
112
|
else
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
module Auther
|
|
2
|
+
# The default logger which purposefully does nothing at all.
|
|
3
|
+
class NullLogger
|
|
4
|
+
def initialize(*)
|
|
5
|
+
end
|
|
6
|
+
|
|
7
|
+
def info(*)
|
|
8
|
+
end
|
|
9
|
+
|
|
10
|
+
def info(*)
|
|
11
|
+
end
|
|
12
|
+
|
|
13
|
+
def warn(*)
|
|
14
|
+
end
|
|
15
|
+
|
|
16
|
+
def error(*)
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
def fatal(*)
|
|
20
|
+
end
|
|
21
|
+
|
|
22
|
+
def debug(*)
|
|
23
|
+
end
|
|
24
|
+
end
|
|
25
|
+
end
|
data/lib/auther/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: auther
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.
|
|
4
|
+
version: 1.3.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Brooke Kuhlmann
|
|
@@ -30,7 +30,7 @@ cert_chain:
|
|
|
30
30
|
SJpzzzZ8gO6BKn4fhd+ENNQ333Qy3nuNk07TVIaNnlgeHhowUDuD9T7Z8Lka0pt3
|
|
31
31
|
4PteiTppsf0SSVAM9zSO5IuFngXMRwWgvjOfXE70f43RDuUVTCSyylc=
|
|
32
32
|
-----END CERTIFICATE-----
|
|
33
|
-
date: 2014-
|
|
33
|
+
date: 2014-05-27 00:00:00.000000000 Z
|
|
34
34
|
dependencies:
|
|
35
35
|
- !ruby/object:Gem::Dependency
|
|
36
36
|
name: pry-byebug
|
|
@@ -285,6 +285,7 @@ files:
|
|
|
285
285
|
- lib/auther/engine.rb
|
|
286
286
|
- lib/auther/gatekeeper.rb
|
|
287
287
|
- lib/auther/keymaster.rb
|
|
288
|
+
- lib/auther/null_logger.rb
|
|
288
289
|
- lib/auther/version.rb
|
|
289
290
|
homepage: https://github.com/bkuhlmann/auther
|
|
290
291
|
licenses:
|
metadata.gz.sig
CHANGED
|
Binary file
|