balrog 0.1.0 → 2.0.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d547df9399a56595525e88ceedc04c00d5cb8f85cee27416207936a073c7dd1a
-  data.tar.gz: '075180b9db86f64cc1f158d03e9b7207979b9cf0641af2d849f1cdc64b7117b8'
+  metadata.gz: c908a9916866b576a2914041573fed0ae64555a1956b3a94a3c36e37476e7cf6
+  data.tar.gz: 814d65c1b25cfe3e3a561daed8091643694ce81a70eb543eaa40c09939689183
 SHA512:
-  metadata.gz: 8b2232fc4ef9d7f6f520e6b38f9d495d192258429451fe664ba526f49859f089682219b998dcc0ae5f1d3170cb3943a048a5638475d7869162f2ed63b44f3612
-  data.tar.gz: b7a2f314a0b1cd7afd0ff667c2d6799f760ac0c91be8e1f204c108a2a10ffb09df9f99aa594e161168782f03926c95ae012f02b508c1e2fe62bd88e2b8169fc3
+  metadata.gz: 58872926e04fd6bafd1bdb12915d5a3e0aad33a7e79a82ac074cad45bd8da011cd1f760aae6cb6a8035fd2f1beb2d4a6f16cc2b2c4e3a1ec78718eef4f61b732
+  data.tar.gz: b1c7fd33821672a9f59818fe5a543fca3c5d14221d1fac6ff23b5566ec53e63cc2d8f07323057793094edbb7bf5673c72f64bd802cc97febda0973eb5169e7d3

data/.circleci/config.yml

@@ -0,0 +1,56 @@
+version: 2.1
+
+jobs:
+  build:
+    docker:
+      - image: circleci/ruby:2.6.2-node-browsers
+      - image: circleci/redis:5.0.4
+
+    working_directory: ~/repo/spec/dummy-rails-app
+
+    steps:
+      - checkout:
+          path: ~/repo
+
+      # Download and cache dependencies
+      - restore_cache:
+          name: Restore Rubygems cache
+          keys:
+          - v1-rubygems-{{ checksum "Gemfile.lock" }}
+          # fallback to using the latest cache if no exact match is found
+          - v1-rubygems-
+
+      - run:
+          name: Install bundler
+          command: |
+            gem install bundler:2.0.1
+      - run:
+          name: Install Ruby dependencies
+          command: |
+            bundle install --jobs=4 --retry=3 --path vendor/bundle
+
+      - save_cache:
+          name: Save Rubygems cache
+          paths:
+            - ./vendor/bundle
+          key: v1-rubygems-{{ checksum "Gemfile.lock" }}
+
+      # run tests!
+      - run:
+          name: run tests
+          command: |
+            mkdir /tmp/test-results
+            TEST_FILES="$(circleci tests glob "spec/**/*_spec.rb" | circleci tests split --split-by=timings)"
+            
+            bundle exec rspec --format progress \
+                              --format RspecJunitFormatter \
+                              --out /tmp/test-results/rspec.xml \
+                              --format progress \
+                              $TEST_FILES
+
+      # collect reports
+      - store_test_results:
+          path: /tmp/test-results
+      - store_artifacts:
+          path: /tmp/test-results
+          destination: test-results

data/.gitignore

@@ -11,3 +11,5 @@
 .rspec_status
 
 .DS_Store
+
+**/dump.rdb

data/CHANGELOG.md

@@ -0,0 +1,27 @@
+# 2.0.0
+
+- Enhancements
+  - added support for single sign-on.
+
+- BREAKING
+  - Balrog can no longer be initialized via `Rails.application.config.middleware.use Balrog::Middleware`. Instead, you need to configure Balrog with `Balrog::Middleware.setup`. See the [README](https://github.com/pixielabs/balrog#Upgrading-from-1.1-to-2.0) for more info.
+  - The instance method `Balrog::Middleware#password_hash` has been converted into a class method `Balrog::Middleware.set_password_hash`. See the [README](https://github.com/pixielabs/balrog#Upgrading-from-1.1-to-2.0) for more info.
+  - The instance method `Balrog::Middleware#set_session_expiry` has been converted into a class method `Balrog::Middleware.set_session_expiry`. See the [README](https://github.com/pixielabs/balrog#Upgrading-from-1.1-to-2.0) for more info.
+
+# 1.1.0
+
+- added `Balrog::Middleware#set_session_expiry`, which would force end users to login again after a certain period of time.
+- added `balrog:view` generator, enabling users to modify their Balrog gate view.
+
+# 1.0.0
+
+- added `Balrog::RoutesMiddleware` module, which can be used to protect mounted Rack applications.
+- dropped support for Rails < 5.
+
+# 0.2.0
+
+- added `balrog_logout_button` view helper method.
+
+# 0.1.0
+
+- initial release.

data/Gemfile.lock

@@ -1,28 +1,151 @@
 PATH
   remote: .
   specs:
-    balrog (0.1.0)
+    balrog (2.0.1)
       bcrypt (~> 3.0)
+      rails (>= 5)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    bcrypt (3.1.12)
+    actioncable (6.0.2.2)
+      actionpack (= 6.0.2.2)
+      nio4r (~> 2.0)
+      websocket-driver (>= 0.6.1)
+    actionmailbox (6.0.2.2)
+      actionpack (= 6.0.2.2)
+      activejob (= 6.0.2.2)
+      activerecord (= 6.0.2.2)
+      activestorage (= 6.0.2.2)
+      activesupport (= 6.0.2.2)
+      mail (>= 2.7.1)
+    actionmailer (6.0.2.2)
+      actionpack (= 6.0.2.2)
+      actionview (= 6.0.2.2)
+      activejob (= 6.0.2.2)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 2.0)
+    actionpack (6.0.2.2)
+      actionview (= 6.0.2.2)
+      activesupport (= 6.0.2.2)
+      rack (~> 2.0, >= 2.0.8)
+      rack-test (>= 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.2.0)
+    actiontext (6.0.2.2)
+      actionpack (= 6.0.2.2)
+      activerecord (= 6.0.2.2)
+      activestorage (= 6.0.2.2)
+      activesupport (= 6.0.2.2)
+      nokogiri (>= 1.8.5)
+    actionview (6.0.2.2)
+      activesupport (= 6.0.2.2)
+      builder (~> 3.1)
+      erubi (~> 1.4)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.1, >= 1.2.0)
+    activejob (6.0.2.2)
+      activesupport (= 6.0.2.2)
+      globalid (>= 0.3.6)
+    activemodel (6.0.2.2)
+      activesupport (= 6.0.2.2)
+    activerecord (6.0.2.2)
+      activemodel (= 6.0.2.2)
+      activesupport (= 6.0.2.2)
+    activestorage (6.0.2.2)
+      actionpack (= 6.0.2.2)
+      activejob (= 6.0.2.2)
+      activerecord (= 6.0.2.2)
+      marcel (~> 0.3.1)
+    activesupport (6.0.2.2)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 0.7, < 2)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+      zeitwerk (~> 2.2)
+    bcrypt (3.1.13)
+    builder (3.2.4)
+    concurrent-ruby (1.1.6)
+    crass (1.0.6)
     diff-lcs (1.3)
+    erubi (1.9.0)
+    globalid (0.4.2)
+      activesupport (>= 4.2.0)
+    i18n (1.8.2)
+      concurrent-ruby (~> 1.0)
+    loofah (2.5.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.5.9)
+    mail (2.7.1)
+      mini_mime (>= 0.1.1)
+    marcel (0.3.3)
+      mimemagic (~> 0.3.2)
+    method_source (1.0.0)
+    mimemagic (0.3.4)
+    mini_mime (1.0.2)
+    mini_portile2 (2.4.0)
+    minitest (5.14.0)
+    nio4r (2.5.2)
+    nokogiri (1.10.9)
+      mini_portile2 (~> 2.4.0)
+    rack (2.2.2)
+    rack-test (1.1.0)
+      rack (>= 1.0, < 3)
+    rails (6.0.2.2)
+      actioncable (= 6.0.2.2)
+      actionmailbox (= 6.0.2.2)
+      actionmailer (= 6.0.2.2)
+      actionpack (= 6.0.2.2)
+      actiontext (= 6.0.2.2)
+      actionview (= 6.0.2.2)
+      activejob (= 6.0.2.2)
+      activemodel (= 6.0.2.2)
+      activerecord (= 6.0.2.2)
+      activestorage (= 6.0.2.2)
+      activesupport (= 6.0.2.2)
+      bundler (>= 1.3.0)
+      railties (= 6.0.2.2)
+      sprockets-rails (>= 2.0.0)
+    rails-dom-testing (2.0.3)
+      activesupport (>= 4.2.0)
+      nokogiri (>= 1.6)
+    rails-html-sanitizer (1.3.0)
+      loofah (~> 2.3)
+    railties (6.0.2.2)
+      actionpack (= 6.0.2.2)
+      activesupport (= 6.0.2.2)
+      method_source
+      rake (>= 0.8.7)
+      thor (>= 0.20.3, < 2.0)
     rake (10.5.0)
-    rspec (3.8.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-    rspec-core (3.8.0)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.2)
+    rspec (3.9.0)
+      rspec-core (~> 3.9.0)
+      rspec-expectations (~> 3.9.0)
+      rspec-mocks (~> 3.9.0)
+    rspec-core (3.9.0)
+      rspec-support (~> 3.9.0)
+    rspec-expectations (3.9.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+      rspec-support (~> 3.9.0)
+    rspec-mocks (3.9.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-support (3.8.0)
+      rspec-support (~> 3.9.0)
+    rspec-support (3.9.0)
+    sprockets (4.0.0)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.2.1)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    thor (1.0.1)
+    thread_safe (0.3.6)
+    tzinfo (1.2.7)
+      thread_safe (~> 0.1)
+    websocket-driver (0.7.1)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.4)
+    zeitwerk (2.3.0)
 
 PLATFORMS
   ruby

data/README.md

@@ -2,22 +2,35 @@
 
 ![Balrog logo](https://user-images.githubusercontent.com/32128719/55335192-9566a000-5492-11e9-9449-746de68fbe94.png)
 
-Balrog is a lightweight authorization library for Ruby on Rails that can
-protect your routes with a single username & password combination.
-
-Balrog is an alternative to `http_basic_authentication_with` that provides some
-advantages:
-
-* Uses a password hash instead of a plaintext password.
-* Provides a lightweight HTML form instead of inconsistent basic
-  authentication.
-* Better support for password managers (which often don't support basic
-  authentication dialog boxes).
-
-## Requirements
-
-Balrog is designed to be used with Ruby on Rails applications, and has been
-tested against Ruby on Rails 5.
+[![Gem Version](https://badge.fury.io/rb/balrog.svg)](https://badge.fury.io/rb/balrog)
+[![CircleCI](https://circleci.com/gh/pixielabs/balrog.svg?style=svg)](https://circleci.com/gh/pixielabs/balrog)
+
+Balrog is a lightweight authorization library for Ruby on Rails >= 5 written by
+[Pixie Labs](https://pixielabs.io) that can protect your routes. Balrog can be 
+configured to authorize users using a simple password or single sign-on or both.
+
+- If you choose to protect your routes with a password, the password will be 
+ stored as a password hash, not plain text, and Balrog provides a lightweight 
+ HTML form that can be styled and used with password managers.
+- If you choose to configure Balrog to use SSO, you can whitelist multiple email 
+domains, allowing groups of users access parts of your app, without circulating
+a password.
+- Balrog's authentication can and should be configured to expire, requiring 
+users to sign-in again in accordance with [OWASP](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#session-expiration) best practices.
+- Balrog can also be used to restrict access to [mounted Rack applications](#Restricting-access-to-mounted-Rack-applications-within-config/routes.rb) like Sidekiq.
+
+## Table of Contents
+
+- [Installation](#Installation)
+- [Regenerating a password hash](#Regenerating-a-password-hash)
+- [Restricting access in a controller](#Restricting-access-in-a-controller)
+- [Restricting access to mounted Rack applications](#Restricting-access-to-mounted-Rack-applications-within-config/routes.rb)
+- [Logout button](#Logout-button)
+- [Changing session expiry length](#Changing-session-expiry-length)
+- [Configuring the Balrog gate view](#Configuring-the-Balrog-gate-view)
+- [Single Sign On](#Single-Sign-On)
+- [Upgrading from 1.1 to 2.0](#Upgrading-from-1.1-to-2.0)
+- [Contributing](#Contributing)
 
 ## Installation
 
@@ -29,10 +42,10 @@ gem 'balrog'
 
 Run the installer to generate an initializer:
 
-```
+```shell
 $ bundle exec rails generate balrog:install
-Enter New Password:
-Confirm New Password:
+Enter New Password: 
+Confirm New Password: 
       create  config/initializers/balrog.rb
 $
 ```
@@ -60,8 +73,169 @@ class AdminController < ApplicationController
 end
 ```
 
+## Restricting access to mounted Rack applications within config/routes.rb
+
+Use the `.use` [method](https://www.rubydoc.info/gems/rack/Rack%2FBuilder:use) to add Balrog to the 'stack'. 
+
+For example with Sidekiq::Web...
+
+```ruby
+# Then we tell SideKiq to use Balrog::RoutesMiddleware
+Sidekiq::Web.use Balrog::RoutesMiddleware
+
+mount Sidekiq::Web => '/sidekiq'
+```
+
+N.B. If you are mounting Sidekiq Web, you need to [disable Sidekiq Web's session in config/initializers/sidekiq.rb](https://github.com/mperham/sidekiq/issues/3377#issuecomment-381254940).
+
+```ruby
+require 'sidekiq/web'
+
+# In order to force sidekiq to use the rails app's session,
+# we need to disable the Sidekiq's session.
+Sidekiq::Web.disable(:sessions)
+```
+
+## Logout button
+
+To add a logout button, you can call the `balrog_logout_button` view helper
+method and pass in a hash of HTML options to style it. After logout, the user
+will be redirected to the root of the app.
+
+For example, in your view:
+
+```erb
+<ul class='nav'>
+  <li>....</li>
+  <li><%= balrog_logout_button 'Admin Logout' %></li>
+  <li>....</li>
+</ul>
+```
+
+Other usage examples:
+
+```erb
+<%= balrog_logout_button %>
+<%= balrog_logout_button "Leave this place" %>
+<%= balrog_logout_button "Click me", class: 'fancy-button--with-custom-text' %>
+<%= balrog_logout_button class: 'fancy-button--with-default-text' %>
+```
+
+## Changing session expiry length
+
+`set_session_expiry` requires the user to login again after a period of time.
+To customise this value, open `config/initializers/balrog.rb` after running `balrog:install`
+and change the argument being passed to `set_session_expiry`.
+
+The argument passed to `set_session_expiry` can be any of the
+[Rails time extensions](https://api.rubyonrails.org/classes/Numeric.html).
+
+If you don't want sessions to expire, remove `set_session_expiry`
+from the initializer completely.
+
+```ruby
+Balrog::Middleware.setup do |config|
+  config.password_hash '$2a$12$BLz7XCFdG9YfwL64KlTgY.T3FY55aQk8SZEzHfpHfw15F2uN1kuSi'
+  config.set_session_expiry 30.minutes
+end
+```
+
+## Configuring the Balrog gate view
+
+We built Balrog to have a default view and stylesheet so that you can drop 
+Balrog into your project and everything should “just work”.
+However, we don't want to be in your way if you needed to customise 
+your Balrog gate view.
+
+If you want to customise the Balrog view, you can run the `balrog:view` 
+generator, which will copy the required view and layout to your application:
+
+```shell
+$ rails generate balrog:view
+```
+
+After running the generator, you can now add elements and classes to the 
+`views/balrog/gate.html.erb`, add styles to the 
+`assets/stylesheets/application.css` and import the application stylesheet in 
+`app/views/layouts/balrog.html.erb`. For an example, see the 
+[dummy-rails-app](https://github.com/pixielabs/balrog/tree/master/spec/dummy-rails-app) in the spec folder.
+
+## Single Sign On
+
+To add single sign on you will need to add the [omniauth gem](https://github.com/omniauth/omniauth)
+to your gem file, along with the omniauth gem for your chosen
+[provider](https://github.com/omniauth/omniauth/wiki/List-of-Strategies).
+
+In `config/initializers/balrog.rb`, call `config.set_omniauth` in the setup block.
+`.set_omniauth` takes the same arguments as the `OmniAuth::Builder#provider`
+[method](https://github.com/omniauth/omniauth#getting-started),
+a provider and any required keys.
+
+To whitelist any email addresses with a specific domain, call
+`config.set_domain_whitelist`in the setup block and pass in the domain.
+If you want to whitelist multiple domains, you can pass multiple domains
+to the `.set_domain_whitelist`.
+
+Balrog does not require a password to be set if you wish to use single sign-on only. 
+
+```ruby
+Balrog::Middleware.setup do |config|
+  credentials = Rails.application.credentials
+  config.set_omniauth :google_oauth2, credentials.google_client_id, credentials.google_client_secret
+  config.set_domain_whitelist 'pixielabs.io', 'the_fellowship.com'
+end
+```
+**Please note:** there is currently a CSRF vulnerability which affects OmniAuth 
+(designated [CVE-2015-9284](https://nvd.nist.gov/vuln/detail/CVE-2015-9284)) 
+that requires mitigation at the application level. More details on how to do 
+this can be found on the [Omniauth Wiki](https://github.com/omniauth/omniauth/wiki/Resolving-CVE-2015-9284).
+
+## Upgrading from 1.1 to 2.0
+
+To upgrade, you will need to change your Balrog initializer. 
+
+1. Instead of calling `Rails.application.config.middleware.use Balrog::Middleware`, you will now need to call `Balrog::Middleware.setup`. 
+
+2. Change the block you pass into these methods. `#password_hash` and `#set_session_expiry` now need to called on a block parameter, e.g `set_session_expiry 30.minutes` needs to be changed to `config.set_session_expiry 30.minutes`.
+
+See below for code examples.
+
+```ruby
+# Balrog 1.1
+Rails.application.config.middleware.use Balrog::Middleware do
+  password_hash '$2a$12$I8Fp3e2GfSdM7KFyoMx56.BVdHeeyk9DQWKkdsxw7USvU/mC8a8.q'
+  set_session_expiry 30.minutes
+end
+```
+
+```ruby
+# Balrog 2.0
+Balrog::Middleware.setup do |config|
+  config.set_password_hash '$2a$12$9lquJW6mVYYS1pD1xYMGzulyC6sEDuLIUfkA/Y7F3RQ8psLNYyLeO'
+  config.set_session_expiry 30.minutes
+end
+```
+
 ## Contributing
 
+### Running the tests
+
+Tests are part of the dummy Rails app within the spec folder. To run the tests:
+
+```
+$ cd spec/dummy-rails-app
+$ bundle
+$ rails generate active_record:session_migration
+$ redis-server
+```
+
+Then in a different terminal:
+
+```
+$ cd spec/dummy-rails-app
+$ rspec
+```
+
 Before contributing, please read the [code of conduct](CODE_OF_CONDUCT.md).
 - Check out the latest master to make sure the feature hasn't been implemented
   or the bug hasn't been fixed yet.
@@ -74,11 +248,7 @@ Before contributing, please read the [code of conduct](CODE_OF_CONDUCT.md).
   want to have your own version, or is otherwise necessary, that is fine, but
   please isolate to its own commit so we can cherry-pick around it.
 
-
 ## TODO
 
  * Restricting access via `routes.rb`
- * Logout
  * Test coverage
- * Check it's OK with Ruby on Rails 6
- * Expire sessions

data/app/assets/stylesheets/balrog/gate.css

@@ -27,8 +27,7 @@ footer {
   align-self: center;
 }
 
-button {
-  -webkit-appearance: button;
+.button_background {
   overflow: visible;
   text-transform: none;
   -webkit-transition-duration: 0.4s;
@@ -39,13 +38,25 @@ button {
   font-size: 20px;
   font-family: 'Helvetica Neue', 'Helvetica', Calibri, 'Trebuchet MS', sans-serif;
   cursor: pointer;
-  padding: 8px 10px;
   border: 0;
   font-weight: 100;
   letter-spacing: 1px;
+  margin: 5px 0px;
+}
+
+button {
+  -webkit-appearance: button;
+  padding: 8px 10px;
+}
+
+.sso_button {
+  display: inline-block;
+  text-decoration: none;
+  padding: 8px 0px;
+  width: 305.438px;
 }
 
-button:hover {
+button:hover, .sso_button:hover {
   background-color: rgb(201, 41, 41);
 }
 

data/app/views/balrog/gate.html.erb

@@ -1,26 +1,17 @@
-<!doctype html>
-<html lang=en>
-<head>
-  <meta charset=utf-8>
-  <title>Login</title>
-  <%= stylesheet_link_tag "balrog/gate" %>
-</head>
-
-<body>
-
-  <section>
-    <form action='/balrog/signin' method='POST'>
-      <input autofocus type='password' name='password' placeholder='Password'>
-      <button type='submit'>Login</button>
-    </form>
-  </section>
-
-  <footer>
-    <a href="https://github.com/pixielabs/balrog" target="_blank">
-      <%= image_tag "balrog/logo.png", class: 'logo' %>
-    </a>
-  </footer>
-
-</body>
-
-</html>
+<section>
+  <div>
+    <% if show_balrog_password_prompt? %>
+      <form action='/balrog/signin' method='POST'>
+        <input autofocus type='password' name='password' placeholder='Password'>
+        <button type='submit' class="button_background">Login</button>
+      </form>
+    <% end %>
+    <% if balrog_omniauth_configured? %>
+      <%= button_to(
+        "Sign in with SSO",
+        "/auth/#{Balrog::Middleware.omniauth_config[:provider]}",
+        class: 'button_background sso_button'
+      ) %>
+    <% end %>
+  </div>
+</section>

data/app/views/layouts/balrog.html.erb

@@ -0,0 +1,22 @@
+<!doctype html>
+<html lang=en>
+<head>
+  <meta charset=utf-8>
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Login</title>
+  <%= stylesheet_link_tag "balrog/gate" %>
+</head>
+
+<body>
+
+  <%= yield %>
+
+  <footer>
+    <a href="https://github.com/pixielabs/balrog" target="_blank">
+      <%= image_tag "balrog/logo.png", class: 'logo' %>
+    </a>
+  </footer>
+
+</body>
+
+</html>

data/balrog.gemspec

@@ -24,6 +24,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "bcrypt", "~> 3.0"
+  spec.add_dependency "rails", ">=5"
 
   spec.add_development_dependency "bundler", "~> 2.0"
   spec.add_development_dependency "rake", "~> 10.0"

data/bin/console

@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby
 
 require "bundler/setup"
-require "balrog"
+require_relative "../lib/balrog"
 
 # You can add fixtures and/or initialization code here to make experimenting
 # with your gem easier. You can also use a different console, if you like.

data/lib/balrog.rb

@@ -1,6 +1,9 @@
-require_relative "balrog/version"
+require 'rails'
+
 module Balrog 
+  require_relative 'balrog/version'
   require_relative 'balrog/middleware'
+  require_relative 'balrog/routes_middleware'
   require_relative 'balrog/engine'
   require_relative 'balrog/rake_tasks'
   require_relative 'balrog/generators'

data/lib/balrog/engine.rb

@@ -1,13 +1,20 @@
-require_relative 'helpers'
-
 class Balrog::Engine < Rails::Engine
-  # Make the Balrog helpers available in any controller.
-  initializer "balrog.configure_rails_initialization" do 
+  # Make authenticate_with_balrog! available.
+  initializer "balrog.action_controller" do 
     ActiveSupport.on_load(:action_controller) do
+      require_relative 'helpers'
       include Balrog::Helpers
     end
   end
 
+  # Add balrog_logout_button as a global view helper.
+  initializer "balrog.action_view" do
+    ActiveSupport.on_load(:action_view) do
+      require_relative 'view_helpers'
+      include Balrog::ViewHelpers
+    end
+  end
+
   # Precompile the Balrog assets
   initializer "balrog.assets.precompile" do |app|
     app.config.assets.precompile += %w( 
@@ -15,4 +22,16 @@ class Balrog::Engine < Rails::Engine
       balrog/logo.png
     )
   end
+
+  # Insert Balrog into middleware stack.
+  initializer "Balrog.middleware", after: :load_config_initializers, before: :build_middleware_stack do |app|
+    # If OmniAuth configured, insert OmniAuth into middleware stack.
+    omniauth_config = Balrog::Middleware.omniauth_config
+    if omniauth_config
+      app.middleware.use OmniAuth::Builder do
+        provider omniauth_config[:provider], *omniauth_config[:args]
+      end
+    end
+    app.middleware.use Balrog::Middleware
+  end
 end

data/lib/balrog/generators.rb

@@ -1,6 +1,6 @@
 # This Railtie makes the Balrog Generators available from the command line.
 class Balrog::Generators < Rails::Railtie
   generators do
-    require File.join(File.dirname(__FILE__), 'generators', 'install_generator')
+    Dir[File.join(__dir__, 'generators', '*.rb')].each { |file| require file }
   end
 end

data/lib/balrog/generators/install_generator.rb

@@ -6,8 +6,9 @@ class Balrog::InstallGenerator < Rails::Generators::Base
   def create_initializer_file
     password_hash = PasswordHasher.encrypt_password
     contents = <<~EOF
-      Rails.application.config.middleware.use Balrog::Middleware do
-        password_hash '#{password_hash}'
+      Balrog::Middleware.setup do |config|
+        config.set_password_hash '#{password_hash}'
+        config.set_session_expiry 30.minutes
       end
     EOF
     create_file "config/initializers/balrog.rb", contents

data/lib/balrog/generators/view_generator.rb

@@ -0,0 +1,25 @@
+class Balrog::ViewGenerator < Rails::Generators::Base
+
+  desc "Copies the Balrog gate view and layout into your application, where you can edit and style them."
+  def copy_gate_view
+    gate_view = File.open(
+      File.join(__dir__, '../../../', 'app/views/balrog/gate.html.erb'),
+      'r')
+
+    content = gate_view.read
+    gate_view.close
+
+    create_file "app/views/balrog/gate.html.erb", content
+  end
+
+  def copy_layout
+    gate_view = File.open(
+      File.join(__dir__, '../../../', 'app/views/layouts/balrog.html.erb'),
+      'r')
+
+    content = gate_view.read
+    gate_view.close
+
+    create_file "app/views/layouts/balrog.html.erb", content
+  end
+end

data/lib/balrog/guard.rb

@@ -0,0 +1,24 @@
+# Contains authentication logic to check the user has been authenticated,
+# and that the session hasn't expired.
+module Balrog::Guard
+  def authenticated?(balrog_session)
+    @balrog_session = balrog_session&.with_indifferent_access
+    previously_authenticated? && still_valid?
+  end
+
+  private
+
+  # A method to check that the user has been authenticated before.
+  def previously_authenticated?
+    return false unless @balrog_session
+    @balrog_session[:value] == 'authenticated'
+  end
+
+  # A method to check that the authentication has not expired.
+  def still_valid?
+    # If the user did not set configured the Balrog session 
+    # to expire, the cookie is valid.
+    return true unless @balrog_session[:expiry_date]
+    DateTime.current < @balrog_session[:expiry_date]
+  end
+end

data/lib/balrog/helpers.rb

@@ -1,8 +1,12 @@
+require_relative 'guard'
+
 # Helpers methods are made available in all controllers by the code in engine.rb.
 module Balrog::Helpers
+  include Balrog::Guard
+
   def authenticate_with_balrog!
-    unless session[:balrog] == 'authenticated'
-      render 'balrog/gate', layout: nil
+    unless authenticated?(session[:balrog])
+      render 'balrog/gate', layout: 'balrog'
     end
   end
 end

data/lib/balrog/middleware.rb

@@ -1,4 +1,5 @@
 require 'bcrypt'
+require_relative 'middleware/controller'
 
 # Public: Balrog middleware that handles form submissions, checking the
 # password against the configured hash, and setting a session variable if
@@ -7,60 +8,73 @@ require 'bcrypt'
 # This is typically set up in an initialize when you run
 # `rails g balrog:install`, and looks a bit like this:
 #
-#    Rails.application.config.middleware.use Balrog::Middleware do
-#      password_hash '<bcrypt hash>'
-#    end
+#  Balrog::Middleware.setup do |config|
+#    config.set_password_hash '<bcrypt hash>'
+#  end
+
 class Balrog::Middleware
-  def initialize(app, &block)
+  include Controller
+
+  mattr_reader :password_hash
+  mattr_reader :session_length
+  mattr_reader :omniauth_config
+  mattr_reader :domain_whitelist
+
+  def initialize(app)
     @app = app
-    instance_eval(&block) if block_given?
   end
 
   def call(env)
     path = env["PATH_INFO"]
     method = env["REQUEST_METHOD"]
-    if method == 'POST' && path == '/balrog/signin'
-      handle_login(env)
+    if login_request?(path, method)
+      password_login(env)
+    elsif omniauth_request?(path, method)
+      omniauthentication(env)
+    elsif logout_request?(path, method)
+      logout(env)
     else
       @app.call(env)
     end
   end
 
-  private
-
-  def password_hash(input)
-    @password_hash = BCrypt::Password.new(input)
+  def self.setup
+    yield self
   end
 
-  def handle_login(env)
-    if env['rack.request.form_hash']
-      submitted_password = env['rack.request.form_hash']['password']
-    end
-
-    unless submitted_password
-      return [302, {"Location" => referer}, [""]]
-    end
+  private
 
-    unless @password_hash
-      warn <<~EOF
+  def self.set_password_hash(input)
+    @@password_hash = BCrypt::Password.new(input)
+  end
 
-        !! Balrog has not been configured with a password_hash. You shall not
-        !! pass! When adding Balrog::Middleware to your middleware stack, pass
-        !! in a block and call `password_hash` passing in a bcrypt hash.
-        !!
-        !! Check out https://github.com/pixielabs/balrog for more information.
+  def self.set_omniauth(provider, *args)
+    @@omniauth_config = {
+      provider: provider,
+      args: args
+    }
+  end
 
-      EOF
-    end
+  def self.set_domain_whitelist(*domains)
+    @@domain_whitelist = domains
+  end
 
-    if @password_hash == submitted_password
-      env['rack.session'][:balrog] = 'authenticated'
-    end
+  def self.set_session_expiry(time_period)
+    @@session_length = time_period
+  end
 
-    referer = env["HTTP_REFERER"] || '/'
+  def login_request?(path, method)
+    method == 'POST' && path == '/balrog/signin'
+  end
 
-    [302, {"Location" => referer}, [""]]
+  def omniauth_request?(path, method)
+    omniauth_config &&
+      method == "GET" &&
+      path == "/auth/#{omniauth_config[:provider]}/callback"
   end
 
+  def logout_request?(path, method)
+    method == "DELETE" && path == '/balrog/logout'
+  end
 end
 

data/lib/balrog/middleware/controller.rb

@@ -0,0 +1,106 @@
+# Methods that are called in response to specific application requests.
+class Balrog::Middleware
+  module Controller
+
+    # This method is called if a user attempts to sign in with a password
+    # and will authenticate the user if the password is correct.
+    def password_login(env)
+      # Extract the submitted_password from the rack request hash.
+      if env['rack.request.form_hash']
+        submitted_password = env['rack.request.form_hash']['password']
+      end
+
+      # If there is no submitted_password, redirect the user before authentication.
+      unless submitted_password
+        return [302, {"Location" => referer}, [""]]
+      end
+
+      # If there is no password_hash, alert the developer.
+      unless password_hash
+        warn <<~EOF
+
+          !! Balrog has not been configured with a password_hash. You shall not
+          !! pass! When adding Balrog::Middleware to your middleware stack, pass
+          !! in a block and call `password_hash` passing in a bcrypt hash.
+          !!
+          !! Check out https://github.com/pixielabs/balrog for more information.
+
+        EOF
+      end
+
+      # Authenticate the user if the submitted_password matches the password_hash.
+      if password_hash == submitted_password
+        authenticate_user(env)
+      end
+
+      referer = env["HTTP_REFERER"] || '/'
+
+      [302, {"Location" => referer}, [""]]
+    end
+
+
+    # This method is called if a user attempts to sign in with Single Sign-on
+    # and will authenticate the user if email domain has been whitelisted.
+    def omniauthentication(env)
+      # Extract the email domain from the omniauth hash.
+      if env['omniauth.auth']['info']['email']
+        user_email = env['omniauth.auth']['info']['email']
+        email_domain = user_email.split("@").last
+      end
+      
+      # If there is no email domain, redirect the user before authentication.
+      unless email_domain
+        return [302, {"Location" => referer}, [""]]
+      end
+
+      # If there is no domain_whitelist, alert the developer.
+      unless domain_whitelist
+        warn <<~EOF
+
+          !! Balrog has not been configured with a domain_whitelist. You shall not
+          !! pass! When setting up Balrog::Middleware, pass in a block and
+          !! call `set_domain_whitelist` passing in an omniauth provider and
+          !! required keys.
+          !!
+          !! Check out https://github.com/pixielabs/balrog for more information.
+
+        EOF
+        return [302, {"Location" => referer}, [""]]
+      end
+
+      # Authenticate the user if the user's email domain is whitelisted.
+      if domain_whitelist.include?(email_domain)
+        authenticate_user(env)
+      end
+
+      referer = env["omniauth.origin"] || '/'
+
+      [302, {"Location" => referer}, [""]]
+    end
+
+
+    # This method is called if a user logs out using a balrog logout button.
+    # It will achieve this by removing all balrog data from the session.
+    def logout(env)
+      env['rack.session'].delete(:balrog)
+      [302, {"Location" => '/'}, [""]]
+    end
+
+    private
+
+    # This method marks the user as 'authenicated'.
+    def authenticate_user(env)
+      session_data = { value: 'authenticated' }
+      add_expiry_date!(session_data)
+      env['rack.session'][:balrog] = session_data
+    end
+
+    # If the user configured the Balrog session to expire, add the 
+    # expiry_date to the Balrog session.
+    def add_expiry_date!(session_data)
+      if session_length
+        session_data[:expiry_date] = DateTime.current + session_length
+      end
+    end
+  end
+end

data/lib/balrog/routes_middleware.rb

@@ -0,0 +1,30 @@
+require_relative 'guard'
+
+# Public: Balrog routes middleware that redirects the user to a security
+# gate unless the session includes { 'balrog' => 'authenticated' }.
+# 
+# In order to protect SideKiq Web you would do something like this: 
+#
+# require 'sidekiq/web'
+#
+# Sidekiq::Web.disable(:sessions)
+# Sidekiq::Web.use Balrog::RoutesMiddleware
+#
+# mount Sidekiq::Web => '/sidekiq'
+
+class Balrog::RoutesMiddleware
+  include Balrog::Guard
+
+  def initialize(app)
+    @app = app
+  end
+
+  def call(env)
+    unless authenticated?(env['rack.session']['balrog'])
+      html = ApplicationController.renderer.render 'balrog/gate', layout: 'balrog'
+      return [200, {"Content-Type" => "text/html"}, [html]]  
+    end
+    @app.call(env)
+  end
+end
+

data/lib/balrog/version.rb

@@ -1,3 +1,3 @@
 module Balrog
-  VERSION = "0.1.0"
+  VERSION = "2.0.1"
 end

data/lib/balrog/view_helpers.rb

@@ -0,0 +1,24 @@
+# ViewHelpers methods are made available in all views by the code in engine.rb.
+module Balrog::ViewHelpers
+  def balrog_logout_button(options = nil, html_options = nil)
+    name = 'Logout'
+    html_options ||= {}
+    html_options[:method] = 'delete'
+
+    if options.is_a?(String)
+      name = options
+    elsif options.is_a?(Hash)
+      html_options = html_options.merge(options)
+    end 
+
+    button_to(name, '/balrog/logout', html_options)
+  end
+
+  def show_balrog_password_prompt?
+    !!Balrog::Middleware.password_hash || !Balrog::Middleware.omniauth_config
+  end
+
+  def balrog_omniauth_configured?
+    !!Balrog::Middleware.omniauth_config
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: balrog
 version: !ruby/object:Gem::Version
-  version: 0.1.0
+  version: 2.0.1
 platform: ruby
 authors:
 - Pixie Labs
-autorequire: 
+autorequire:
 bindir: exe
 cert_chain: []
-date: 2019-04-01 00:00:00.000000000 Z
+date: 2020-09-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bcrypt
@@ -24,6 +24,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '3.0'
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -74,9 +88,11 @@ executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".circleci/config.yml"
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
+- CHANGELOG.md
 - CODE_OF_CONDUCT.md
 - Gemfile
 - Gemfile.lock
@@ -86,6 +102,7 @@ files:
 - app/assets/images/balrog/logo.png
 - app/assets/stylesheets/balrog/gate.css
 - app/views/balrog/gate.html.erb
+- app/views/layouts/balrog.html.erb
 - balrog.gemspec
 - bin/console
 - bin/setup
@@ -93,17 +110,22 @@ files:
 - lib/balrog/engine.rb
 - lib/balrog/generators.rb
 - lib/balrog/generators/install_generator.rb
+- lib/balrog/generators/view_generator.rb
+- lib/balrog/guard.rb
 - lib/balrog/helpers.rb
 - lib/balrog/middleware.rb
+- lib/balrog/middleware/controller.rb
 - lib/balrog/password_hasher.rb
 - lib/balrog/rake_tasks.rb
+- lib/balrog/routes_middleware.rb
 - lib/balrog/tasks/generate_hash.rake
 - lib/balrog/version.rb
+- lib/balrog/view_helpers.rb
 homepage: https://github.com/pixielabs/balrog
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -118,8 +140,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.2
-signing_key: 
+rubygems_version: 3.0.3
+signing_key:
 specification_version: 4
 summary: An alternative to HTTP basic auth
 test_files: []