bowtie-io 1.0.9 → 1.0.10

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 2987e1107e9d726edcbb60495a4be2befad6bf18
-  data.tar.gz: 34e884d22998a46cce60242c80fb098b59194aae
+  metadata.gz: b07ca123fc9b68ead6a3dd5c5a918dbc622f517d
+  data.tar.gz: 5adb7f910c10e14cb2cf82180c9fc2b628ac480d
 SHA512:
-  metadata.gz: a56993e3f15c799905feaee1436abbbaf3785df79f8259e3f48cb4d4551730532e7da1cd6abef3bb1816150742c6df019aae305cb69c0119c682b7329a139aef
-  data.tar.gz: 4b6d57854d16a7c5af4b44bcb1d65068164b6a8aa69be03c39df1634a5442913fbb43bbc31db8345a28ebaab4fc5a9132d01728fb95ecab64a32b2078d5a449e
+  metadata.gz: 19237df1aefb5f8d1291b31939135db3f86828219b1d5f7831ff698b9e4db7ba12e8086589c1ab609fcc71f985653246dd9197bab4fd3f3a27f8239c90d17a48
+  data.tar.gz: 8e6940e20ff58f6b9610d6bc87dc60447e4fc86e89c672e4d8c386614a31ade8c13528787c70be2c8373338238a7696589b52826ebaa473c1cc558a1e8ca13ce

data/lib/bowtie.rb

@@ -3,12 +3,15 @@ require 'json'
 require 'jekyll'
 require 'rack'
 require 'rack/streaming_proxy'
+require 'restclient'
 
 module Bowtie
   module Middleware
-    autoload :Proxy,    'bowtie/middleware/proxy'
-    autoload :Static,   'bowtie/middleware/static'
-    autoload :Rewrite,  'bowtie/middleware/rewrite'
+    autoload :Proxy       , 'bowtie/middleware/proxy'
+    autoload :Static      , 'bowtie/middleware/static'
+    autoload :Rewrite     , 'bowtie/middleware/rewrite'
+    autoload :PolicyCheck , 'bowtie/middleware/policy_check'
+    autoload :Session     , 'bowtie/middleware/session'
   end
 
   autoload :Settings,  'bowtie/settings'
@@ -17,3 +20,4 @@ end
 
 require 'bowtie/command'
 require 'bowtie/commands/serve'
+require 'bowtie/errors'

data/lib/bowtie/commands/serve.rb

@@ -17,6 +17,8 @@ module Bowtie
         end
 
         def process(options)
+          Bowtie::Middleware::PolicyCheck.watch!
+
           Rack::Server.start(app: application(options),
                              Port: options['port'] || 4000,
                              Host: options['host'],
@@ -30,10 +32,14 @@ module Bowtie
           Rack::Builder.new do
             use Rack::CommonLogger
             use Rack::ShowExceptions
+            use Rack::Session::Cookie, key: 'client.session',
+              secret: '_bowtie_client_local'
+
             use Bowtie::Middleware::Rewrite, options
 
             # User management provided by BowTie /users/*
             map '/users' do
+              use Bowtie::Middleware::Session
               use Bowtie::Middleware::Proxy
             end
 
@@ -42,6 +48,9 @@ module Bowtie
               use Bowtie::Middleware::Proxy
             end
 
+            # Policy checks
+            use Bowtie::Middleware::PolicyCheck
+
             # Static file server
             use Bowtie::Middleware::Static, urls: [''],
               root: options['destination'],

data/lib/bowtie/errors.rb

@@ -0,0 +1,7 @@
+module Bowtie
+  class ProjectSecretKeyMissing < RuntimeError
+    def initialize(msg='You need "project": { "secret_key": "XYZ" } defined in `settings.json`')
+      super
+    end
+  end
+end

data/lib/bowtie/middleware/policy_check.rb

@@ -0,0 +1,250 @@
+# Checks .bowtie.yml policy definitions to permit or deny access
+# to the requested resource.
+
+require 'listen'
+
+module Bowtie::Middleware
+  class PolicyCheck
+    def self.watch!
+      source = Jekyll.configuration['source']
+
+      # Initialize our policies with current source
+      Policy.load_policies!(source)
+
+      # Watch for policy file changes and reload policies on change
+      Listen.to(source, only: /\.bowtie\.yml/){
+        begin
+          Policy.load_policies!(source)
+        rescue => e
+          puts e.inspect
+          puts e.backtrace.join("\n")
+        end
+      }.start
+    end
+
+    def initialize(app)
+      @app               = app
+
+    end
+
+    def call(env)
+      rack_request = Rack::Request.new(env)
+      status, headers, response = @app.call(env)
+
+      if Policy.permits?(rack_request)
+        [status, headers, response]
+      else
+        [403, {}, ["Request not permitted by defined policies"]]
+      end
+    end
+
+    private
+    module Loader
+      extend self
+
+      CONFIG_FILE_NAME   = '.bowtie.yml'
+      CONFIG_BLOCK_KEY   = 'permits'
+      CONFIG_METHODS_KEY = 'method'
+      CONFIG_PLANS_KEY   = 'plans'
+      CONFIG_PATH_KEY    = 'path'
+      CONFIG_PROFILE_KEY = 'profile'
+
+      def branch; 'development' end
+
+      def policy_records(source)
+        records = Dir["#{source}/**/.bowtie.yml"].collect { |path|
+          policy_records_for_path(path.gsub(source, ''), File.read(path))
+        }.compact.flatten
+
+        records << default_permit_all if records.length == 0
+
+        records
+      end
+
+      def default_permit_all
+        Policy.new(branch,
+                   '',
+                   nil,
+                   nil,
+                   0,
+                   nil)
+      end
+
+      def policy_records_for_path(path, content)
+        base_path = path.gsub(CONFIG_FILE_NAME, '')
+        base_path = "/#{base_path}" unless base_path.start_with? '/'
+        base_path = base_path[0..-2] if base_path.end_with? '/'
+
+        branch_config = YAML.load(content)[branch] || {}
+
+        permitted_section_configs = branch_config[CONFIG_BLOCK_KEY] || []
+        permitted_section_configs = [permitted_section_configs] unless permitted_section_configs.is_a? Array
+
+        policy_records_from_permitted_section_configs(base_path, permitted_section_configs)
+      end
+
+      def policy_records_from_permitted_section_configs(base_path, configs)
+        records = []
+
+        configs.each do |config|
+          records += policy_records_from_permitted_section_config(base_path, config)
+        end
+
+        return records
+      end
+
+      def policy_records_from_permitted_section_config(base_path, config)
+        path_extension = config[CONFIG_PATH_KEY]
+        path_extension = path_extension[1..-1] if path_extension && path_extension.start_with?('/')
+
+        policy_path = [base_path, path_extension].compact.join('/')
+
+        methods = methods_from_permitted_section_config(config)
+        plans   = plans_from_permitted_section_config(config)
+        profile_restrictions = profile_restrictions_from_permitted_section_config(config)
+
+        records = []
+
+        methods.each do |method|
+          plans.each do |plan|
+            records << Policy.new(branch,
+                                  policy_path,
+                                  method,
+                                  plan,
+                                  policy_path.length,
+                                  profile_restrictions)
+          end
+        end
+
+        return records
+      end
+
+      def methods_from_permitted_section_config(config)
+        method_config = config[CONFIG_METHODS_KEY]
+
+        if method_config.nil? || method_config == '*'
+          [nil]
+        else
+          if method_config.is_a? Array
+            method_config.map(&:upcase)
+          elsif method_config.is_a? String
+            [method_config].map(&:upcase)
+          else
+            []
+          end
+        end
+      end
+
+      def plans_from_permitted_section_config(config)
+        plan_config = config[CONFIG_PLANS_KEY]
+
+        if plan_config.nil? || plan_config == '*'
+          [nil]
+        else
+          if plan_config.is_a? Array
+            plan_config
+          else
+            [plan_config]
+          end
+        end
+      end
+
+      def profile_restrictions_from_permitted_section_config(config)
+        _profile_restrictions_config = config[CONFIG_PROFILE_KEY]
+      end
+
+    end
+
+    Policy = Struct.new(:branch,
+                        :path,
+                        :request_method,
+                        :plan,
+                        :weight,
+                        :profile_restrictions) do
+      class << self
+        attr_reader :all
+
+        def load_policies!(source)
+          @all = Loader.policy_records(source)
+        end
+
+        def permits?(rack_request)
+          policies = applicable_for(rack_request)
+
+          # When there's no applicable policy, the request is not permitted
+          return false if policies.length == 0
+
+          !!policies.detect { |policy|
+            policy.permits?(rack_request)
+          }
+        end
+
+        def applicable_for(rack_request)
+          applicable_to_request = all.select { |policy|
+            policy.branch == 'development' &&
+              rack_request.path.start_with?(policy.path)
+          }.sort_by!(&:weight).reverse
+
+          heaviest = applicable_to_request.first
+
+          applicable_to_request.select { |policy|
+            policy.weight >= heaviest.weight
+          }
+        end
+      end
+
+      def permits?(rack_request)
+        request_method_permitted?(rack_request) &&
+          plan_permitted?(rack_request) &&
+          profile_permitted?(rack_request)
+      end
+
+      private
+      def request_method_permitted?(rack_request)
+        request_method.nil? ||
+          request_method == rack_request.request_method
+      end
+
+      def plan_permitted?(rack_request)
+        plan.nil? ||
+          (rack_request.env['rack.session']['user']['stripe_plan_id'] rescue nil) == plan
+      end
+
+      def profile_permitted?(rack_request)
+        if profile_restrictions.nil?
+          true
+        else
+          profile_restrictions.each do |scope,values|
+            profile = user_profile(rack_request, scope)
+            return false if profile.nil?
+
+            values.each do |key, value|
+              return false if profile[key] != value
+            end
+          end
+
+          return true
+        end
+      end
+
+      def user_profile(rack_request, scope)
+        user_id = rack_request.env['rack.session']['user']['id'] rescue nil
+        return nil if user_id.nil?
+
+        response = RestClient.get(user_profile_endpoint_url(user_id, scope))
+        JSON.parse(response.body)
+      end
+
+      def user_profile_endpoint_url(user_id, scope)
+        secret_key = Bowtie::Settings['project']['secret_key']
+        raise SecretKeyMissingError.new if secret_key.nil?
+
+        URI::HTTPS.build(host: Bowtie::Settings['project']['fqdn']['development'],
+                         userinfo: "#{Bowtie::Settings['project']['secret_key']}:",
+                         path: "/bowtie/api/users/#{user_id}/profile.json",
+                         query: "scope=#{scope}").to_s
+      end
+    end
+  end
+end
+

data/lib/bowtie/middleware/session.rb

@@ -0,0 +1,17 @@
+module Bowtie::Middleware
+  class Session
+    def initialize(app)
+      @app = app
+    end
+
+    def call(env)
+      status, headers, response = @app.call(env)
+
+      if headers['X-Bowtie-Client-Session']
+        env['rack.session']['user'] = JSON.parse(headers['X-Bowtie-Client-Session'])
+      end
+
+      [status, headers, response]
+    end
+  end
+end

data/lib/bowtie/version.rb

@@ -1,3 +1,3 @@
 module Bowtie
-  VERSION = '1.0.9'
+  VERSION = '1.0.10'
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: bowtie-io
 version: !ruby/object:Gem::Version
-  version: 1.0.9
+  version: 1.0.10
 platform: ruby
 authors:
 - James Kassemi
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-07-24 00:00:00.000000000 Z
+date: 2015-07-29 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: jekyll
@@ -52,6 +52,20 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '2.0'
+- !ruby/object:Gem::Dependency
+  name: rest-client
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.8.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.8.0
 - !ruby/object:Gem::Dependency
   name: sass
   requirement: !ruby/object:Gem::Requirement
@@ -78,8 +92,11 @@ files:
 - lib/bowtie.rb
 - lib/bowtie/command.rb
 - lib/bowtie/commands/serve.rb
+- lib/bowtie/errors.rb
+- lib/bowtie/middleware/policy_check.rb
 - lib/bowtie/middleware/proxy.rb
 - lib/bowtie/middleware/rewrite.rb
+- lib/bowtie/middleware/session.rb
 - lib/bowtie/middleware/static.rb
 - lib/bowtie/settings.rb
 - lib/bowtie/version.rb