bunto-auth 2.1.0

data/lib/bunto_auth/auth_site.rb

@@ -0,0 +1,42 @@
+class BuntoAuth
+  class AuthSite < Sinatra::Base
+    configure :production do
+      require "rack-ssl-enforcer"
+      use Rack::SslEnforcer if BuntoAuth.ssl?
+    end
+
+    use Rack::Session::Cookie,       :http_only => true,
+                                     :secret    => ENV["SESSION_SECRET"] || SecureRandom.hex
+
+    set :github_options, :scopes => "read:org"
+
+    ENV["WARDEN_GITHUB_VERIFIER_SECRET"] ||= SecureRandom.hex
+    register Sinatra::Auth::Github
+
+    use Rack::Logger
+
+    include BuntoAuth::Helpers
+
+    before do
+      pass if whitelisted?
+
+      logger.info "Authentication strategy: #{authentication_strategy}"
+
+      case authentication_strategy
+      when :team
+        github_team_authenticate! ENV["GITHUB_TEAM_ID"]
+      when :teams
+        github_teams_authenticate! ENV["GITHUB_TEAM_IDS"].split(",")
+      when :org
+        github_organization_authenticate! ENV["GITHUB_ORG_NAME"]
+      else
+        raise BuntoAuth::ConfigError
+      end
+    end
+
+    get "/logout" do
+      logout!
+      redirect "/"
+    end
+  end
+end

data/lib/bunto_auth/bunto_site.rb

@@ -0,0 +1,13 @@
+class BuntoAuth
+  class BuntoSite < Sinatra::Base
+    register Sinatra::Index
+    set :public_folder, File.expand_path("_site", Dir.pwd)
+    use_static_index "index.html"
+
+    not_found do
+      status 404
+      four_oh_four = File.expand_path("_site/404.html", Dir.pwd)
+      File.read(four_oh_four) if File.exist?(four_oh_four)
+    end
+  end
+end

data/lib/bunto_auth/commands.rb

@@ -0,0 +1,72 @@
+class BuntoAuth
+  class Commands
+    FILES = %w(Rakefile config.ru .gitignore .env).freeze
+    VARS  = %w(client_id client_secret team_id org_name).freeze
+
+    def self.source
+      @source ||= File.expand_path("../../templates", File.dirname(__FILE__))
+    end
+
+    def self.destination
+      @destination ||= Dir.pwd
+    end
+
+    def self.changed?
+      !execute_command("git", "status", destination, "--porcelain").empty?
+    rescue
+      false
+    end
+
+    def self.execute_command(*args)
+      output, status = Open3.capture2e(*args)
+      raise "Command `#{args.join(" ")}` failed: #{output}" unless status.exitstatus.zero?
+      output
+    end
+
+    def self.copy_templates
+      FILES.each do |file|
+        if File.exist? "#{destination}/#{file}"
+          puts "* #{destination}/#{file} already exists... skipping."
+        else
+          puts "* creating #{destination}/#{file}"
+          FileUtils.cp "#{source}/#{file}", "#{destination}/#{file}"
+        end
+      end
+    end
+
+    def self.team_id(org, team)
+      client = Octokit::Client.new :access_token => ENV["GITHUB_TOKEN"]
+      client.auto_paginate = true
+      teams = client.organization_teams org
+      found = teams.find { |t| t[:slug] == team }
+      found[:id] if found
+    end
+
+    def self.env_var_set?(var)
+      !ENV[var].to_s.blank?
+    end
+
+    def self.init_repo
+      execute_command "git", "init", destination
+      FILES.each do |file|
+        next if file == ".env"
+        execute_command("git", "add", "--", "#{destination}/#{file}")
+      end
+    end
+
+    def self.initial_commit
+      execute_command "git", "commit", "-m", "'[Bunto Auth] Initial setup'"
+    end
+
+    def self.heroku_remote_set?
+      remotes = execute_command "git", "remote", "-v"
+      !!(remotes =~ %r!^heroku\s!)
+    end
+
+    def self.configure_heroku(options)
+      VARS.each do |var|
+        execute_command "heroku", "config:set", "GITHUB_#{var.upcase}=#{options[var]}" if options[var]
+      end
+    end
+  end
+end

data/lib/bunto_auth/config.rb

@@ -0,0 +1,23 @@
+class BuntoAuth
+  def self.config_file
+    File.join(Dir.pwd, "_config.yml")
+  end
+
+  def self.config
+    @config ||= begin
+      config = YAML.safe_load_file(config_file)
+      config["bunto_auth"] || {}
+    rescue
+      {}
+    end
+  end
+
+  def self.whitelist
+    whitelist = BuntoAuth.config["whitelist"]
+    Regexp.new(whitelist.join("|")) unless whitelist.nil?
+  end
+
+  def self.ssl?
+    !!BuntoAuth.config["ssl"]
+  end
+end

data/lib/bunto_auth/config_error.rb

@@ -0,0 +1,7 @@
+class BuntoAuth
+  class ConfigError < RuntimeError
+    def message
+      "Bunto Auth is refusing to serve your site because your oauth credentials are not properly configured."
+    end
+  end
+end

data/lib/bunto_auth/helpers.rb

@@ -0,0 +1,18 @@
+class BuntoAuth
+  module Helpers
+    def whitelisted?
+      return true if request.path_info == "/logout"
+      !!(BuntoAuth.whitelist && BuntoAuth.whitelist.match(request.path_info))
+    end
+
+    def authentication_strategy
+      if !ENV["GITHUB_TEAM_ID"].to_s.blank?
+        :team
+      elsif !ENV["GITHUB_TEAM_IDS"].to_s.blank?
+        :teams
+      elsif !ENV["GITHUB_ORG_NAME"].to_s.blank?
+        :org
+      end
+    end
+  end
+end

data/lib/bunto_auth/sinatra/auth/github.rb

@@ -0,0 +1,13 @@
+module Sinatra
+  module Auth
+    module Github
+      module Helpers
+        # Like the native github_team_authenticate! but accepts an array of team ids
+        def github_teams_authenticate!(teams)
+          authenticate!
+          halt([401, "Unauthorized User"]) unless teams.any? { |team_id| github_team_access?(team_id) }
+        end
+      end
+    end
+  end
+end

data/lib/bunto_auth/version.rb

@@ -0,0 +1,3 @@
+class BuntoAuth
+  VERSION = "2.1.0".freeze
+end

data/script/bootstrap

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+echo "Let's get set up here..."
+bundle install
+echo "Boom."

data/script/cibuild

@@ -0,0 +1,13 @@
+#!/bin/sh
+# Test that all dependencies resolve, and that the thing actually fires
+
+set -e
+
+export GITHUB_CLIENT_ID=FOO
+export GITHUB_CLIENT_SECRET=BAR
+export GITHUB_ORG_NAME="bunto"
+
+bundle exec rake spec
+bundle exec rubocop
+bundle exec gem build bunto-auth.gemspec
+bundle exec bunto-auth --version

data/script/console

@@ -0,0 +1 @@
+bundle exec pry -r "./lib/bunto-auth"

data/script/release

@@ -0,0 +1,38 @@
+#!/bin/sh
+# Tag and push a release.
+
+set -e
+
+# Make sure we're in the project root.
+
+cd $(dirname "$0")/..
+
+# Build a new gem archive.
+
+rm -rf bunto-auth-*.gem
+gem build -q bunto-auth.gemspec
+
+# Make sure we're on the master branch.
+
+(git branch | grep -q '* master') || {
+  echo "Only release from the master branch."
+  exit 1
+}
+
+# Figure out what version we're releasing.
+
+tag=v`ls bunto-auth-*.gem | sed 's/^bunto-auth-\(.*\)\.gem$/\1/'`
+
+# Make sure we haven't released this version before.
+
+git fetch -t origin
+
+(git tag -l | grep -q "$tag") && {
+  echo "Whoops, there's already a '${tag}' tag."
+  exit 1
+}
+
+# Tag it and bag it.
+
+gem push bunto-auth-*.gem && git tag "$tag" &&
+  git push origin master && git push origin "$tag"

data/script/server

@@ -0,0 +1,3 @@
+#! /bin/sh
+
+bundle exec rake site

data/script/setup

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+bundle exec bunto-auth setup

data/spec/bunto_auth_auth_site_spec.rb

@@ -0,0 +1,74 @@
+require "spec_helper"
+
+describe "logged in user" do
+  include Rack::Test::Methods
+
+  def app
+    BuntoAuth.site
+  end
+
+  before(:each) do
+    setup_tmp_dir
+    @user = make_user("login" => "buntotest")
+    login_as @user
+
+    ENV["GITHUB_ORG_NAME"] = "balter-test-org"
+
+    stub_request(:get, "https://api.github.com/orgs/#{ENV["GITHUB_ORG_NAME"]}/members/buntotest")
+      .to_return(:status => 200)
+  end
+
+  it "shows the securocat when github returns an oauth error" do
+    get "/auth/github/callback?error=redirect_uri_mismatch"
+    expect(last_response.body).to match(%r!securocat\.png!)
+  end
+
+  it "logs the user out" do
+    get "/logout"
+    expect(last_response.status).to eql(302)
+    expect(last_response.headers["Location"]).to eql("http://example.org/")
+
+    get "/"
+    expect(last_response.status).to eql(302)
+    expect(last_response.headers["Location"]).to match(%r!^https://github\.com/login/oauth/authorize!)
+  end
+end
+
+describe "logged out user" do
+  include Rack::Test::Methods
+
+  def app
+    BuntoAuth.site
+  end
+
+  before do
+    ENV["GITHUB_ORG_NAME"] = "balter-test-org"
+  end
+
+  it "doesn't let you view indexes" do
+    get "/"
+    expect(last_response.status).to eql(302)
+    expect(last_response.headers["Location"]).to match(%r!^https://github\.com/login/oauth/authorize!)
+
+    get "/some_dir"
+    expect(last_response.status).to eql(302)
+    expect(last_response.headers["Location"]).to match(%r!^https://github\.com/login/oauth/authorize!)
+  end
+
+  it "doesn't let you view files" do
+    get "/index.html"
+    expect(last_response.status).to eql(302)
+    expect(last_response.headers["Location"]).to match(%r!^https://github\.com/login/oauth/authorize!)
+
+    get "/some_dir/index.html"
+    expect(last_response.status).to eql(302)
+    expect(last_response.headers["Location"]).to match(%r!^https://github\.com/login/oauth/authorize!)
+  end
+
+  it "refuses to serve the site without an authentication strategy" do
+    ENV["GITHUB_ORG_NAME"] = nil
+    ENV["GITHUB_TEAM_ID"] = nil
+    ENV["GITHUB_TEAMS_ID"] = nil
+    expect { get "/" }.to raise_error(BuntoAuth::ConfigError)
+  end
+end

data/spec/bunto_auth_bin_spec.rb

@@ -0,0 +1,43 @@
+require "spec_helper"
+
+describe "bin" do
+  before(:each) do
+    setup_tmp_dir
+  end
+
+  it "spits out the help do" do
+    env = { "GITHUB_TOKEN" => nil }
+    output = execute_bin(env, "--help")
+    expect(output).to match(%r!A simple way to use Github OAuth to serve a protected bunto site to your GitHub organization!)
+  end
+
+  describe "team id" do
+    it "errors if no token is given" do
+      env = { "GITHUB_TOKEN" => nil }
+      expect { execute_bin(env, "team_id", "--org", "balter-test-org", "--team", "1") }.to raise_error(RuntimeError)
+        .with_message(%r!prefix the bunto-auth command with GITHUB_TOKEN!)
+    end
+
+    it "errors if no team_id or org_name is given" do
+      env = { "GITHUB_TOKEN" => "1234" }
+      expect { execute_bin(env, "team_id") }.to raise_error(RuntimeError)
+        .with_message(%r!An org name and team ID are required!)
+    end
+  end
+
+  it "initializes a new site" do
+    `git init`
+    `git add .`
+    `git commit -m 'initial commit'`
+    execute_bin({ "RACK_ENV" => "TEST" }, "new")
+    expect(File).to exist("#{tmp_dir}/config.ru")
+    expect(File).to exist("#{tmp_dir}/Rakefile")
+    expect(File).to exist("#{tmp_dir}/.gitignore")
+    expect(File).to exist("#{tmp_dir}/.env")
+  end
+
+  it "builds the site" do
+    execute_bin({}, "build")
+    expect(File).to exist("#{tmp_dir}/_site/index.html")
+  end
+end

data/spec/bunto_auth_bunto_site_spec.rb

@@ -0,0 +1,43 @@
+require "spec_helper"
+
+describe "bunto site" do
+  include Rack::Test::Methods
+
+  def app
+    BuntoAuth::BuntoSite
+  end
+
+  before do
+    setup_tmp_dir
+    File.write File.expand_path("_config.yml", tmp_dir), "foo: bar"
+    `bundle exec bunto build`
+  end
+
+  it "serves the index" do
+    get "/"
+    expect(last_response.body).to eql("My awesome site")
+  end
+
+  it "serves a page" do
+    get "/index.html"
+    expect(last_response.body).to eql("My awesome site")
+  end
+
+  it "serves a directory index" do
+    get "/some_dir"
+    expect(last_response.body).to eql("My awesome directory")
+  end
+
+  it "serves the default 404" do
+    get "/a-bad-path"
+    expect(last_response.status).to eql(404)
+    expect(last_response.body).to eql("<h1>Not Found</h1>")
+  end
+
+  it "serves a custom 404" do
+    File.write File.expand_path("_site/404.html", tmp_dir), "My custom 404"
+    get "/a-bad-path"
+    expect(last_response.status).to eql(404)
+    expect(last_response.body).to eql("My custom 404")
+  end
+end

data/spec/bunto_auth_commands_spec.rb

@@ -0,0 +1,75 @@
+require "spec_helper"
+
+describe "commands" do
+  before do
+    setup_tmp_dir
+  end
+
+  it "should find the template directory" do
+    expect(File.directory?(BuntoAuth::Commands.source)).to eql(true)
+    expect(File).to exist("#{BuntoAuth::Commands.source}/config.ru")
+  end
+
+  it "should know the destination directory" do
+    expect(BuntoAuth::Commands.destination).to eql(tmp_dir)
+  end
+
+  it "should execute a command" do
+    expect(BuntoAuth::Commands.execute_command("ls")).to match(%r!index\.html!)
+  end
+
+  it "should retrieve a team's ID" do
+    stub_request(:get, "https://api.github.com/orgs/batler-test-org/teams?per_page=100")
+      .to_return(:status => 204, :body => [{ :slug => "test-team", :id => 1 }])
+    expect(BuntoAuth::Commands.team_id("batler-test-org", "test-team")).to eql(1)
+  end
+
+  it "should copy the template files" do
+    expect(File).to_not exist("#{tmp_dir}/config.ru")
+    BuntoAuth::Commands.copy_templates
+    expect(File).to exist("#{tmp_dir}/config.ru")
+    expect(File).to exist("#{tmp_dir}/Rakefile")
+    expect(File).to exist("#{tmp_dir}/.gitignore")
+  end
+
+  it "should know when a directory's changed" do
+    `git init`
+    `git add .`
+    `git commit -m 'initial commit'`
+    expect(BuntoAuth::Commands.changed?).to eql(false)
+    `touch config.ru`
+    expect(BuntoAuth::Commands.changed?).to eql(true)
+  end
+
+  it "knows when env vars are set" do
+    var = "SOME_ENV_VAR"
+
+    ENV.delete(var)
+    expect(BuntoAuth::Commands.env_var_set?(var)).to eql(false)
+
+    ENV[var] = "bar"
+    expect(BuntoAuth::Commands.env_var_set?(var)).to eql(true)
+
+    ENV[var] = ""
+    expect(BuntoAuth::Commands.env_var_set?(var)).to eql(false)
+
+    ENV[var] = nil
+    expect(BuntoAuth::Commands.env_var_set?(var)).to eql(false)
+  end
+
+  it "knows when there's a heroku remote" do
+    `git init`
+    expect(BuntoAuth::Commands.heroku_remote_set?).to eql(false)
+    `git remote add heroku https://example.com`
+    expect(BuntoAuth::Commands.heroku_remote_set?).to eql(true)
+  end
+
+  it "should make an initial commit" do
+    `git init`
+    `touch foo.md`
+    `git add foo.md`
+    BuntoAuth::Commands.initial_commit
+    output = BuntoAuth::Commands.execute_command "git", "log"
+    expect(output).to match(%r!\[Bunto Auth\] Initial setup!)
+  end
+end