ehsso 0.5.0 → 0.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/.github/workflows/{ci.yml → 01_test.yml} +5 -17
- data/.github/workflows/{cd.yml → 02_release.yml} +5 -6
- data/CHANGELOG.md +4 -0
- data/LICENSE +21 -0
- data/README.md +143 -11
- data/ehsso.gemspec +2 -2
- data/lib/ehsso/version.rb +1 -1
- metadata +10 -9
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: d41ec655415b6806e4294ff6e28d4b4a178b9dd88aca2662cf8dfdb7382e5324
|
|
4
|
+
data.tar.gz: e659665ea07cd9e34ef5390222f874265fe964fd58dc45cd3416c4134dd25791
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 31ef14c4188888bbfb01fa4dd73469a16346703f554eb59f365deacc047204b1eb73e15f1a2a20ce3ad7e828610278bcfab62dde61c9fec8573655c4e5966205
|
|
7
|
+
data.tar.gz: 4fe87a8e2fb5a05db5dbc456910a31d483d49208e56f5f5f0f83221b3fa4dad1fc01ebe630fb7593899ab41350ac796b5e6467803251a609e4e9a4974c5f46ac
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
name:
|
|
1
|
+
name: 01 - Test
|
|
2
2
|
|
|
3
3
|
on:
|
|
4
4
|
push:
|
|
@@ -16,18 +16,16 @@ on:
|
|
|
16
16
|
workflow_dispatch:
|
|
17
17
|
|
|
18
18
|
jobs:
|
|
19
|
-
|
|
19
|
+
test:
|
|
20
20
|
runs-on: ubuntu-latest
|
|
21
|
-
env:
|
|
22
|
-
CC_TEST_REPORTER_ID: ${{ secrets.CC_TEST_REPORTER_ID }}
|
|
23
21
|
strategy:
|
|
24
22
|
fail-fast: false
|
|
25
23
|
matrix:
|
|
26
|
-
ruby: [ '3.4', '3.3', '3.2'
|
|
24
|
+
ruby: [ '3.4', '3.3', '3.2']
|
|
27
25
|
|
|
28
26
|
name: Ruby ${{ matrix.ruby }}
|
|
29
27
|
steps:
|
|
30
|
-
- uses: actions/checkout@
|
|
28
|
+
- uses: actions/checkout@v5
|
|
31
29
|
|
|
32
30
|
- name: Set up Ruby
|
|
33
31
|
uses: ruby/setup-ruby@v1
|
|
@@ -37,16 +35,6 @@ jobs:
|
|
|
37
35
|
bundler-cache: true
|
|
38
36
|
cache-version: 1
|
|
39
37
|
|
|
40
|
-
- name:
|
|
41
|
-
run: |
|
|
42
|
-
curl -L https://codeclimate.com/downloads/test-reporter/test-reporter-latest-linux-amd64 > ./cc-test-reporter
|
|
43
|
-
chmod +x ./cc-test-reporter
|
|
44
|
-
./cc-test-reporter before-build
|
|
45
|
-
|
|
46
|
-
- name: Run default task
|
|
38
|
+
- name: Run tests
|
|
47
39
|
run: |
|
|
48
40
|
bundle exec rake
|
|
49
|
-
|
|
50
|
-
- name: Code Climate publish test coverage
|
|
51
|
-
run: |
|
|
52
|
-
./cc-test-reporter after-build
|
|
@@ -1,16 +1,15 @@
|
|
|
1
|
-
name:
|
|
1
|
+
name: 02 - Release
|
|
2
2
|
|
|
3
3
|
on:
|
|
4
4
|
workflow_dispatch:
|
|
5
5
|
|
|
6
6
|
jobs:
|
|
7
|
-
|
|
8
|
-
build:
|
|
7
|
+
release:
|
|
9
8
|
runs-on: ubuntu-latest
|
|
10
9
|
|
|
11
10
|
steps:
|
|
12
11
|
- name: Checkout current code
|
|
13
|
-
uses: actions/checkout@
|
|
12
|
+
uses: actions/checkout@v5
|
|
14
13
|
|
|
15
14
|
- name: Set up Ruby
|
|
16
15
|
uses: ruby/setup-ruby@v1
|
|
@@ -20,7 +19,7 @@ jobs:
|
|
|
20
19
|
bundler-cache: true
|
|
21
20
|
cache-version: 1
|
|
22
21
|
|
|
23
|
-
- name:
|
|
22
|
+
- name: Release to RubyGems
|
|
24
23
|
env:
|
|
25
24
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
26
25
|
run: |
|
|
@@ -30,4 +29,4 @@ jobs:
|
|
|
30
29
|
echo -e "---\n:rubygems_api_key: ${{ secrets.RUBYGEMS_API_KEY }}" > ~/.gem/credentials
|
|
31
30
|
chmod 600 ~/.gem/credentials
|
|
32
31
|
bundle exec rake release
|
|
33
|
-
rm ~/.gem/credentials
|
|
32
|
+
rm ~/.gem/credentials
|
data/CHANGELOG.md
CHANGED
data/LICENSE
ADDED
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2025 ikey.ch
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
data/README.md
CHANGED
|
@@ -1,21 +1,31 @@
|
|
|
1
1
|
[](https://badge.fury.io/rb/ehsso)
|
|
2
|
-
[](https://github.com/thomis/ehsso/actions/workflows/ci.yml)
|
|
2
|
+
[](https://github.com/thomis/ehsso/actions/workflows/01_test.yml)
|
|
3
|
+
[](https://github.com/thomis/ehsso/actions/workflows/02_release.yml)
|
|
5
4
|
|
|
6
5
|
# ehsso
|
|
7
6
|
|
|
8
|
-
|
|
7
|
+
A Rails authorization gem that integrates with company-specific Single Sign-On (SSO) infrastructure. It extracts user identity from HTTP request headers and queries a configured authorization service to retrieve user roles for your application.
|
|
8
|
+
|
|
9
|
+
## How it works
|
|
10
|
+
|
|
11
|
+
1. **Identity Extraction**: Reads user information from specific HTTP headers injected by your SSO infrastructure
|
|
12
|
+
2. **Authorization Query**: Sends the user identity along with your application's module key to a central authorization service
|
|
13
|
+
3. **Role Management**: Receives and manages user roles specific to your application/module
|
|
14
|
+
4. **Access Control**: Provides simple role-checking methods for implementing authorization logic in your Rails app
|
|
15
|
+
|
|
16
|
+
This gem handles the authorization aspect of SSO - determining what an already authenticated user is allowed to do in your specific application based on their assigned roles.
|
|
9
17
|
|
|
10
18
|
## Supported Ruby Versions
|
|
11
19
|
|
|
12
20
|
Currently supported and tested ruby versions are:
|
|
13
21
|
|
|
14
|
-
- 3.
|
|
15
|
-
- 3.
|
|
16
|
-
- 3.
|
|
17
|
-
|
|
18
|
-
|
|
22
|
+
- 3.4 (EOL 31 Mar 2028)
|
|
23
|
+
- 3.3 (EOL 31 Mar 2027)
|
|
24
|
+
- 3.2 (EOL 31 Mar 2026)
|
|
25
|
+
|
|
26
|
+
Ruby versions not tested anymore:
|
|
27
|
+
|
|
28
|
+
- 3.1 (EOL 31 Mar 2025)
|
|
19
29
|
|
|
20
30
|
## Installation
|
|
21
31
|
|
|
@@ -34,7 +44,7 @@ Ehsso.configure do |config|
|
|
|
34
44
|
# Application reference
|
|
35
45
|
config.module_key = 'my_module_key'
|
|
36
46
|
|
|
37
|
-
#
|
|
47
|
+
# Authorization service endpoint with HTTP Basic Auth
|
|
38
48
|
config.base_url = 'http://{host}:{port}'
|
|
39
49
|
config.username_and_password = 'username:password'
|
|
40
50
|
end
|
|
@@ -42,8 +52,130 @@ end
|
|
|
42
52
|
|
|
43
53
|
## Usage
|
|
44
54
|
|
|
45
|
-
|
|
55
|
+
The authorization service typically returns roles like:
|
|
56
|
+
- **ADMINISTRATOR** - Full system access
|
|
57
|
+
- **OPERATOR** - Manage and modify resources
|
|
58
|
+
- **USER** - Standard access, read-only
|
|
59
|
+
- **GUEST** - Limited access, pending approval
|
|
60
|
+
|
|
61
|
+
Note: The actual roles returned depend on your authorization service configuration. The gem dynamically handles any role names returned by the service.
|
|
62
|
+
|
|
63
|
+
### Basic Controller Integration
|
|
64
|
+
|
|
65
|
+
```ruby
|
|
66
|
+
class ApplicationController < ActionController::Base
|
|
67
|
+
before_action :authorize_user
|
|
68
|
+
|
|
69
|
+
private
|
|
70
|
+
|
|
71
|
+
def authorize_user
|
|
72
|
+
@current_user = Ehsso::Person.parse_from_request_header(request.headers)
|
|
73
|
+
|
|
74
|
+
if @current_user.valid?
|
|
75
|
+
@current_user.fetch # Retrieve roles from authorization service
|
|
76
|
+
|
|
77
|
+
unless @current_user.valid?
|
|
78
|
+
render plain: 'Authorization service unavailable', status: :service_unavailable
|
|
79
|
+
end
|
|
80
|
+
else
|
|
81
|
+
render plain: 'Unauthorized', status: :unauthorized
|
|
82
|
+
end
|
|
83
|
+
end
|
|
84
|
+
|
|
85
|
+
def current_user
|
|
86
|
+
@current_user
|
|
87
|
+
end
|
|
88
|
+
end
|
|
89
|
+
```
|
|
90
|
+
|
|
91
|
+
### Role-Based Access Control
|
|
92
|
+
|
|
93
|
+
```ruby
|
|
94
|
+
class AdminController < ApplicationController
|
|
95
|
+
before_action :require_admin
|
|
96
|
+
|
|
97
|
+
def dashboard
|
|
98
|
+
# Administrator-only content
|
|
99
|
+
end
|
|
100
|
+
|
|
101
|
+
private
|
|
102
|
+
|
|
103
|
+
def require_admin
|
|
104
|
+
unless @current_user.administrator?
|
|
105
|
+
render plain: 'Access denied', status: :forbidden
|
|
106
|
+
end
|
|
107
|
+
end
|
|
108
|
+
end
|
|
109
|
+
|
|
110
|
+
class ResourcesController < ApplicationController
|
|
111
|
+
def index
|
|
112
|
+
# All authenticated users can view (even guests)
|
|
113
|
+
@resources = Resource.all
|
|
114
|
+
end
|
|
115
|
+
|
|
116
|
+
def show
|
|
117
|
+
# Users, operators, and administrators can view details
|
|
118
|
+
if @current_user.user? || @current_user.operator? || @current_user.administrator?
|
|
119
|
+
@resource = Resource.find(params[:id])
|
|
120
|
+
else
|
|
121
|
+
render plain: 'Guest access limited', status: :forbidden
|
|
122
|
+
end
|
|
123
|
+
end
|
|
124
|
+
|
|
125
|
+
def edit
|
|
126
|
+
# Operators and administrators can edit
|
|
127
|
+
if @current_user.operator? || @current_user.administrator?
|
|
128
|
+
@resource = Resource.find(params[:id])
|
|
129
|
+
else
|
|
130
|
+
render plain: 'Access denied', status: :forbidden
|
|
131
|
+
end
|
|
132
|
+
end
|
|
133
|
+
|
|
134
|
+
def destroy
|
|
135
|
+
# Only administrators can delete
|
|
136
|
+
if @current_user.administrator?
|
|
137
|
+
@resource = Resource.find(params[:id])
|
|
138
|
+
@resource.destroy
|
|
139
|
+
redirect_to resources_path
|
|
140
|
+
else
|
|
141
|
+
render plain: 'Access denied - Administrator only', status: :forbidden
|
|
142
|
+
end
|
|
143
|
+
end
|
|
144
|
+
end
|
|
145
|
+
```
|
|
146
|
+
|
|
147
|
+
### Auto-Registration for New Users
|
|
148
|
+
|
|
149
|
+
```ruby
|
|
150
|
+
class ApplicationController < ActionController::Base
|
|
151
|
+
before_action :authorize_or_register_user
|
|
152
|
+
|
|
153
|
+
private
|
|
154
|
+
|
|
155
|
+
def authorize_or_register_user
|
|
156
|
+
@current_user = Ehsso::Person.parse_from_request_header(request.headers)
|
|
157
|
+
|
|
158
|
+
if @current_user.valid?
|
|
159
|
+
# This will create user with 'GUEST' role if they don't exist yet
|
|
160
|
+
@current_user.fetch_or_create
|
|
161
|
+
|
|
162
|
+
if @current_user.guest?
|
|
163
|
+
redirect_to pending_approval_path
|
|
164
|
+
elsif @current_user.user? || @current_user.operator? || @current_user.administrator?
|
|
165
|
+
# User has been granted proper access
|
|
166
|
+
return true
|
|
167
|
+
end
|
|
168
|
+
else
|
|
169
|
+
render plain: 'Missing SSO headers', status: :unauthorized
|
|
170
|
+
end
|
|
171
|
+
end
|
|
172
|
+
end
|
|
173
|
+
```
|
|
46
174
|
|
|
47
175
|
## Contributing
|
|
48
176
|
|
|
49
177
|
Bug reports and pull requests are welcome on GitHub at https://github.com/thomis/ehsso.
|
|
178
|
+
|
|
179
|
+
## License
|
|
180
|
+
|
|
181
|
+
The gem is available as open source under the terms of the [MIT License](https://opensource.org/licenses/MIT).
|
data/ehsso.gemspec
CHANGED
|
@@ -30,6 +30,6 @@ Gem::Specification.new do |spec|
|
|
|
30
30
|
spec.add_development_dependency "simplecov", "~> 0.21"
|
|
31
31
|
|
|
32
32
|
spec.add_runtime_dependency("typhoeus", "~> 1.3")
|
|
33
|
-
spec.add_runtime_dependency("logger", "~> 1.
|
|
34
|
-
spec.add_runtime_dependency("bigdecimal", "~> 3.
|
|
33
|
+
spec.add_runtime_dependency("logger", "~> 1.7")
|
|
34
|
+
spec.add_runtime_dependency("bigdecimal", "~> 3.2")
|
|
35
35
|
end
|
data/lib/ehsso/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ehsso
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.6.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Thomas Steiner
|
|
8
8
|
bindir: exe
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date:
|
|
10
|
+
date: 1980-01-02 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
12
|
- !ruby/object:Gem::Dependency
|
|
13
13
|
name: bundler
|
|
@@ -113,28 +113,28 @@ dependencies:
|
|
|
113
113
|
requirements:
|
|
114
114
|
- - "~>"
|
|
115
115
|
- !ruby/object:Gem::Version
|
|
116
|
-
version: 1.
|
|
116
|
+
version: '1.7'
|
|
117
117
|
type: :runtime
|
|
118
118
|
prerelease: false
|
|
119
119
|
version_requirements: !ruby/object:Gem::Requirement
|
|
120
120
|
requirements:
|
|
121
121
|
- - "~>"
|
|
122
122
|
- !ruby/object:Gem::Version
|
|
123
|
-
version: 1.
|
|
123
|
+
version: '1.7'
|
|
124
124
|
- !ruby/object:Gem::Dependency
|
|
125
125
|
name: bigdecimal
|
|
126
126
|
requirement: !ruby/object:Gem::Requirement
|
|
127
127
|
requirements:
|
|
128
128
|
- - "~>"
|
|
129
129
|
- !ruby/object:Gem::Version
|
|
130
|
-
version: 3.
|
|
130
|
+
version: '3.2'
|
|
131
131
|
type: :runtime
|
|
132
132
|
prerelease: false
|
|
133
133
|
version_requirements: !ruby/object:Gem::Requirement
|
|
134
134
|
requirements:
|
|
135
135
|
- - "~>"
|
|
136
136
|
- !ruby/object:Gem::Version
|
|
137
|
-
version: 3.
|
|
137
|
+
version: '3.2'
|
|
138
138
|
description: EH Single Sign On
|
|
139
139
|
email:
|
|
140
140
|
- thomas.steiner@ikey.ch
|
|
@@ -143,12 +143,13 @@ extensions: []
|
|
|
143
143
|
extra_rdoc_files: []
|
|
144
144
|
files:
|
|
145
145
|
- ".github/dependabot.yml"
|
|
146
|
-
- ".github/workflows/
|
|
147
|
-
- ".github/workflows/
|
|
146
|
+
- ".github/workflows/01_test.yml"
|
|
147
|
+
- ".github/workflows/02_release.yml"
|
|
148
148
|
- ".gitignore"
|
|
149
149
|
- ".rspec"
|
|
150
150
|
- CHANGELOG.md
|
|
151
151
|
- Gemfile
|
|
152
|
+
- LICENSE
|
|
152
153
|
- README.md
|
|
153
154
|
- Rakefile
|
|
154
155
|
- ehsso.gemspec
|
|
@@ -175,7 +176,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
175
176
|
- !ruby/object:Gem::Version
|
|
176
177
|
version: '0'
|
|
177
178
|
requirements: []
|
|
178
|
-
rubygems_version: 3.6.
|
|
179
|
+
rubygems_version: 3.6.9
|
|
179
180
|
specification_version: 4
|
|
180
181
|
summary: EH Single Sign On
|
|
181
182
|
test_files: []
|