escher-rack_middleware 0.2.0 → 0.3.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +9 -0
- data/VERSION +1 -0
- data/escher-rack_middleware.gemspec +2 -5
- data/lib/escher/rack_middleware/default_options.rb +17 -0
- data/lib/escher/rack_middleware/include_path.rb +18 -0
- data/lib/escher/rack_middleware/include_paths/helper.rb +17 -0
- data/lib/escher/rack_middleware/version.rb +2 -1
- data/lib/escher/rack_middleware.rb +35 -10
- data/spec/escher/rack_middleware_spec.rb +29 -0
- data/spec/spec_helper.rb +100 -0
- metadata +26 -4
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: be0496a2d9fffdce4c6390d4e6d21994dccdcda2
|
|
4
|
+
data.tar.gz: a2ca061cbb91af559d81d39a14b7a4685bb0866a
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: cc25a4f9901ec663bd4b0e54bc12a67fc623a498ea3b17e49606b66ddef5f5e3c28e84829de0914738b6085c3048f89933167a6458179dbdd37e035a1709ff90
|
|
7
|
+
data.tar.gz: d9beafe02fd7f23a4d225a28913e4340df0139ddb64267b05b4cfde4fcbcb03bacf3c5d5d8d1cff4f0b3bea01b62fa0e2ec02e847915855f532fca961f10703b
|
data/README.md
CHANGED
|
@@ -33,9 +33,18 @@ Escher::RackMiddleware.config do |c|
|
|
|
33
33
|
# this will be triggered every time a request hit your appication
|
|
34
34
|
c.add_credential_updater{ Escher::Keypool.new.get_key_db }
|
|
35
35
|
|
|
36
|
+
# autorization defaults to all paths
|
|
36
37
|
# this help you exclude path(s) if you dont want require authorization for every endpoint
|
|
37
38
|
c.add_exclude_path(/^\/*monitoring\//)
|
|
38
39
|
|
|
40
|
+
# Alternatively, you can just authorize some paths:
|
|
41
|
+
# this help you just include certain paths for authorization
|
|
42
|
+
# c.add_include_path(/^\/*integrations\//)
|
|
43
|
+
|
|
44
|
+
# NOTE: You can either use excluded paths or included_paths, using both will throw an
|
|
45
|
+
# exception.
|
|
46
|
+
|
|
47
|
+
|
|
39
48
|
end
|
|
40
49
|
|
|
41
50
|
use Escher::RackMiddleware
|
data/VERSION
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
0.3.1
|
|
@@ -1,12 +1,8 @@
|
|
|
1
1
|
# coding: utf-8
|
|
2
|
-
lib = File.expand_path('../lib', __FILE__)
|
|
3
|
-
$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
|
|
4
|
-
require 'escher/rack_middleware/version'
|
|
5
|
-
|
|
6
2
|
Gem::Specification.new do |spec|
|
|
7
3
|
|
|
8
4
|
spec.name = 'escher-rack_middleware'
|
|
9
|
-
spec.version =
|
|
5
|
+
spec.version = File.read(File.join(File.dirname(__FILE__),'VERSION'))
|
|
10
6
|
spec.authors = ['Adam Luzsi']
|
|
11
7
|
spec.email = ['aluzsi@emarsys.com']
|
|
12
8
|
spec.summary = %q{Escher authorization for rack based http servers}
|
|
@@ -23,6 +19,7 @@ Gem::Specification.new do |spec|
|
|
|
23
19
|
spec.add_development_dependency 'rake'
|
|
24
20
|
spec.add_development_dependency 'spec'
|
|
25
21
|
|
|
22
|
+
spec.add_dependency 'rack'
|
|
26
23
|
spec.add_dependency 'escher', '>= 0.3.3'
|
|
27
24
|
|
|
28
25
|
end
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
module Escher::RackMiddleware::DefaultOptions
|
|
2
|
+
|
|
3
|
+
protected
|
|
4
|
+
|
|
5
|
+
|
|
6
|
+
|
|
7
|
+
def default_options
|
|
8
|
+
{
|
|
9
|
+
:logger => Escher::RackMiddleware.logger,
|
|
10
|
+
:excluded_paths => Escher::RackMiddleware.excluded_paths,
|
|
11
|
+
:included_paths => Escher::RackMiddleware.included_paths,
|
|
12
|
+
:escher_authenticators => Escher::RackMiddleware.escher_authenticators,
|
|
13
|
+
:credentials => Escher::RackMiddleware.credentials
|
|
14
|
+
}
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
end
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
module Escher::RackMiddleware::IncludePath
|
|
2
|
+
|
|
3
|
+
require 'escher/rack_middleware/include_paths/helper'
|
|
4
|
+
def self.extended(klass)
|
|
5
|
+
klass.__send__(:include, self::Helper)
|
|
6
|
+
end
|
|
7
|
+
|
|
8
|
+
def add_include_paths(*paths)
|
|
9
|
+
included_paths.push(*paths)
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
alias add_include_path add_include_paths
|
|
13
|
+
|
|
14
|
+
def included_paths
|
|
15
|
+
@included_paths ||= []
|
|
16
|
+
end
|
|
17
|
+
|
|
18
|
+
end
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
module Escher::RackMiddleware::IncludePath::Helper
|
|
2
|
+
|
|
3
|
+
def included_paths
|
|
4
|
+
@included_paths ||= self.class.included_paths.dup
|
|
5
|
+
end
|
|
6
|
+
|
|
7
|
+
def included_path?(path)
|
|
8
|
+
included_paths.any? do |matcher|
|
|
9
|
+
if matcher.is_a?(Regexp)
|
|
10
|
+
!!(path =~ matcher)
|
|
11
|
+
else
|
|
12
|
+
path == matcher.to_s
|
|
13
|
+
end
|
|
14
|
+
end
|
|
15
|
+
end
|
|
16
|
+
|
|
17
|
+
end
|
|
@@ -5,25 +5,28 @@ class Escher::RackMiddleware
|
|
|
5
5
|
require 'escher/rack_middleware/logging'
|
|
6
6
|
require 'escher/rack_middleware/credential'
|
|
7
7
|
require 'escher/rack_middleware/exclude_path'
|
|
8
|
+
require 'escher/rack_middleware/include_path'
|
|
8
9
|
require 'escher/rack_middleware/authenticator'
|
|
10
|
+
require 'escher/rack_middleware/default_options'
|
|
9
11
|
|
|
10
12
|
extend Logging
|
|
11
13
|
extend Credential
|
|
12
14
|
extend ExcludePath
|
|
15
|
+
extend IncludePath
|
|
13
16
|
extend Authenticator
|
|
17
|
+
include DefaultOptions
|
|
14
18
|
|
|
15
|
-
def initialize(app)
|
|
19
|
+
def initialize(app,options={})
|
|
16
20
|
@app = app
|
|
21
|
+
@options = default_options.merge(options)
|
|
17
22
|
end
|
|
18
23
|
|
|
19
24
|
def call(request_env)
|
|
20
|
-
|
|
21
|
-
unless excluded_path?(request_env['REQUEST_URI'])
|
|
25
|
+
if authorize_path?(::Rack::Utils.clean_path_info(request_env[::Rack::PATH_INFO]))
|
|
22
26
|
return unauthorized_response unless authorized?(request_env)
|
|
23
27
|
end
|
|
24
28
|
|
|
25
29
|
@app.call(request_env)
|
|
26
|
-
|
|
27
30
|
end
|
|
28
31
|
|
|
29
32
|
protected
|
|
@@ -35,13 +38,35 @@ class Escher::RackMiddleware
|
|
|
35
38
|
response.finish
|
|
36
39
|
end
|
|
37
40
|
|
|
38
|
-
def env_dump_string(request_env)
|
|
39
|
-
require 'yaml' unless defined?(YAML)
|
|
40
|
-
YAML.dump(request_env)
|
|
41
|
-
end
|
|
42
|
-
|
|
43
41
|
def self.config(&block)
|
|
44
42
|
block.call(self)
|
|
45
43
|
end
|
|
46
44
|
|
|
47
|
-
|
|
45
|
+
def authorize_path?(path)
|
|
46
|
+
case true
|
|
47
|
+
|
|
48
|
+
when paths_of(:included_paths, include: path)
|
|
49
|
+
true
|
|
50
|
+
|
|
51
|
+
when paths_of(:excluded_paths, include: path)
|
|
52
|
+
false
|
|
53
|
+
|
|
54
|
+
else
|
|
55
|
+
true
|
|
56
|
+
|
|
57
|
+
end
|
|
58
|
+
end
|
|
59
|
+
|
|
60
|
+
def paths_of(option_key, h)
|
|
61
|
+
path = h[:include]
|
|
62
|
+
@options[option_key].any? do |matcher|
|
|
63
|
+
if matcher.is_a?(Regexp)
|
|
64
|
+
!!(path =~ matcher)
|
|
65
|
+
else
|
|
66
|
+
path == matcher.to_s
|
|
67
|
+
end
|
|
68
|
+
end
|
|
69
|
+
end
|
|
70
|
+
|
|
71
|
+
|
|
72
|
+
end
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
require 'spec_helper'
|
|
2
|
+
|
|
3
|
+
describe Escher::RackMiddleware do
|
|
4
|
+
|
|
5
|
+
let(:escher_rack_middleware) { described_class }
|
|
6
|
+
|
|
7
|
+
it 'serves correct, Escher signed requests only' do
|
|
8
|
+
expect(get('/any_path').status).to eq 401
|
|
9
|
+
end
|
|
10
|
+
|
|
11
|
+
it 'allow pass on valid request' do
|
|
12
|
+
expect(escher_signed_get('/').status).to eq 200
|
|
13
|
+
end
|
|
14
|
+
|
|
15
|
+
it 'should exclude the excluded paths' do
|
|
16
|
+
expect(get('/not_protected').status).to eq 200
|
|
17
|
+
end
|
|
18
|
+
|
|
19
|
+
it 'should include the included paths alike' do
|
|
20
|
+
expect(get('/protected').status).to eq 401
|
|
21
|
+
expect(escher_signed_get('/protected').status).to eq 200
|
|
22
|
+
end
|
|
23
|
+
|
|
24
|
+
it 'should include the included paths even on partial matching with exclude paths' do
|
|
25
|
+
expect(get('/unprotected_namespace/except_this_endpoint_which_is_included').status).to eq 401
|
|
26
|
+
expect(escher_signed_get('/unprotected_namespace/except_this_endpoint_which_is_included').status).to eq 200
|
|
27
|
+
end
|
|
28
|
+
|
|
29
|
+
end
|
data/spec/spec_helper.rb
ADDED
|
@@ -0,0 +1,100 @@
|
|
|
1
|
+
require 'rspec'
|
|
2
|
+
require 'rack'
|
|
3
|
+
$LOAD_PATH.unshift(File.join(File.dirname(File.dirname(__FILE__)), 'lib'))
|
|
4
|
+
require 'escher/rack_middleware'
|
|
5
|
+
|
|
6
|
+
CREDENTIAL_SCOPE = 'a/b/c'
|
|
7
|
+
|
|
8
|
+
AUTH_OPTIONS = {
|
|
9
|
+
algo_prefix: 'AWS',
|
|
10
|
+
vendor_key: 'AWS',
|
|
11
|
+
auth_header_name: 'X-AWS-Auth',
|
|
12
|
+
date_header_name: 'X-AWS-Date'
|
|
13
|
+
}
|
|
14
|
+
|
|
15
|
+
require 'logger'
|
|
16
|
+
SPEC_LOGGER = Logger.new($stdout)
|
|
17
|
+
SPEC_LOGGER.level= Logger::Severity::UNKNOWN
|
|
18
|
+
|
|
19
|
+
Escher::RackMiddleware.config do |global_settings|
|
|
20
|
+
|
|
21
|
+
global_settings.logger = SPEC_LOGGER
|
|
22
|
+
|
|
23
|
+
global_settings.add_exclude_path '/not_protected', '/endpoint', /^\/unprotected_namespace/
|
|
24
|
+
global_settings.add_include_path '/protected', '/endpoint_path', '/unprotected_namespace/except_this_endpoint_which_is_included'
|
|
25
|
+
|
|
26
|
+
global_settings.add_credential_updater { {"a_b_v1" => "development_secret"} }
|
|
27
|
+
global_settings.add_escher_authenticator { Escher::Auth.new(CREDENTIAL_SCOPE, AUTH_OPTIONS) }
|
|
28
|
+
|
|
29
|
+
end
|
|
30
|
+
|
|
31
|
+
|
|
32
|
+
module SpecRackHelpers
|
|
33
|
+
|
|
34
|
+
def escher_signed_get(uri, opts={})
|
|
35
|
+
|
|
36
|
+
request_hash = {}
|
|
37
|
+
request_hash[:method] = 'GET'
|
|
38
|
+
request_hash[:uri] = uri
|
|
39
|
+
request_hash[:headers] = ({'host' => 'localhost'}.merge(opts[:headers] || {})).to_a
|
|
40
|
+
request_hash[:body] = opts[:body]
|
|
41
|
+
|
|
42
|
+
client = {:api_key_id => "a_b_v1", :api_secret => "development_secret"}
|
|
43
|
+
escher.sign!(request_hash, client)
|
|
44
|
+
|
|
45
|
+
env = {}
|
|
46
|
+
request_hash[:headers].each do |key, value|
|
|
47
|
+
env["HTTP_#{key.to_s.upcase}"]= value
|
|
48
|
+
end
|
|
49
|
+
|
|
50
|
+
env[:input]= request_hash[:body]
|
|
51
|
+
env['REQUEST_URI'] = uri
|
|
52
|
+
env['REQUEST_PATH'] = uri
|
|
53
|
+
env['REQUEST_METHOD'] = 'GET'
|
|
54
|
+
|
|
55
|
+
get(uri, env)
|
|
56
|
+
|
|
57
|
+
end
|
|
58
|
+
|
|
59
|
+
def escher
|
|
60
|
+
Escher::Auth.new(CREDENTIAL_SCOPE, AUTH_OPTIONS)
|
|
61
|
+
end
|
|
62
|
+
|
|
63
|
+
def get(*args)
|
|
64
|
+
::Rack::MockRequest.new(app).get(*args)
|
|
65
|
+
end
|
|
66
|
+
|
|
67
|
+
def app
|
|
68
|
+
builder = Rack::Builder.new
|
|
69
|
+
builder.use(escher_rack_middleware)
|
|
70
|
+
builder.run(rack_app)
|
|
71
|
+
builder.to_app
|
|
72
|
+
end
|
|
73
|
+
|
|
74
|
+
def rack_app
|
|
75
|
+
Proc.new do |env|
|
|
76
|
+
|
|
77
|
+
resp = Rack::Response.new
|
|
78
|
+
case env[::Rack::PATH_INFO]
|
|
79
|
+
|
|
80
|
+
when '/'
|
|
81
|
+
resp.write('default')
|
|
82
|
+
|
|
83
|
+
when '/protected', '/endpoint_path', '/unprotected_namespace/except_this_endpoint_which_is_included'
|
|
84
|
+
resp.write('included')
|
|
85
|
+
|
|
86
|
+
when '/not_protected', '/endpoint', /^\/unprotected_namespace/
|
|
87
|
+
resp.write('excluded')
|
|
88
|
+
|
|
89
|
+
else
|
|
90
|
+
resp.status = 404
|
|
91
|
+
|
|
92
|
+
end
|
|
93
|
+
resp.finish
|
|
94
|
+
|
|
95
|
+
end
|
|
96
|
+
end
|
|
97
|
+
|
|
98
|
+
end
|
|
99
|
+
|
|
100
|
+
RSpec.configuration.include(SpecRackHelpers)
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: escher-rack_middleware
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.3.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Adam Luzsi
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2016-05-12 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|
|
@@ -52,6 +52,20 @@ dependencies:
|
|
|
52
52
|
- - ">="
|
|
53
53
|
- !ruby/object:Gem::Version
|
|
54
54
|
version: '0'
|
|
55
|
+
- !ruby/object:Gem::Dependency
|
|
56
|
+
name: rack
|
|
57
|
+
requirement: !ruby/object:Gem::Requirement
|
|
58
|
+
requirements:
|
|
59
|
+
- - ">="
|
|
60
|
+
- !ruby/object:Gem::Version
|
|
61
|
+
version: '0'
|
|
62
|
+
type: :runtime
|
|
63
|
+
prerelease: false
|
|
64
|
+
version_requirements: !ruby/object:Gem::Requirement
|
|
65
|
+
requirements:
|
|
66
|
+
- - ">="
|
|
67
|
+
- !ruby/object:Gem::Version
|
|
68
|
+
version: '0'
|
|
55
69
|
- !ruby/object:Gem::Dependency
|
|
56
70
|
name: escher
|
|
57
71
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -79,17 +93,23 @@ files:
|
|
|
79
93
|
- LICENSE.txt
|
|
80
94
|
- README.md
|
|
81
95
|
- Rakefile
|
|
96
|
+
- VERSION
|
|
82
97
|
- escher-rack_middleware.gemspec
|
|
83
98
|
- lib/escher/rack_middleware.rb
|
|
84
99
|
- lib/escher/rack_middleware/authenticator.rb
|
|
85
100
|
- lib/escher/rack_middleware/authenticator/helper.rb
|
|
86
101
|
- lib/escher/rack_middleware/credential.rb
|
|
87
102
|
- lib/escher/rack_middleware/credential/helper.rb
|
|
103
|
+
- lib/escher/rack_middleware/default_options.rb
|
|
88
104
|
- lib/escher/rack_middleware/exclude_path.rb
|
|
89
105
|
- lib/escher/rack_middleware/exclude_paths/helper.rb
|
|
106
|
+
- lib/escher/rack_middleware/include_path.rb
|
|
107
|
+
- lib/escher/rack_middleware/include_paths/helper.rb
|
|
90
108
|
- lib/escher/rack_middleware/logging.rb
|
|
91
109
|
- lib/escher/rack_middleware/logging/helper.rb
|
|
92
110
|
- lib/escher/rack_middleware/version.rb
|
|
111
|
+
- spec/escher/rack_middleware_spec.rb
|
|
112
|
+
- spec/spec_helper.rb
|
|
93
113
|
homepage: https://github.com/emartech/escher-rack_middleware-ruby
|
|
94
114
|
licenses:
|
|
95
115
|
- MIT
|
|
@@ -110,8 +130,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
|
110
130
|
version: '0'
|
|
111
131
|
requirements: []
|
|
112
132
|
rubyforge_project:
|
|
113
|
-
rubygems_version: 2.
|
|
133
|
+
rubygems_version: 2.4.8
|
|
114
134
|
signing_key:
|
|
115
135
|
specification_version: 4
|
|
116
136
|
summary: Escher authorization for rack based http servers
|
|
117
|
-
test_files:
|
|
137
|
+
test_files:
|
|
138
|
+
- spec/escher/rack_middleware_spec.rb
|
|
139
|
+
- spec/spec_helper.rb
|