heimdall_auth 1.6.0 → 1.8.0
- checksums.yaml +4 -4
- data/README.md +23 -0
- data/app/controllers/heimdall_auth/sessions_controller.rb +5 -5
- data/lib/heimdall_auth/authentication_additions.rb +48 -0
- data/lib/heimdall_auth/controller_additions.rb +2 -46
- data/lib/heimdall_auth/rails/routes.rb +16 -0
- data/lib/heimdall_auth/route_constraint.rb +45 -0
- data/lib/heimdall_auth/user.rb +11 -1
- data/lib/heimdall_auth/version.rb +1 -1
- data/lib/heimdall_auth.rb +3 -0
- metadata +7 -5
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 62917a5dfbec560e91964ae280d362973e51c3fd7aec9fa39012fcba2053fb96
|
4
|
+
data.tar.gz: d902146d018ba779759c7bef16e7807266d1960a49127961d587a791f131ee41
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b47b0dfd4f6db45ab8a1d5a34626e1529dcba2811901c36e3ba9a1534e5a814b7c163a4ed433198c66462575feb2eadbd60792ac604f53703381c88cf0282cbc
|
7
|
+
data.tar.gz: 97c6c1a896670c6e224725d848e30340cf30baeecca65a24d7f12275d8040ad1ebdd1bc75156295eda8b94c847901a34802e0542145a2a02a75fdc09a38de91a
|
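--- a/data/README.md
+++ b/data/README.md
@@ -1,6 +1,29 @@
 # HeimdallAuth
 This makes it easy to equip an empty rails application with our Heimdall Auth features.
 
+## New Feature: Secure Sidekiq (and other mounts)
+Use it like so in `config/routes.rb`:
+```
+mount_heimdall_auth_secured Sidekiq::Web => '/sidekiq', :manage => :sidekiq
+```
+instead of the known:
+```
+mount Sidekiq::Web => '/sidekiq'
+```
+
+Additionally you need to add the rights to your `app/models/ability.rb`:
+```
+if user.is_admin
+can :manage, :sidekiq
+end
+```
+
+Options:
+- mount_heimdall_auth_secured ENGINE => PATH, ACTION => RESOURCE
+- ENGINE - any mountable Engine like `Sidekiq::Web`
+- PATH - where to mount the engine
+- ACTION & RESOURCE - like any action and resource in cancancan
+
 ## Installation and Usage
 
 Example: https://gitlab.vesputi.com/netzmap/nanna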
@@ -8,29 +8,29 @@ class HeimdallAuth::SessionsController < ApplicationController
|
|
8
8
|
if user_token
|
9
9
|
do_a_signin_precall(user_token, heimdall_auth_url)
|
10
10
|
else
|
11
|
-
redirect_to heimdall_auth_url
|
11
|
+
redirect_to heimdall_auth_url, allow_other_host: true
|
12
12
|
end
|
13
13
|
end
|
14
14
|
|
15
15
|
def create
|
16
16
|
auth = request.env["omniauth.auth"]
|
17
17
|
session[:access_token] = auth.credentials.token
|
18
|
-
redirect_to session[:last_url] ||
|
18
|
+
redirect_to( session[:last_url] || request.base_url, allow_other_host: true)
|
19
19
|
end
|
20
20
|
|
21
21
|
def destroy
|
22
22
|
last_url = session[:last_url]
|
23
23
|
reset_session
|
24
|
-
redirect_to
|
24
|
+
redirect_to("#{ENV['HEIMDALL_SERVER_URL']}/signout?redirect_to=#{last_url || request.base_url}", :notice => 'Signed out!', allow_other_host: true)
|
25
25
|
end
|
26
26
|
|
27
27
|
def failure
|
28
|
-
redirect_to
|
28
|
+
redirect_to request.base_url, :alert => "Authentication error: #{params[:message].humanize}", allow_other_host: true
|
29
29
|
end
|
30
30
|
|
31
31
|
private
|
32
32
|
def do_a_signin_precall(user_token, heimdall_auth_url)
|
33
|
-
redirect_to "#{ENV['HEIMDALL_SERVER_URL']}/?user_token=#{user_token}&redirect_to=#{heimdall_auth_url}"
|
33
|
+
redirect_to "#{ENV['HEIMDALL_SERVER_URL']}/?user_token=#{user_token}&redirect_to=#{heimdall_auth_url}", allow_other_host: true
|
34
34
|
end
|
35
35
|
|
36
36
|
end
|
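Review bot: In `destroy` the stored `last_url` is interpolated straight into the `redirect_to=` query parameter without URL-encoding, so a stored URL that itself carries a query string (`?`/`&`) is split by the auth server into separate parameters and the return trip lands on a truncated URL; the same applies to `redirect_to=#{heimdall_auth_url}` in `do_a_signin_precall`. Build the parameter as `ERB::Util.url_encode(last_url || request.base_url)` (or assemble it with `URI` and `Rack::Utils.build_query`). `allow_other_host: true` on the `create` redirect is only safe while `session[:last_url]` is written exclusively from `request.url` (in `store_location_in_session`) and `request.base_url` (in the new route constraint); any future writer of that key turns it into an open redirect, which deserves a comment on that line, e.g. `# last_url is only ever our own request.url/base_url; never store a user-supplied URL here`. The `new` action whose `else` branch changes at the top of the hunk starts outside the hunk.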
@@ -0,0 +1,48 @@
|
|
1
|
+
module HeimdallAuth
|
2
|
+
module AuthenticationAdditions
|
3
|
+
def current_ability
|
4
|
+
@current_ability ||= Ability.new(current_user)
|
5
|
+
end
|
6
|
+
|
7
|
+
def store_location_in_session
|
8
|
+
session[:last_url] = request.url if storable_location?
|
9
|
+
::Rails.logger.info("\033[32m session[:last_url] = #{session[:last_url]} \033[0m")
|
10
|
+
end
|
11
|
+
|
12
|
+
def storable_location?
|
13
|
+
request.get? && request.format.try(:ref) == :html && !is_a?(SessionsController) && !request.xhr?
|
14
|
+
end
|
15
|
+
|
16
|
+
def current_access_token
|
17
|
+
request.session[:access_token] || params[:access_token] || request.headers['HeimdallAccessToken']
|
18
|
+
end
|
19
|
+
|
20
|
+
def current_user
|
21
|
+
begin
|
22
|
+
@current_user ||= get_user_from_auth_server(current_access_token)
|
23
|
+
rescue NoMethodError => e
|
24
|
+
User.new(is_invalid: true)
|
25
|
+
rescue Exception => e
|
26
|
+
nil
|
27
|
+
end
|
28
|
+
end
|
29
|
+
|
30
|
+
def current_environment
|
31
|
+
begin
|
32
|
+
@current_environment ||= current_user.key_environment || params[:environment]
|
33
|
+
rescue NoMethodError, Exception => e
|
34
|
+
nil
|
35
|
+
end
|
36
|
+
end
|
37
|
+
|
38
|
+
def get_user_from_auth_server(access_token)
|
39
|
+
client = OAuth2::Client.new(ENV['HEIMDALL_APPLICATION_ID'], ENV['HEIMDALL_APPLICATION_SECRET'], :site => ENV['HEIMDALL_SERVER_URL'])
|
40
|
+
user_data = OAuth2::AccessToken.new(client,access_token).get('/me.json').parsed
|
41
|
+
User.new(user_data)
|
42
|
+
end
|
43
|
+
|
44
|
+
def user_signed_in?
|
45
|
+
return true if current_user
|
46
|
+
end
|
47
|
+
end
|
48
|
+
end
|
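Review bot: `user_signed_in?` reports `true` for the `User.new(is_invalid: true)` placeholder that `current_user` returns from its `rescue NoMethodError` branch, because any object is truthy, so a caller gating on `user_signed_in?` treats a token the auth server could not resolve into a user as a signed-in session; return `user = current_user; !user.nil? && !user.is_invalid` instead. That placeholder path is also not memoised into `@current_user`, so each further `current_user` call in the same request repeats the `/me.json` round trip. `rescue Exception => e` in the same method swallows `SignalException`/`SystemExit` as well and should be `rescue StandardError`. `current_access_token` additionally accepts the token from `params[:access_token]`, which puts bearer tokens into request logs, referrers and browser history; if a specific client needs the query-string form, document it on that line and prefer the `HeimdallAccessToken` header otherwise.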
@@ -1,10 +1,12 @@
|
|
1
1
|
# frozen_string_literal: true
|
2
2
|
require "cancancan"
|
3
|
+
require "heimdall_auth/authentication_additions"
|
3
4
|
|
4
5
|
module HeimdallAuth
|
5
6
|
# This module is automatically included into all controllers.
|
6
7
|
# It adds methods like current_user but also handles auth-failure redirections
|
7
8
|
module ControllerAdditions
|
9
|
+
include HeimdallAuth::AuthenticationAdditions
|
8
10
|
|
9
11
|
def self.included(base)
|
10
12
|
base.helper_method :current_user, :current_access_token, :current_environment, :user_signed_in? if base.respond_to? :helper_method
|
@@ -28,52 +30,6 @@ module HeimdallAuth
|
|
28
30
|
end
|
29
31
|
|
30
32
|
end
|
31
|
-
|
32
|
-
def current_ability
|
33
|
-
@current_ability ||= Ability.new(current_user)
|
34
|
-
end
|
35
|
-
|
36
|
-
def store_location_in_session
|
37
|
-
session[:last_url] = request.url if storable_location?
|
38
|
-
::Rails.logger.info("\033[32m session[:last_url] = #{session[:last_url]} \033[0m")
|
39
|
-
end
|
40
|
-
|
41
|
-
def storable_location?
|
42
|
-
request.get? && request.format.try(:ref) == :html && !is_a?(SessionsController) && !request.xhr?
|
43
|
-
end
|
44
|
-
|
45
|
-
|
46
|
-
def current_access_token
|
47
|
-
session[:access_token] || params[:access_token] || request.headers['HeimdallAccessToken']
|
48
|
-
end
|
49
|
-
|
50
|
-
def current_user
|
51
|
-
begin
|
52
|
-
@current_user ||= get_user_from_auth_server(current_access_token)
|
53
|
-
rescue NoMethodError => e
|
54
|
-
User.new(is_invalid: true)
|
55
|
-
rescue Exception => e
|
56
|
-
nil
|
57
|
-
end
|
58
|
-
end
|
59
|
-
|
60
|
-
def current_environment
|
61
|
-
begin
|
62
|
-
@current_environment ||= current_user.key_environment || params[:environment]
|
63
|
-
rescue NoMethodError, Exception => e
|
64
|
-
nil
|
65
|
-
end
|
66
|
-
end
|
67
|
-
|
68
|
-
def get_user_from_auth_server(access_token)
|
69
|
-
client = OAuth2::Client.new(ENV['HEIMDALL_APPLICATION_ID'], ENV['HEIMDALL_APPLICATION_SECRET'], :site => ENV['HEIMDALL_SERVER_URL'])
|
70
|
-
user_data = OAuth2::AccessToken.new(client,access_token).get('/me.json').parsed
|
71
|
-
User.new(user_data)
|
72
|
-
end
|
73
|
-
|
74
|
-
def user_signed_in?
|
75
|
-
return true if current_user
|
76
|
-
end
|
77
33
|
end
|
78
34
|
end
|
79
35
|
|
@@ -9,6 +9,22 @@ module HeimdallAuth
|
|
9
9
|
get '/signin' => 'heimdall_auth/sessions#new', :as => :new_user_session
|
10
10
|
get '/signout' => 'heimdall_auth/sessions#destroy', :as => :destroy_user_session
|
11
11
|
end
|
12
|
+
|
13
|
+
|
14
|
+
def mount_heimdall_auth_secured(options = {}, &block)
|
15
|
+
mount_element = options.keys.first
|
16
|
+
path = options[mount_element]
|
17
|
+
|
18
|
+
action = options.keys.second
|
19
|
+
resource = options.values.second
|
20
|
+
if action.nil? || resource.nil?
|
21
|
+
puts "WARNING: It seems you missed the cancancan rights. Use: `mount_heimdall_auth_secured Sidekiq::Web => '/sidekiq', :manage => :sidekiq`"
|
22
|
+
end
|
23
|
+
|
24
|
+
mount mount_element => path, constraints: HeimdallAuth::RouteConstraint.new(action, resource)
|
25
|
+
get "#{path}", to: redirect('/signin')
|
26
|
+
get "#{path}/*rest", to: redirect('/signin')
|
27
|
+
end
|
12
28
|
end
|
13
29
|
|
14
30
|
def self.install!
|
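Review bot: When `action` or `resource` is missing, `mount_heimdall_auth_secured` only `puts` a warning and still mounts the engine behind `HeimdallAuth::RouteConstraint.new(nil, nil)`, so whether the mount is reachable then depends on how the application's `Ability` answers `can?(nil, nil)` instead of failing closed; raise instead: `raise ArgumentError, "mount_heimdall_auth_secured needs a cancancan action and resource, e.g. :manage => :sidekiq" if action.nil? || resource.nil?`. Reading the pair via `options.keys.second`/`options.values.second` relies on hash insertion order of the caller's literal, which works but is worth a comment above those two lines. The fallback routes only cover `GET`, so an unauthorized non-GET request to the mounted path (the README's `Sidekiq::Web` example also serves form posts) answers 404 rather than redirecting to sign-in — acceptable, but a one-line comment on the two `get` lines should say so. The enclosing module and `self.install!` continue outside the hunk.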
@@ -0,0 +1,45 @@
|
|
1
|
+
module HeimdallAuth
|
2
|
+
|
3
|
+
class AuthenticationChecker
|
4
|
+
include HeimdallAuth::AuthenticationAdditions
|
5
|
+
|
6
|
+
def initialize(request)
|
7
|
+
@request = request
|
8
|
+
end
|
9
|
+
|
10
|
+
def request #This allowes the methods in AuthenticationAdditions to use to usually global request
|
11
|
+
@request
|
12
|
+
end
|
13
|
+
|
14
|
+
def session #This allowes the methods in AuthenticationAdditions to use to usually global request
|
15
|
+
@request.session
|
16
|
+
end
|
17
|
+
|
18
|
+
def can?(action, resource)
|
19
|
+
store_location_in_session
|
20
|
+
if current_user
|
21
|
+
if current_ability.can?(action, resource)
|
22
|
+
return true
|
23
|
+
else
|
24
|
+
session[:last_url] = request.base_url #prevent a redirection loop if users do not have enough rights. So send her to the base_url
|
25
|
+
return false
|
26
|
+
end
|
27
|
+
else
|
28
|
+
return false
|
29
|
+
end
|
30
|
+
end
|
31
|
+
end
|
32
|
+
|
33
|
+
class RouteConstraint
|
34
|
+
|
35
|
+
def initialize(action, resource)
|
36
|
+
@action = action
|
37
|
+
@resource = resource
|
38
|
+
end
|
39
|
+
|
40
|
+
def matches?(matching_request)
|
41
|
+
AuthenticationChecker.new(matching_request).can?(@action, @resource)
|
42
|
+
end
|
43
|
+
|
44
|
+
end
|
45
|
+
end
|
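Review bot: `AuthenticationChecker#can?` collapses "no user" and "user lacks the right" into a single `false`, and the caller in `routes.rb` redirects both to `/signin`; a signed-in user without the right is therefore pushed through the sign-in flow again (and, per the comment on the `session[:last_url] = request.base_url` line, dropped at the base URL) instead of receiving a 403, although the gem ships a `not_enough_rights.html.erb` template according to the metadata file list. Consider letting the fallback answer 403 when a `current_user` is present and keeping the redirect for the unauthenticated case. Every `matches?` call also performs the remote `/me.json` lookup via `current_user`, because the checker is a fresh object per request and nothing caches the result in the session; for a UI that polls, that is one auth-server round trip per poll, which a note on `matches?` should state. The two comments on `request` and `session` read "This allowes … to use to usually global request"; `# gives the mixed-in AuthenticationAdditions methods the per-request request/session they normally get from the controller` says it.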
data/lib/heimdall_auth/user.rb
CHANGED
@@ -3,7 +3,7 @@ class HeimdallAuth::User
|
|
3
3
|
extend ActiveModel::Naming
|
4
4
|
|
5
5
|
attr_accessor :is_invalid
|
6
|
-
attr_accessor :id, :name, :
|
6
|
+
attr_accessor :id, :name, :app_type, :app_environment, :app_id, :email, :is_editor, :is_operator, :is_admin, :is_user_admin, :is_police, :is_ride_on_demand_provider, :is_ride_on_demand_accounting, :raw_data
|
7
7
|
|
8
8
|
def initialize(attributes = {})
|
9
9
|
attributes.each do |name, value|
|
@@ -13,6 +13,16 @@ class HeimdallAuth::User
|
|
13
13
|
self.raw_data = attributes.to_json
|
14
14
|
end
|
15
15
|
|
16
|
+
def key_type
|
17
|
+
Rails.logger.warn("key_type is deprecated, please use app_type")
|
18
|
+
app_type
|
19
|
+
end
|
20
|
+
|
21
|
+
def key_environment
|
22
|
+
Rails.logger.warn("key_environment is deprecated, please use app_environment")
|
23
|
+
app_environment
|
24
|
+
end
|
25
|
+
|
16
26
|
def persisted?
|
17
27
|
false
|
18
28
|
end
|
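Review bot: `key_environment` is marked deprecated here, but `AuthenticationAdditions#current_environment` in this same release still calls `current_user.key_environment`, so every application using `current_environment` now logs "key_environment is deprecated" on each call without ever having used the old name; change that call to `current_user.app_environment` in the same release. The warnings also fire unconditionally at `warn` level on every call; `ActiveSupport::Deprecation` or a once-per-process guard would keep them from flooding logs. The widened `attr_accessor` list is populated from the auth server's `/me.json` payload, which a one-line comment above it should say, e.g. `# attributes mirrored from the Heimdall /me.json response`; the `initialize` body that assigns them lies between the two hunks and the class `end` is outside the hunk.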
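--- a/data/lib/heimdall_auth.rb
+++ b/data/lib/heimdall_auth.rb
@@ -6,8 +6,11 @@ require "heimdall_auth/rails/routes"
 require "heimdall_auth/user"
 require "omniauth/stategies/heimdall"
 
+require "heimdall_auth/authentication_additions"
 require "heimdall_auth/controller_additions"
 
+require "heimdall_auth/route_constraint"
+
 
 module HeimdallAuth
 # Your code goes here...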
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: heimdall_auth
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.8.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- René Meye
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2023-01-28 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rails
|
@@ -19,7 +19,7 @@ dependencies:
|
|
19
19
|
version: '5.0'
|
20
20
|
- - "<"
|
21
21
|
- !ruby/object:Gem::Version
|
22
|
-
version: '
|
22
|
+
version: '8.0'
|
23
23
|
type: :runtime
|
24
24
|
prerelease: false
|
25
25
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -29,7 +29,7 @@ dependencies:
|
|
29
29
|
version: '5.0'
|
30
30
|
- - "<"
|
31
31
|
- !ruby/object:Gem::Version
|
32
|
-
version: '
|
32
|
+
version: '8.0'
|
33
33
|
- !ruby/object:Gem::Dependency
|
34
34
|
name: omniauth
|
35
35
|
requirement: !ruby/object:Gem::Requirement
|
@@ -109,10 +109,12 @@ files:
|
|
109
109
|
- lib/generators/heimdall_auth/standard_pages/templates/invalid_user_data.html.erb
|
110
110
|
- lib/generators/heimdall_auth/standard_pages/templates/not_enough_rights.html.erb
|
111
111
|
- lib/heimdall_auth.rb
|
112
|
+
- lib/heimdall_auth/authentication_additions.rb
|
112
113
|
- lib/heimdall_auth/controller_additions.rb
|
113
114
|
- lib/heimdall_auth/engine.rb
|
114
115
|
- lib/heimdall_auth/rails/routes.rb
|
115
116
|
- lib/heimdall_auth/railtie.rb
|
117
|
+
- lib/heimdall_auth/route_constraint.rb
|
116
118
|
- lib/heimdall_auth/user.rb
|
117
119
|
- lib/heimdall_auth/version.rb
|
118
120
|
- lib/omniauth/stategies/heimdall.rb
|
@@ -137,7 +139,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
137
139
|
- !ruby/object:Gem::Version
|
138
140
|
version: '0'
|
139
141
|
requirements: []
|
140
|
-
rubygems_version: 3.
|
142
|
+
rubygems_version: 3.3.7
|
141
143
|
signing_key:
|
142
144
|
specification_version: 4
|
143
145
|
summary: Summary of HeimdallAuth.
|