heimdall_auth 1.7.0 → 1.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +23 -0
- data/app/controllers/heimdall_auth/sessions_controller.rb +5 -5
- data/lib/heimdall_auth/authentication_additions.rb +48 -0
- data/lib/heimdall_auth/controller_additions.rb +2 -46
- data/lib/heimdall_auth/rails/routes.rb +16 -0
- data/lib/heimdall_auth/route_constraint.rb +45 -0
- data/lib/heimdall_auth/version.rb +1 -1
- data/lib/heimdall_auth.rb +3 -0
- metadata +6 -4
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 62917a5dfbec560e91964ae280d362973e51c3fd7aec9fa39012fcba2053fb96
|
4
|
+
data.tar.gz: d902146d018ba779759c7bef16e7807266d1960a49127961d587a791f131ee41
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: b47b0dfd4f6db45ab8a1d5a34626e1529dcba2811901c36e3ba9a1534e5a814b7c163a4ed433198c66462575feb2eadbd60792ac604f53703381c88cf0282cbc
|
7
|
+
data.tar.gz: 97c6c1a896670c6e224725d848e30340cf30baeecca65a24d7f12275d8040ad1ebdd1bc75156295eda8b94c847901a34802e0542145a2a02a75fdc09a38de91a
|
data/README.md
CHANGED
@@ -1,6 +1,29 @@
|
|
1
1
|
# HeimdallAuth
|
2
2
|
This makes it easy to equip an empty rails application with our Heimdall Auth features.
|
3
3
|
|
4
|
+
## New Feature: Secure Sidekiq (and other mounts)
|
5
|
+
Use it like so in `config/routes.rb`:
|
6
|
+
```
|
7
|
+
mount_heimdall_auth_secured Sidekiq::Web => '/sidekiq', :manage => :sidekiq
|
8
|
+
```
|
9
|
+
instead of the known:
|
10
|
+
```
|
11
|
+
mount Sidekiq::Web => '/sidekiq'
|
12
|
+
```
|
13
|
+
|
14
|
+
Additionally you need to add the rights to your `app/models/ability.rb`:
|
15
|
+
```
|
16
|
+
if user.is_admin
|
17
|
+
can :manage, :sidekiq
|
18
|
+
end
|
19
|
+
```
|
20
|
+
|
21
|
+
Options:
|
22
|
+
- mount_heimdall_auth_secured ENGINE => PATH, ACTION => RESOURCE
|
23
|
+
- ENGINE - any mountable Engine like `Sidekiq::Web`
|
24
|
+
- PATH - where to mount the engine
|
25
|
+
- ACTION & RESOURCE - like any action and resource in cancancan
|
26
|
+
|
4
27
|
## Installation and Usage
|
5
28
|
|
6
29
|
Example: https://gitlab.vesputi.com/netzmap/nanna
|
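--- a/data/app/controllers/heimdall_auth/sessions_controller.rb
+++ b/data/app/controllers/heimdall_auth/sessions_controller.rb
@@ -8,29 +8,29 @@ class HeimdallAuth::SessionsController < ApplicationController
 if user_token
 do_a_signin_precall(user_token, heimdall_auth_url)
 else
-redirect_to heimdall_auth_url
+redirect_to heimdall_auth_url, allow_other_host: true
 end
 end
 
 def create
 auth = request.env["omniauth.auth"]
 session[:access_token] = auth.credentials.token
-redirect_to session[:last_url] ||
+redirect_to( session[:last_url] || request.base_url, allow_other_host: true)
 end
 
 def destroy
 last_url = session[:last_url]
 reset_session
-redirect_to
+redirect_to("#{ENV['HEIMDALL_SERVER_URL']}/signout?redirect_to=#{last_url || request.base_url}", :notice => 'Signed out!', allow_other_host: true)
 end
 
 def failure
-redirect_to
+redirect_to request.base_url, :alert => "Authentication error: #{params[:message].humanize}", allow_other_host: true
 end
 
 private
 def do_a_signin_precall(user_token, heimdall_auth_url)
-redirect_to "#{ENV['HEIMDALL_SERVER_URL']}/?user_token=#{user_token}&redirect_to=#{heimdall_auth_url}"
+redirect_to "#{ENV['HEIMDALL_SERVER_URL']}/?user_token=#{user_token}&redirect_to=#{heimdall_auth_url}", allow_other_host: true
 end
 
 end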
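Review bot: `allow_other_host: true` is now on every redirect, but `create` (line 18) and `failure` (line 28) only target `session[:last_url]` or `request.base_url`, which as far as the other hunks show are set from `request.url` / `request.base_url` and therefore same-host; keeping the flag there widens what a tampered session value can reach, so drop it where the target is local: `redirect_to(session[:last_url] || request.base_url)`. In `destroy` (line 24) and `do_a_signin_precall` (line 33) the query values are interpolated raw, so a `last_url` containing `&` or `#` is mangled and the token is not escaped; build the query with `URI.encode_www_form(redirect_to: last_url || request.base_url)` and the same for `user_token`/`redirect_to`. `params[:message].humanize` in `failure` raises NoMethodError when the param is absent; `params[:message].to_s.humanize` keeps the redirect working. The hunk starts inside `new`, whose head lies above it.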
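--- a/data/lib/heimdall_auth/authentication_additions.rb
+++ b/data/lib/heimdall_auth/authentication_additions.rb
@@ -0,0 +1,48 @@
+module HeimdallAuth
+module AuthenticationAdditions
+def current_ability
+@current_ability ||= Ability.new(current_user)
+end
+
+def store_location_in_session
+session[:last_url] = request.url if storable_location?
+::Rails.logger.info("\033[32m session[:last_url] = #{session[:last_url]} \033[0m")
+end
+
+def storable_location?
+request.get? && request.format.try(:ref) == :html && !is_a?(SessionsController) && !request.xhr?
+end
+
+def current_access_token
+request.session[:access_token] || params[:access_token] || request.headers['HeimdallAccessToken']
+end
+
+def current_user
+begin
+@current_user ||= get_user_from_auth_server(current_access_token)
+rescue NoMethodError => e
+User.new(is_invalid: true)
+rescue Exception => e
+nil
+end
+end
+
+def current_environment
+begin
+@current_environment ||= current_user.key_environment || params[:environment]
+rescue NoMethodError, Exception => e
+nil
+end
+end
+
+def get_user_from_auth_server(access_token)
+client = OAuth2::Client.new(ENV['HEIMDALL_APPLICATION_ID'], ENV['HEIMDALL_APPLICATION_SECRET'], :site => ENV['HEIMDALL_SERVER_URL'])
+user_data = OAuth2::AccessToken.new(client,access_token).get('/me.json').parsed
+User.new(user_data)
+end
+
+def user_signed_in?
+return true if current_user
+end
+end
+end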
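Review bot: `rescue Exception => e` on line 25 of `current_user` (and the `NoMethodError, Exception` pair on line 33) swallows everything including `SystemExit` and `NoMemoryError`, and `e` is never logged, so an auth-server outage, a misconfigured `HEIMDALL_*` variable and a genuine bug all collapse into "not signed in" with no trace. Using `NoMethodError` as the signal for an invalid token (line 23) also turns any programming error in the call chain into a truthy `User.new(is_invalid: true)`. Narrow it to `rescue StandardError => e` and log before returning nil, e.g. `::Rails.logger.warn("heimdall_auth: #{e.class}: #{e.message}")`. The module has no comment stating which methods the including object must provide (`request`, `session`, `params`, and `is_a?` against `SessionsController`); a header comment listing that contract would help anyone mixing it into a non-controller.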
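--- a/data/lib/heimdall_auth/controller_additions.rb
+++ b/data/lib/heimdall_auth/controller_additions.rb
@@ -1,10 +1,12 @@
 # frozen_string_literal: true
 require "cancancan"
+require "heimdall_auth/authentication_additions"
 
 module HeimdallAuth
 # This module is automatically included into all controllers.
 # It adds methods like current_user but also handles auth-failure redirections
 module ControllerAdditions
+include HeimdallAuth::AuthenticationAdditions
 
 def self.included(base)
 base.helper_method :current_user, :current_access_token, :current_environment, :user_signed_in? if base.respond_to? :helper_method
@@ -28,52 +30,6 @@ module HeimdallAuth
 end
 
 end
-
-def current_ability
-@current_ability ||= Ability.new(current_user)
-end
-
-def store_location_in_session
-session[:last_url] = request.url if storable_location?
-::Rails.logger.info("\033[32m session[:last_url] = #{session[:last_url]} \033[0m")
-end
-
-def storable_location?
-request.get? && request.format.try(:ref) == :html && !is_a?(SessionsController) && !request.xhr?
-end
-
-
-def current_access_token
-session[:access_token] || params[:access_token] || request.headers['HeimdallAccessToken']
-end
-
-def current_user
-begin
-@current_user ||= get_user_from_auth_server(current_access_token)
-rescue NoMethodError => e
-User.new(is_invalid: true)
-rescue Exception => e
-nil
-end
-end
-
-def current_environment
-begin
-@current_environment ||= current_user.key_environment || params[:environment]
-rescue NoMethodError, Exception => e
-nil
-end
-end
-
-def get_user_from_auth_server(access_token)
-client = OAuth2::Client.new(ENV['HEIMDALL_APPLICATION_ID'], ENV['HEIMDALL_APPLICATION_SECRET'], :site => ENV['HEIMDALL_SERVER_URL'])
-user_data = OAuth2::AccessToken.new(client,access_token).get('/me.json').parsed
-User.new(user_data)
-end
-
-def user_signed_in?
-return true if current_user
-end
 end
 end
 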
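Review bot: The module comment at lines 6-7 still says this module "adds methods like current_user", but the second hunk moves those methods out to `HeimdallAuth::AuthenticationAdditions` and this file now only includes it and registers the helper methods. Update it to `# Authentication helpers (current_user, current_access_token, current_environment, user_signed_in?) come from HeimdallAuth::AuthenticationAdditions; this module exposes them to views and handles auth-failure redirections.` One subtle change in the move: `current_access_token` now reads `request.session[:access_token]` instead of `session[:access_token]`, which is equivalent inside a controller but is what allows the new route constraint to reuse it, so it deserves a line in the changelog. The body of `self.included` and the remaining methods lie between the two hunks.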
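--- a/data/lib/heimdall_auth/rails/routes.rb
+++ b/data/lib/heimdall_auth/rails/routes.rb
@@ -9,6 +9,22 @@ module HeimdallAuth
 get '/signin' => 'heimdall_auth/sessions#new', :as => :new_user_session
 get '/signout' => 'heimdall_auth/sessions#destroy', :as => :destroy_user_session
 end
+
+
+def mount_heimdall_auth_secured(options = {}, &block)
+mount_element = options.keys.first
+path = options[mount_element]
+
+action = options.keys.second
+resource = options.values.second
+if action.nil? || resource.nil?
+puts "WARNING: It seems you missed the cancancan rights. Use: `mount_heimdall_auth_secured Sidekiq::Web => '/sidekiq', :manage => :sidekiq`"
+end
+
+mount mount_element => path, constraints: HeimdallAuth::RouteConstraint.new(action, resource)
+get "#{path}", to: redirect('/signin')
+get "#{path}/*rest", to: redirect('/signin')
+end
 end
 
 def self.install!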
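Review bot: When `action` or `resource` is missing (line 20), the helper only `puts` a warning and still mounts the engine with `HeimdallAuth::RouteConstraint.new(nil, nil)`, so a typo in `config/routes.rb` leaves a route whose protection depends on how the host app's `Ability#can?` treats a nil action, and the warning goes to stdout rather than the Rails log. Fail at boot instead: `raise ArgumentError, "mount_heimdall_auth_secured needs ACTION => RESOURCE, e.g. Sidekiq::Web => '/sidekiq', :manage => :sidekiq"`. The `&block` parameter is never used, and the option pairs are read by hash insertion order (`keys.second`, `values.second`); a comment on line 14 stating that the first pair is the mount and the second the cancancan rule would help callers. `mount_heimdall_auth_secured` closes inside the hunk; the enclosing module continues past it.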
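--- a/data/lib/heimdall_auth/route_constraint.rb
+++ b/data/lib/heimdall_auth/route_constraint.rb
@@ -0,0 +1,45 @@
+module HeimdallAuth
+
+class AuthenticationChecker
+include HeimdallAuth::AuthenticationAdditions
+
+def initialize(request)
+@request = request
+end
+
+def request #This allowes the methods in AuthenticationAdditions to use to usually global request
+@request
+end
+
+def session #This allowes the methods in AuthenticationAdditions to use to usually global request
+@request.session
+end
+
+def can?(action, resource)
+store_location_in_session
+if current_user
+if current_ability.can?(action, resource)
+return true
+else
+session[:last_url] = request.base_url #prevent a redirection loop if users do not have enough rights. So send her to the base_url
+return false
+end
+else
+return false
+end
+end
+end
+
+class RouteConstraint
+
+def initialize(action, resource)
+@action = action
+@resource = resource
+end
+
+def matches?(matching_request)
+AuthenticationChecker.new(matching_request).can?(@action, @resource)
+end
+
+end
+end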
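Review bot: `AuthenticationChecker` provides `request` and `session` for the mixed-in `AuthenticationAdditions`, but not `params`, which `current_access_token` (and `current_environment`) in the other new file call as a fallback; for a request with no session token that `NoMethodError` is rescued inside `current_user` and yields `User.new(is_invalid: true)`, which is truthy, so `can?` (line 20) goes on to `current_ability.can?` with a placeholder user instead of returning false. Whether that grants anything depends on the host app's `Ability`, but the constraint should not lean on it: add `def params; @request.params; end` next to `session` (line 14) so the lookup behaves as it does in controllers (or drop the query-string fallback for mounted engines if it is not wanted there), and reject the invalid-user case explicitly if `User` exposes that flag. `store_location_in_session` (line 19) also runs on every constraint evaluation, including failing ones, so each attempt rewrites `session[:last_url]` before line 24 overrides it. The comments on lines 10 and 14 read "allowes … to use to usually global request"; `# Lets the AuthenticationAdditions methods reach the request outside a controller` (and the same wording for the session) would be clearer.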
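--- a/data/lib/heimdall_auth.rb
+++ b/data/lib/heimdall_auth.rb
@@ -6,8 +6,11 @@ require "heimdall_auth/rails/routes"
 require "heimdall_auth/user"
 require "omniauth/stategies/heimdall"
 
+require "heimdall_auth/authentication_additions"
 require "heimdall_auth/controller_additions"
 
+require "heimdall_auth/route_constraint"
+
 
 module HeimdallAuth
 # Your code goes here...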
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: heimdall_auth
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 1.
|
4
|
+
version: 1.8.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- René Meye
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date: 2023-01-
|
11
|
+
date: 2023-01-28 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: rails
|
@@ -19,7 +19,7 @@ dependencies:
|
|
19
19
|
version: '5.0'
|
20
20
|
- - "<"
|
21
21
|
- !ruby/object:Gem::Version
|
22
|
-
version: '
|
22
|
+
version: '8.0'
|
23
23
|
type: :runtime
|
24
24
|
prerelease: false
|
25
25
|
version_requirements: !ruby/object:Gem::Requirement
|
@@ -29,7 +29,7 @@ dependencies:
|
|
29
29
|
version: '5.0'
|
30
30
|
- - "<"
|
31
31
|
- !ruby/object:Gem::Version
|
32
|
-
version: '
|
32
|
+
version: '8.0'
|
33
33
|
- !ruby/object:Gem::Dependency
|
34
34
|
name: omniauth
|
35
35
|
requirement: !ruby/object:Gem::Requirement
|
@@ -109,10 +109,12 @@ files:
|
|
109
109
|
- lib/generators/heimdall_auth/standard_pages/templates/invalid_user_data.html.erb
|
110
110
|
- lib/generators/heimdall_auth/standard_pages/templates/not_enough_rights.html.erb
|
111
111
|
- lib/heimdall_auth.rb
|
112
|
+
- lib/heimdall_auth/authentication_additions.rb
|
112
113
|
- lib/heimdall_auth/controller_additions.rb
|
113
114
|
- lib/heimdall_auth/engine.rb
|
114
115
|
- lib/heimdall_auth/rails/routes.rb
|
115
116
|
- lib/heimdall_auth/railtie.rb
|
117
|
+
- lib/heimdall_auth/route_constraint.rb
|
116
118
|
- lib/heimdall_auth/user.rb
|
117
119
|
- lib/heimdall_auth/version.rb
|
118
120
|
- lib/omniauth/stategies/heimdall.rb
|