heimdall_auth 1.7.0 → 1.9.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 57bca32565813f01226295da73012e3b10a4d6c1551e7e680c74ade1fc47330c
-  data.tar.gz: 4c13f4f4e6f0c67026c8f4def6351625b2ff377d580828997adf6658f054e987
+  metadata.gz: '0904885207b67efe16aefc1bd5c37a57490f412c199bdf0275a22b56a3f90b84'
+  data.tar.gz: 278819290094fa8e3ae2e7640e423c48dbdbc926343c1896ca2ac9eb84b36e37
 SHA512:
-  metadata.gz: 46a5916934411a7957c8f494bd0348083a1cc5394517d9924899eebae911450c4bfeb78a6cdbae1e85dc4fd51146d07af562f56615362ebe72e06e7da1af3a43
-  data.tar.gz: 630a7af9ae20322235561977d94f0d84900bab12edb052515a1967db5bce6aa262493a13acba131cace42790641762d1d6db603c5169d2e3e80c05712c900137
+  metadata.gz: ddb292841b5c583e820fecec2162263d8dd34fb125681bad493e80c73f00fcb242026b649d924b57a9abc5f2003b65bf918bb90c9d07816242831bc019bf0080
+  data.tar.gz: 6150a29eaab129ce489f897ab36106de8e46da278f14db29438a607bfe077f481527492d0089903b9df1e25fc0fdff52f24a87932326a326bdb3b891e4d25250

data/README.md

@@ -1,6 +1,40 @@
 # HeimdallAuth
 This makes it easy to equip an empty rails application with our Heimdall Auth features.
 
+## New Feature: Secure Sidekiq (and other mounts)
+Use it like so in `config/routes.rb`:
+```
+mount_heimdall_auth_secured Sidekiq::Web => '/sidekiq', :manage => :sidekiq
+
+or
+
+# The /sidekiq/stats path gets available for services like Datadog
+mount_heimdall_auth_secured Sidekiq::Web => '/sidekiq', :manage => :sidekiq, accessible_via_token: {'/sidekiq/stats': ENV['SIDEKIQ_STATS_TOKEN_FOR_WATCHDOG']}
+```
+instead of the known:
+```
+mount Sidekiq::Web => '/sidekiq'
+```
+
+Additionally you need to add the rights to your `app/models/ability.rb`:
+```
+if user.is_admin
+  can :manage, :sidekiq
+end
+```
+
+and the password in `.env` and `.env.example` if you used it:
+```
+SIDEKIQ_STATS_TOKEN_FOR_WATCHDOG=halloweltrandomstring
+```
+
+Options:
+- mount_heimdall_auth_secured ENGINE => PATH, ACTION => RESOURCE, accessible_via_token: {EXCEPTION_PATH: EXCEPTION_PASSWORD, EXCEPTION_PATH2: EXCEPTION_PASSWORD2}
+  - ENGINE - any mountable Engine like `Sidekiq::Web`
+  - PATH - where to mount the engine
+  - ACTION & RESOURCE - like any action and resource in cancancan
+- :accessible_via_token -> Defines paths that are available via a particular token. e.g. for Watchdog services like Datadog
+
 ## Installation and Usage
 
 Example: https://gitlab.vesputi.com/netzmap/nanna

data/app/controllers/heimdall_auth/sessions_controller.rb

@@ -8,29 +8,29 @@ class HeimdallAuth::SessionsController < ApplicationController
     if user_token
       do_a_signin_precall(user_token, heimdall_auth_url)
     else
-      redirect_to heimdall_auth_url
+      redirect_to heimdall_auth_url, allow_other_host: true
     end
   end
 
   def create
     auth = request.env["omniauth.auth"]
     session[:access_token] = auth.credentials.token
-    redirect_to session[:last_url] || root_url
+    redirect_to( session[:last_url] || request.base_url, allow_other_host: true)
   end
 
   def destroy
     last_url = session[:last_url]
     reset_session
-    redirect_to "#{ENV['HEIMDALL_SERVER_URL']}/signout?redirect_to=#{last_url || passenger_url}", :notice => 'Signed out!'
+    redirect_to("#{ENV['HEIMDALL_SERVER_URL']}/signout?redirect_to=#{last_url || request.base_url}", :notice => 'Signed out!', allow_other_host: true)
   end
 
   def failure
-    redirect_to root_url, :alert => "Authentication error: #{params[:message].humanize}"
+    redirect_to request.base_url, :alert => "Authentication error: #{params[:message].humanize}", allow_other_host: true
   end
 
   private
   def do_a_signin_precall(user_token, heimdall_auth_url)
-    redirect_to "#{ENV['HEIMDALL_SERVER_URL']}/?user_token=#{user_token}&redirect_to=#{heimdall_auth_url}"
+    redirect_to "#{ENV['HEIMDALL_SERVER_URL']}/?user_token=#{user_token}&redirect_to=#{heimdall_auth_url}", allow_other_host: true
   end
 
 end

data/lib/heimdall_auth/authentication_additions.rb

@@ -0,0 +1,48 @@
+module HeimdallAuth
+  module AuthenticationAdditions
+    def current_ability
+      @current_ability ||= Ability.new(current_user)
+    end
+
+    def store_location_in_session
+      session[:last_url] = request.url if storable_location?
+      ::Rails.logger.info("\033[32m session[:last_url] = #{session[:last_url]} \033[0m")
+    end
+
+    def storable_location?
+      request.get? && request.format.try(:ref) == :html && !is_a?(SessionsController) && !request.xhr?
+    end
+
+    def current_access_token
+      request.session[:access_token] || params[:access_token] || request.headers['HeimdallAccessToken']
+    end
+
+    def current_user
+      begin
+        @current_user ||= get_user_from_auth_server(current_access_token)
+      rescue NoMethodError => e
+        User.new(is_invalid: true)
+      rescue Exception => e
+        nil
+      end
+    end
+
+    def current_environment
+      begin
+        @current_environment ||= current_user.key_environment || params[:environment]
+      rescue NoMethodError, Exception => e
+        nil
+      end
+    end
+
+    def get_user_from_auth_server(access_token)
+      client = OAuth2::Client.new(ENV['HEIMDALL_APPLICATION_ID'], ENV['HEIMDALL_APPLICATION_SECRET'], :site => ENV['HEIMDALL_SERVER_URL'])
+      user_data = OAuth2::AccessToken.new(client,access_token).get('/me.json').parsed
+      User.new(user_data)
+    end
+
+    def user_signed_in?
+      return true if current_user
+    end
+  end
+end

data/lib/heimdall_auth/controller_additions.rb

@@ -1,10 +1,12 @@
 # frozen_string_literal: true
 require "cancancan"
+require "heimdall_auth/authentication_additions"
 
 module HeimdallAuth
   # This module is automatically included into all controllers.
   # It adds methods like current_user but also handles auth-failure redirections
   module ControllerAdditions
+    include HeimdallAuth::AuthenticationAdditions
 
     def self.included(base)
       base.helper_method :current_user, :current_access_token, :current_environment, :user_signed_in? if base.respond_to? :helper_method
@@ -28,52 +30,6 @@ module HeimdallAuth
       end
 
     end
-
-    def current_ability
-      @current_ability ||= Ability.new(current_user)
-    end
-
-    def store_location_in_session
-      session[:last_url] = request.url if storable_location?
-      ::Rails.logger.info("\033[32m session[:last_url] = #{session[:last_url]} \033[0m")
-    end
-
-    def storable_location?
-      request.get? && request.format.try(:ref) == :html && !is_a?(SessionsController) && !request.xhr?
-    end
-
-
-    def current_access_token
-      session[:access_token] || params[:access_token] || request.headers['HeimdallAccessToken']
-    end
-
-    def current_user
-      begin
-        @current_user ||= get_user_from_auth_server(current_access_token)
-      rescue NoMethodError => e
-        User.new(is_invalid: true)
-      rescue Exception => e
-        nil
-      end
-    end
-
-    def current_environment
-      begin
-        @current_environment ||= current_user.key_environment || params[:environment]
-      rescue NoMethodError, Exception => e
-        nil
-      end
-    end
-
-    def get_user_from_auth_server(access_token)
-      client = OAuth2::Client.new(ENV['HEIMDALL_APPLICATION_ID'], ENV['HEIMDALL_APPLICATION_SECRET'], :site => ENV['HEIMDALL_SERVER_URL'])
-      user_data = OAuth2::AccessToken.new(client,access_token).get('/me.json').parsed
-      User.new(user_data)
-    end
-
-    def user_signed_in?
-      return true if current_user
-    end
   end
 end
 

data/lib/heimdall_auth/rails/routes.rb

@@ -9,6 +9,25 @@ module HeimdallAuth
           get '/signin' => 'heimdall_auth/sessions#new', :as => :new_user_session
           get '/signout' => 'heimdall_auth/sessions#destroy', :as => :destroy_user_session
         end
+
+
+        def mount_heimdall_auth_secured(options = {}, &block)
+          accessible_via_token = options.extract!(:accessible_via_token)[:accessible_via_token]
+
+          engine = options.keys.first #Syntax sugar ENGINE => PATH, ACTION => RESOURCE
+          path = options.values.first #Syntax sugar ENGINE => PATH, ACTION => RESOURCE
+
+          action = options.keys.second #Syntax sugar ENGINE => PATH, ACTION => RESOURCE
+          resource = options.values.second #Syntax sugar ENGINE => PATH, ACTION => RESOURCE
+
+          if action.nil? || resource.nil?
+            puts "WARNING: It seems you missed the cancancan rights. Use: `mount_heimdall_auth_secured Sidekiq::Web => '/sidekiq', :manage => :sidekiq`"
+          end
+
+          mount engine => path, constraints: HeimdallAuth::RouteConstraint.new(action, resource, accessible_via_token)
+           get "#{path}", to: redirect('/signin')
+           get "#{path}/*rest", to: redirect('/signin')
+        end
       end
 
       def self.install!

data/lib/heimdall_auth/route_constraint.rb

@@ -0,0 +1,57 @@
+module HeimdallAuth
+
+  class AuthenticationChecker
+    include HeimdallAuth::AuthenticationAdditions
+
+    def initialize(request)
+      @request = request
+    end
+
+    def request #This allowes the methods in AuthenticationAdditions to use to usually global request
+      @request
+    end
+
+    def session #This allowes the methods in AuthenticationAdditions to use to usually global request
+      @request.session
+    end
+
+    def can?(action, resource)
+      store_location_in_session
+      if current_user
+        if current_ability.can?(action, resource)
+          return true
+        else
+          session[:last_url] = request.base_url #prevent a redirection loop if users do not have enough rights. So send her to the base_url
+          return false
+        end
+      else
+        return false
+      end
+    end
+  end
+
+  class RouteConstraint
+
+    def initialize(action, resource, accessible_via_token)
+      @action = action
+      @resource = resource
+      @accessible_via_token = accessible_via_token
+    end
+
+    def matches?(matching_request)
+      if @accessible_via_token && matching_request.query_parameters["token"]
+        @accessible_via_token.keys.each do |path|
+          if path.to_s == matching_request.path.to_s
+            expected_token = @accessible_via_token[path]
+            if expected_token && ActiveSupport::SecurityUtils.secure_compare(matching_request.query_parameters["token"], expected_token)
+              return true
+            end
+          end
+        end
+      end
+
+      AuthenticationChecker.new(matching_request).can?(@action, @resource)
+    end
+
+  end
+end

data/lib/heimdall_auth/version.rb

@@ -1,3 +1,3 @@
 module HeimdallAuth
-  VERSION = '1.7.0'
+  VERSION = '1.9.0'
 end

data/lib/heimdall_auth.rb

@@ -6,8 +6,11 @@ require "heimdall_auth/rails/routes"
 require "heimdall_auth/user"
 require "omniauth/stategies/heimdall"
 
+require "heimdall_auth/authentication_additions"
 require "heimdall_auth/controller_additions"
 
+require "heimdall_auth/route_constraint"
+
 
 module HeimdallAuth
   # Your code goes here...

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: heimdall_auth
 version: !ruby/object:Gem::Version
-  version: 1.7.0
+  version: 1.9.0
 platform: ruby
 authors:
 - René Meye
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-13 00:00:00.000000000 Z
+date: 2023-02-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -19,7 +19,7 @@ dependencies:
         version: '5.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '7.0'
+        version: '8.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: '5.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '7.0'
+        version: '8.0'
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
@@ -109,10 +109,12 @@ files:
 - lib/generators/heimdall_auth/standard_pages/templates/invalid_user_data.html.erb
 - lib/generators/heimdall_auth/standard_pages/templates/not_enough_rights.html.erb
 - lib/heimdall_auth.rb
+- lib/heimdall_auth/authentication_additions.rb
 - lib/heimdall_auth/controller_additions.rb
 - lib/heimdall_auth/engine.rb
 - lib/heimdall_auth/rails/routes.rb
 - lib/heimdall_auth/railtie.rb
+- lib/heimdall_auth/route_constraint.rb
 - lib/heimdall_auth/user.rb
 - lib/heimdall_auth/version.rb
 - lib/omniauth/stategies/heimdall.rb