RubyGems - heimdall_auth - Versions diffs - 1.7.0 → 1.9.0 - Mend

heimdall_auth 1.7.0 → 1.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/README.md +34 -0
data/app/controllers/heimdall_auth/sessions_controller.rb +5 -5
data/lib/heimdall_auth/authentication_additions.rb +48 -0
data/lib/heimdall_auth/controller_additions.rb +2 -46
data/lib/heimdall_auth/rails/routes.rb +19 -0
data/lib/heimdall_auth/route_constraint.rb +57 -0
data/lib/heimdall_auth/version.rb +1 -1
data/lib/heimdall_auth.rb +3 -0
metadata +6 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 57bca32565813f01226295da73012e3b10a4d6c1551e7e680c74ade1fc47330c
-  data.tar.gz: 4c13f4f4e6f0c67026c8f4def6351625b2ff377d580828997adf6658f054e987
+  metadata.gz: '0904885207b67efe16aefc1bd5c37a57490f412c199bdf0275a22b56a3f90b84'
+  data.tar.gz: 278819290094fa8e3ae2e7640e423c48dbdbc926343c1896ca2ac9eb84b36e37
 SHA512:
-  metadata.gz: 46a5916934411a7957c8f494bd0348083a1cc5394517d9924899eebae911450c4bfeb78a6cdbae1e85dc4fd51146d07af562f56615362ebe72e06e7da1af3a43
-  data.tar.gz: 630a7af9ae20322235561977d94f0d84900bab12edb052515a1967db5bce6aa262493a13acba131cace42790641762d1d6db603c5169d2e3e80c05712c900137
+  metadata.gz: ddb292841b5c583e820fecec2162263d8dd34fb125681bad493e80c73f00fcb242026b649d924b57a9abc5f2003b65bf918bb90c9d07816242831bc019bf0080
+  data.tar.gz: 6150a29eaab129ce489f897ab36106de8e46da278f14db29438a607bfe077f481527492d0089903b9df1e25fc0fdff52f24a87932326a326bdb3b891e4d25250

data/README.md CHANGED Viewed

@@ -1,6 +1,40 @@
 # HeimdallAuth
 This makes it easy to equip an empty rails application with our Heimdall Auth features.
+## New Feature: Secure Sidekiq (and other mounts)
+Use it like so in `config/routes.rb`:
+```
+mount_heimdall_auth_secured Sidekiq::Web => '/sidekiq', :manage => :sidekiq
+or
+# The /sidekiq/stats path gets available for services like Datadog
+mount_heimdall_auth_secured Sidekiq::Web => '/sidekiq', :manage => :sidekiq, accessible_via_token: {'/sidekiq/stats': ENV['SIDEKIQ_STATS_TOKEN_FOR_WATCHDOG']}
+```
+instead of the known:
+```
+mount Sidekiq::Web => '/sidekiq'
+```
+Additionally you need to add the rights to your `app/models/ability.rb`:
+```
+if user.is_admin
+  can :manage, :sidekiq
+end
+```
+and the password in `.env` and `.env.example` if you used it:
+```
+SIDEKIQ_STATS_TOKEN_FOR_WATCHDOG=halloweltrandomstring
+```
+Options:
+- mount_heimdall_auth_secured ENGINE => PATH, ACTION => RESOURCE, accessible_via_token: {EXCEPTION_PATH: EXCEPTION_PASSWORD, EXCEPTION_PATH2: EXCEPTION_PASSWORD2}
+  - ENGINE - any mountable Engine like `Sidekiq::Web`
+  - PATH - where to mount the engine
+  - ACTION & RESOURCE - like any action and resource in cancancan
+- :accessible_via_token -> Defines paths that are available via a particular token. e.g. for Watchdog services like Datadog
 ## Installation and Usage
 Example: https://gitlab.vesputi.com/netzmap/nanna

data/app/controllers/heimdall_auth/sessions_controller.rb CHANGED Viewed

@@ -8,29 +8,29 @@ class HeimdallAuth::SessionsController < ApplicationController
     if user_token
       do_a_signin_precall(user_token, heimdall_auth_url)
     else
-      redirect_to heimdall_auth_url
+      redirect_to heimdall_auth_url, allow_other_host: true
     end
   end
   def create
     auth = request.env["omniauth.auth"]
     session[:access_token] = auth.credentials.token
-    redirect_to session[:last_url] || root_url
+    redirect_to( session[:last_url] || request.base_url, allow_other_host: true)
   end
   def destroy
     last_url = session[:last_url]
     reset_session
-    redirect_to "#{ENV['HEIMDALL_SERVER_URL']}/signout?redirect_to=#{last_url || passenger_url}", :notice => 'Signed out!'
+    redirect_to("#{ENV['HEIMDALL_SERVER_URL']}/signout?redirect_to=#{last_url || request.base_url}", :notice => 'Signed out!', allow_other_host: true)
   end
   def failure
-    redirect_to root_url, :alert => "Authentication error: #{params[:message].humanize}"
+    redirect_to request.base_url, :alert => "Authentication error: #{params[:message].humanize}", allow_other_host: true
   end
   private
   def do_a_signin_precall(user_token, heimdall_auth_url)
-    redirect_to "#{ENV['HEIMDALL_SERVER_URL']}/?user_token=#{user_token}&redirect_to=#{heimdall_auth_url}"
+    redirect_to "#{ENV['HEIMDALL_SERVER_URL']}/?user_token=#{user_token}&redirect_to=#{heimdall_auth_url}", allow_other_host: true
   end
 end

data/lib/heimdall_auth/authentication_additions.rb ADDED Viewed

@@ -0,0 +1,48 @@
+module HeimdallAuth
+  module AuthenticationAdditions
+    def current_ability
+      @current_ability ||= Ability.new(current_user)
+    end
+    def store_location_in_session
+      session[:last_url] = request.url if storable_location?
+      ::Rails.logger.info("\033[32m session[:last_url] = #{session[:last_url]} \033[0m")
+    end
+    def storable_location?
+      request.get? && request.format.try(:ref) == :html && !is_a?(SessionsController) && !request.xhr?
+    end
+    def current_access_token
+      request.session[:access_token] || params[:access_token] || request.headers['HeimdallAccessToken']
+    end
+    def current_user
+      begin
+        @current_user ||= get_user_from_auth_server(current_access_token)
+      rescue NoMethodError => e
+        User.new(is_invalid: true)
+      rescue Exception => e
+        nil
+      end
+    end
+    def current_environment
+      begin
+        @current_environment ||= current_user.key_environment || params[:environment]
+      rescue NoMethodError, Exception => e
+        nil
+      end
+    end
+    def get_user_from_auth_server(access_token)
+      client = OAuth2::Client.new(ENV['HEIMDALL_APPLICATION_ID'], ENV['HEIMDALL_APPLICATION_SECRET'], :site => ENV['HEIMDALL_SERVER_URL'])
+      user_data = OAuth2::AccessToken.new(client,access_token).get('/me.json').parsed
+      User.new(user_data)
+    end
+    def user_signed_in?
+      return true if current_user
+    end
+  end
+end

data/lib/heimdall_auth/controller_additions.rb CHANGED Viewed

@@ -1,10 +1,12 @@
 # frozen_string_literal: true
 require "cancancan"
+require "heimdall_auth/authentication_additions"
 module HeimdallAuth
   # This module is automatically included into all controllers.
   # It adds methods like current_user but also handles auth-failure redirections
   module ControllerAdditions
+    include HeimdallAuth::AuthenticationAdditions
     def self.included(base)
       base.helper_method :current_user, :current_access_token, :current_environment, :user_signed_in? if base.respond_to? :helper_method
@@ -28,52 +30,6 @@ module HeimdallAuth
       end
     end
-    def current_ability
-      @current_ability ||= Ability.new(current_user)
-    end
-    def store_location_in_session
-      session[:last_url] = request.url if storable_location?
-      ::Rails.logger.info("\033[32m session[:last_url] = #{session[:last_url]} \033[0m")
-    end
-    def storable_location?
-      request.get? && request.format.try(:ref) == :html && !is_a?(SessionsController) && !request.xhr?
-    end
-    def current_access_token
-      session[:access_token] || params[:access_token] || request.headers['HeimdallAccessToken']
-    end
-    def current_user
-      begin
-        @current_user ||= get_user_from_auth_server(current_access_token)
-      rescue NoMethodError => e
-        User.new(is_invalid: true)
-      rescue Exception => e
-        nil
-      end
-    end
-    def current_environment
-      begin
-        @current_environment ||= current_user.key_environment || params[:environment]
-      rescue NoMethodError, Exception => e
-        nil
-      end
-    end
-    def get_user_from_auth_server(access_token)
-      client = OAuth2::Client.new(ENV['HEIMDALL_APPLICATION_ID'], ENV['HEIMDALL_APPLICATION_SECRET'], :site => ENV['HEIMDALL_SERVER_URL'])
-      user_data = OAuth2::AccessToken.new(client,access_token).get('/me.json').parsed
-      User.new(user_data)
-    end
-    def user_signed_in?
-      return true if current_user
-    end
   end
 end

data/lib/heimdall_auth/rails/routes.rb CHANGED Viewed

@@ -9,6 +9,25 @@ module HeimdallAuth
           get '/signin' => 'heimdall_auth/sessions#new', :as => :new_user_session
           get '/signout' => 'heimdall_auth/sessions#destroy', :as => :destroy_user_session
         end
+        def mount_heimdall_auth_secured(options = {}, &block)
+          accessible_via_token = options.extract!(:accessible_via_token)[:accessible_via_token]
+          engine = options.keys.first #Syntax sugar ENGINE => PATH, ACTION => RESOURCE
+          path = options.values.first #Syntax sugar ENGINE => PATH, ACTION => RESOURCE
+          action = options.keys.second #Syntax sugar ENGINE => PATH, ACTION => RESOURCE
+          resource = options.values.second #Syntax sugar ENGINE => PATH, ACTION => RESOURCE
+          if action.nil? || resource.nil?
+            puts "WARNING: It seems you missed the cancancan rights. Use: `mount_heimdall_auth_secured Sidekiq::Web => '/sidekiq', :manage => :sidekiq`"
+          end
+          mount engine => path, constraints: HeimdallAuth::RouteConstraint.new(action, resource, accessible_via_token)
+           get "#{path}", to: redirect('/signin')
+           get "#{path}/*rest", to: redirect('/signin')
+        end
       end
       def self.install!

data/lib/heimdall_auth/route_constraint.rb ADDED Viewed

@@ -0,0 +1,57 @@
+module HeimdallAuth
+  class AuthenticationChecker
+    include HeimdallAuth::AuthenticationAdditions
+    def initialize(request)
+      @request = request
+    end
+    def request #This allowes the methods in AuthenticationAdditions to use to usually global request
+      @request
+    end
+    def session #This allowes the methods in AuthenticationAdditions to use to usually global request
+      @request.session
+    end
+    def can?(action, resource)
+      store_location_in_session
+      if current_user
+        if current_ability.can?(action, resource)
+          return true
+        else
+          session[:last_url] = request.base_url #prevent a redirection loop if users do not have enough rights. So send her to the base_url
+          return false
+        end
+      else
+        return false
+      end
+    end
+  end
+  class RouteConstraint
+    def initialize(action, resource, accessible_via_token)
+      @action = action
+      @resource = resource
+      @accessible_via_token = accessible_via_token
+    end
+    def matches?(matching_request)
+      if @accessible_via_token && matching_request.query_parameters["token"]
+        @accessible_via_token.keys.each do |path|
+          if path.to_s == matching_request.path.to_s
+            expected_token = @accessible_via_token[path]
+            if expected_token && ActiveSupport::SecurityUtils.secure_compare(matching_request.query_parameters["token"], expected_token)
+              return true
+            end
+          end
+        end
+      end
+      AuthenticationChecker.new(matching_request).can?(@action, @resource)
+    end
+  end
+end

data/lib/heimdall_auth/version.rb CHANGED Viewed

@@ -1,3 +1,3 @@
 module HeimdallAuth
-  VERSION = '1.7.0'
+  VERSION = '1.9.0'
 end

data/lib/heimdall_auth.rb CHANGED Viewed

@@ -6,8 +6,11 @@ require "heimdall_auth/rails/routes"
 require "heimdall_auth/user"
 require "omniauth/stategies/heimdall"
+require "heimdall_auth/authentication_additions"
 require "heimdall_auth/controller_additions"
+require "heimdall_auth/route_constraint"
 module HeimdallAuth
   # Your code goes here...

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: heimdall_auth
 version: !ruby/object:Gem::Version
-  version: 1.7.0
+  version: 1.9.0
 platform: ruby
 authors:
 - René Meye
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-01-13 00:00:00.000000000 Z
+date: 2023-02-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -19,7 +19,7 @@ dependencies:
         version: '5.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '7.0'
+        version: '8.0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
@@ -29,7 +29,7 @@ dependencies:
         version: '5.0'
     - - "<"
       - !ruby/object:Gem::Version
-        version: '7.0'
+        version: '8.0'
 - !ruby/object:Gem::Dependency
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
@@ -109,10 +109,12 @@ files:
 - lib/generators/heimdall_auth/standard_pages/templates/invalid_user_data.html.erb
 - lib/generators/heimdall_auth/standard_pages/templates/not_enough_rights.html.erb
 - lib/heimdall_auth.rb
+- lib/heimdall_auth/authentication_additions.rb
 - lib/heimdall_auth/controller_additions.rb
 - lib/heimdall_auth/engine.rb
 - lib/heimdall_auth/rails/routes.rb
 - lib/heimdall_auth/railtie.rb
+- lib/heimdall_auth/route_constraint.rb
 - lib/heimdall_auth/user.rb
 - lib/heimdall_auth/version.rb
 - lib/omniauth/stategies/heimdall.rb