heimdall_auth_bw 2.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 897e838e92686bdc993d3528f0907ab07d894c9f2962f6ca601ba79bc4b4552d
+  data.tar.gz: d6abc328c02dfd3c278db93384755844e2a2e8a34f5af6209a971e53aa847546
+SHA512:
+  metadata.gz: 3e97a168649f24437530649f4401a39948a27138f73453415953c160ee6a1ccc42b09c6598d22251bb4d37c7300731fdb09d81292d73f822f1f83887ff233086
+  data.tar.gz: 7a48c02ea680b9029746c840d8a3d044f16e34f814a81bed5256095c88cc4e68a123e56dca1a500f648b3fc52c74b1d19501c385f5a593a7ff4a07734c721a64

data/MIT-LICENSE

@@ -0,0 +1,20 @@
+Copyright 2019 René Meye
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,140 @@
+# HeimdallAuth
+This makes it easy to equip an empty rails application with our Heimdall Auth features.
+
+## New Feature: Secure Sidekiq (and other mounts)
+Use it like so in `config/routes.rb`:
+```
+mount_heimdall_auth_secured Sidekiq::Web => '/sidekiq', :manage => :sidekiq
+
+or
+
+# The /sidekiq/stats path gets available for services like Datadog
+mount_heimdall_auth_secured Sidekiq::Web => '/sidekiq', :manage => :sidekiq, accessible_via_token: {'/sidekiq/stats': ENV['SIDEKIQ_STATS_TOKEN_FOR_WATCHDOG']}
+```
+instead of the known:
+```
+mount Sidekiq::Web => '/sidekiq'
+```
+
+Additionally you need to add the rights to your `app/models/ability.rb`:
+```
+if user.is_admin
+  can :manage, :sidekiq
+end
+```
+
+and the password in `.env` and `.env.example` if you used it:
+```
+SIDEKIQ_STATS_TOKEN_FOR_WATCHDOG=halloweltrandomstring
+```
+
+Options:
+- mount_heimdall_auth_secured ENGINE => PATH, ACTION => RESOURCE, accessible_via_token: {EXCEPTION_PATH: EXCEPTION_PASSWORD, EXCEPTION_PATH2: EXCEPTION_PASSWORD2}
+  - ENGINE - any mountable Engine like `Sidekiq::Web`
+  - PATH - where to mount the engine
+  - ACTION & RESOURCE - like any action and resource in cancancan
+- :accessible_via_token -> Defines paths that are available via a particular token. e.g. for Watchdog services like Datadog
+  - URL needs then to have the token as `?token=secretpassword` in the query params. Like: `https://webhook.vesputi-abc.de/sidekiq/stats?token=secretpassword`
+
+## Installation and Usage
+
+Example: https://gitlab.vesputi.com/netzmap/nanna
+
+0) Commit the empty rails application (and mention the command you used for generating the app)
+
+1) Add this line to your application's Gemfile:
+
+```ruby
+gem 'heimdall_auth'
+```
+
+2) and afterwards do theses commands (yes... second bundle install ist needed, because the install script adds dotenv gem)
+```bash
+bundle install
+rails puma_dev:link
+rails generate heimdall_auth:install
+rails heimdall:register -- -u"rene@vesputi.com" -p"HeimdallPassword" >> .env
+bundle install
+killall puma-dev
+```
+
+3) And please commit directly after executing the lines above so you have clean history
+
+
+## Linking puma_dev
+
+This executes a very simple `ln -s` command in order to link our application with appropriate naming to the local puma_dev server.
+```bash
+rails puma_dev:link
+```
+
+## Heimdall-Auth install scripts
+This makes a few steps in order to install heimdall stuff to your app.
+```bash
+rails generate heimdall_auth:install
+```
+executes the following generators
+1. `rails generate heimdall_auth:cancan`
+2. `rails generate heimdall_auth:sessions`
+3. `rails generate heimdall_auth:standard_pages`
+4. `rails generate heimdall_auth:dotenv`
+
+### generate heimdall_auth:cancan
+This adds the ability.rb file of the cancancan gem with default heimdall roles and adds `check_authorization` to the application controller. (For details see the [cancancan gem](https://github.com/CanCanCommunity/cancancan))
+
+### generate heimdall_auth:sessions
+This adds the default heimdall_auth routes for session generation to the routes file, switches the application to https only and lowers the log level.
+
+### generate heimdall_auth:standard_pages
+This adds the default admin page `/admin` and two error pages: for invalid_user_data and not_enough_rights.
+
+### generate heimdall_auth:dotenv
+This adds a default .env.example file (for documentation purposes) to the application and adds the dotenv gem to the gemfile which loads enviroment variables from .env file.
+
+## Register at local heimdall
+
+The following command Registeres the service at Heimdall and puts credentials at the end of the `.env` file
+
+```bash
+rails heimdall:register -- -u"rene@vesputi.com" -p"YourHeimdallPassword" >> .env
+```
+Parameters:
+```
+-u"rene@vesputi.com" # Username in Heimdall (Needs Admin rights)
+-p"YourHeimdallPassword" # Password in Heimdall
+-h"https://heimdall.vesp" (Optional) - Protocol and Domain the heimdall is found at
+-s"https://foo.vesputi-abc.de" # (Optional) - Protocol and Domain the Service is found at
+```
+
+## RSpec
+If you want to test your Applications controller than you have to give it a User
+You do so by mocking `current_user` in ApplicationController
+
+```
+RSpec.describe "/foobar", type: :request do
+  before { allow_any_instance_of(ApplicationController).to receive(:current_user) { HeimdallAuth::User.new(is_editor: true) } }
+end
+```
+
+# Usage with RSpec
+## Simulate an Admin user
+
+See the example:
+```ruby
+require 'rails_helper'
+
+RSpec.describe "/cards", type: :request do
+
+  let(:admin_user) {
+    HeimdallAuth::User.new(email: "foo@bar.com", is_admin: true)
+  }
+
+  describe "GET /index" do
+    before(:each) do
+      allow_any_instance_of( HeimdallAuth::ControllerAdditions ).to receive(:current_user).and_return(admin_user)
+    end
+
+    it "renders a successful response" do
+      Card.create! valid_attributes
+      get cards_url
+```

data/Rakefile

@@ -0,0 +1,27 @@
+begin
+  require 'bundler/setup'
+rescue LoadError
+  puts 'You must `gem install bundler` and `bundle install` to run rake tasks'
+end
+
+require 'rdoc/task'
+
+RDoc::Task.new(:rdoc) do |rdoc|
+  rdoc.rdoc_dir = 'rdoc'
+  rdoc.title    = 'HeimdallAuth'
+  rdoc.options << '--line-numbers'
+  rdoc.rdoc_files.include('README.md')
+  rdoc.rdoc_files.include('lib/**/*.rb')
+end
+
+require 'bundler/gem_tasks'
+
+require 'rake/testtask'
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << 'test'
+  t.pattern = 'test/**/*_test.rb'
+  t.verbose = false
+end
+
+task default: :test

data/app/controllers/heimdall_auth/sessions_controller.rb

@@ -0,0 +1,39 @@
+class HeimdallAuth::SessionsController < ApplicationController
+  skip_authorization_check
+
+  def new
+    user_token = params[:user_token].presence
+    heimdall_auth_url = auth_provider_url(provider: "heimdall")
+
+    if user_token
+      do_a_signin_precall(user_token, heimdall_auth_url)
+    else
+      redirect_to heimdall_auth_url, allow_other_host: true
+    end
+  end
+
+  def create
+    auth = request.env["omniauth.auth"]
+    session[:access_token] = auth&.credentials&.token
+    redirect_to( session[:last_url] || request.base_url, allow_other_host: true)
+  end
+
+  def destroy
+    last_url = session[:last_url]
+    reset_session
+    redirect_to("#{ENV['HEIMDALL_SERVER_URL']}/signout?redirect_to=#{last_url || request.base_url}", :notice => 'Signed out!', allow_other_host: true)
+  end
+
+  def failure
+    redirect_to request.base_url, :alert => "Authentication error: #{params[:message].humanize}", allow_other_host: true
+  end
+
+  def login_button
+  end
+
+  private
+  def do_a_signin_precall(user_token, heimdall_auth_url)
+    redirect_to "#{ENV['HEIMDALL_SERVER_URL']}/?user_token=#{user_token}&redirect_to=#{heimdall_auth_url}", allow_other_host: true
+  end
+
+end

data/lib/generators/heimdall_auth/cancan/cancan_generator.rb

@@ -0,0 +1,19 @@
+module HeimdallAuth
+  module Generators
+    class CancanGenerator < ::Rails::Generators::Base
+      source_root File.expand_path('templates', __dir__)
+
+      def add_ability_file
+        copy_file "ability.rb", "app/models/ability.rb"
+      end
+
+      def add_check_authorization_method
+        inject_into_file 'app/controllers/application_controller.rb', after: "class ApplicationController < ActionController::Base\n" do
+<<-'RUBY'
+  check_authorization
+RUBY
+        end
+      end
+    end
+  end
+end

data/lib/generators/heimdall_auth/cancan/templates/ability.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+class Ability
+  include CanCan::Ability
+
+  def initialize(user)
+    if user && not(user.is_invalid)
+      can :index, :admin_page
+      # if user.is_editor
+      #   can :manage, :all
+      # end
+      # if user.is_operator
+      # end
+      # if user.is_admin
+      # end
+      # if user.is_user_admin
+      # end
+    end
+
+    #
+    # The first argument to `can` is the action you are giving the user
+    # permission to do.
+    # If you pass :manage it will apply to every action. Other common actions
+    # here are :read, :create, :update and :destroy.
+    #
+    # The second argument is the resource the user can perform the action on.
+    # If you pass :all it will apply to every resource. Otherwise pass a Ruby
+    # class of the resource.
+    #
+    # The third argument is an optional hash of conditions to further filter the
+    # objects.
+    # For example, here the user can only update published articles.
+    #
+    #   can :update, Article, :published => true
+    #
+    # See the wiki for details:
+    # https://github.com/CanCanCommunity/cancancan/wiki/Defining-Abilities
+  end
+end

data/lib/generators/heimdall_auth/dotenv/dotenv_generator.rb

@@ -0,0 +1,24 @@
+module HeimdallAuth
+  module Generators
+    class DotenvGenerator < ::Rails::Generators::Base
+      source_root File.expand_path('templates', __dir__)
+
+      def add_dot_env_support
+        gem_group :development, :test do
+          # Load ENV variables from .env file development and test
+          gem 'dotenv-rails'
+        end
+      end
+
+      def create_example_file
+        copy_file "dot-env.example", ".env.example"
+      end
+
+      def ignore_dot_env_file
+        inject_into_file '.gitignore', after: "/.bundle\n" do
+          "/.env\n"
+        end
+      end
+    end
+  end
+end

data/lib/generators/heimdall_auth/dotenv/templates/dot-env.example

@@ -0,0 +1,3 @@
+HEIMDALL_SERVER_URL=https://heimdall.vesputi-abc.de/
+HEIMDALL_APPLICATION_ID=foo
+HEIMDALL_APPLICATION_SECRET=bar

data/lib/generators/heimdall_auth/install/install_generator.rb

@@ -0,0 +1,12 @@
+module HeimdallAuth
+  module Generators
+    class InstallGenerator < ::Rails::Generators::Base
+      def install
+        generate "heimdall_auth:cancan"
+        generate "heimdall_auth:sessions"
+        generate "heimdall_auth:standard_pages"
+        generate "heimdall_auth:dotenv"
+      end
+    end
+  end
+end

data/lib/generators/heimdall_auth/sessions/sessions_generator.rb

@@ -0,0 +1,26 @@
+module HeimdallAuth
+  module Generators
+    class SessionsGenerator < ::Rails::Generators::Base
+
+      def add_session_routes
+        route "use_heimdall_auth"
+      end
+
+      def set_https_only
+        gsub_file 'config/environments/production.rb', '# config.force_ssl = true', 'config.force_ssl = true'
+        inject_into_file 'config/environments/development.rb', after: "  config.assets.debug = true\n" do
+<<-'RUBY'
+
+  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+  config.force_ssl = true
+RUBY
+        end
+      end
+
+      def lower_production_log_level
+        gsub_file 'config/environments/production.rb', 'config.log_level = :debug', 'config.log_level = :warn'
+      end
+
+    end
+  end
+end

data/lib/generators/heimdall_auth/standard_pages/standard_pages_generator.rb

@@ -0,0 +1,23 @@
+module HeimdallAuth
+  module Generators
+    class StandardPagesGenerator < ::Rails::Generators::Base
+      source_root File.expand_path('templates', __dir__)
+
+      def generate_admin_page
+        copy_file "admin_controller.rb", "app/controllers/admin_page_controller.rb"
+        copy_file "admin_view.html.erb", "app/views/admin_page/index.html.erb"
+        route "get '/admin' => 'admin_page#index'"
+      end
+
+      def generate_error_pages
+        copy_file "invalid_user_data.html.erb", "app/views/application/invalid_user_data.html.erb"
+        copy_file "not_enough_rights.html.erb", "app/views/application/not_enough_rights.html.erb"
+      end
+
+      def generate_login_pages
+        copy_file "login_button.html.erb", "app/views/heimdall_auth/sessions/login_button.html.erb"
+      end
+
+    end
+  end
+end

data/lib/generators/heimdall_auth/standard_pages/templates/admin_controller.rb

@@ -0,0 +1,5 @@
+class AdminPageController < ApplicationController
+  def index
+    authorize! :index, :admin_page
+  end
+end

data/lib/generators/heimdall_auth/standard_pages/templates/admin_view.html.erb

@@ -0,0 +1,2 @@
+<h1>Admin Page</h1>
+<h3>Hallo: <%=current_user && current_user.name%></h3>

data/lib/generators/heimdall_auth/standard_pages/templates/invalid_user_data.html.erb

@@ -0,0 +1,2 @@
+<h1>Ungültige Nutzerdaten.</h1>
+<p>Das Authentifizierungssytem hat ungültige Benutzerdaten geliefert. Bitte informieren Sie den Administrator.</p>

data/lib/generators/heimdall_auth/standard_pages/templates/login_button.html.erb

@@ -0,0 +1,3 @@
+<%= form_tag('/auth/heimdall', method: 'post', data: {turbo: false}) do %>
+  <button type='submit'>Login</button>
+<% end %>

data/lib/generators/heimdall_auth/standard_pages/templates/not_enough_rights.html.erb

@@ -0,0 +1,2 @@
+<h1>Nicht genügend Rechte.</h1>
+<p>Sie verfügen leider nicht über genügend Rechte um diese Seite zu öffnen. Bei Fragen wenden Sie sich an Ihren Administrator.</p>

data/lib/heimdall_auth/authentication_additions.rb

@@ -0,0 +1,48 @@
+module HeimdallAuth
+  module AuthenticationAdditions
+    def current_ability
+      @current_ability ||= Ability.new(current_user)
+    end
+
+    def store_location_in_session
+      session[:last_url] = request.url if storable_location?
+      ::Rails.logger.info("\033[32m session[:last_url] = #{session[:last_url]} \033[0m")
+    end
+
+    def storable_location?
+      request.get? && request.format.try(:ref) == :html && !is_a?(SessionsController) && !request.xhr?
+    end
+
+    def current_access_token
+      request.session[:access_token] || params[:access_token] || request.headers['HeimdallAccessToken']
+    end
+
+    def current_user
+      begin
+        @current_user ||= get_user_from_auth_server(current_access_token)
+      rescue NoMethodError => e
+        User.new(is_invalid: true)
+      rescue Exception => e
+        nil
+      end
+    end
+
+    def current_environment
+      begin
+        @current_environment ||= current_user.app_environment || params[:environment]
+      rescue NoMethodError, Exception => e
+        nil
+      end
+    end
+
+    def get_user_from_auth_server(access_token)
+      client = OAuth2::Client.new(ENV['HEIMDALL_APPLICATION_ID'], ENV['HEIMDALL_APPLICATION_SECRET'], :site => ENV['HEIMDALL_SERVER_URL'])
+      user_data = OAuth2::AccessToken.new(client,access_token).get('/me.json').parsed
+      User.new(user_data)
+    end
+
+    def user_signed_in?
+      return true if current_user
+    end
+  end
+end

data/lib/heimdall_auth/controller_additions.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+require "cancancan"
+require "heimdall_auth/authentication_additions"
+
+module HeimdallAuth
+  # This module is automatically included into all controllers.
+  # It adds methods like current_user but also handles auth-failure redirections
+  module ControllerAdditions
+    include HeimdallAuth::AuthenticationAdditions
+
+    def self.included(base)
+      base.helper_method :current_user, :current_access_token, :current_environment, :user_signed_in? if base.respond_to? :helper_method
+      base.before_action :store_location_in_session
+
+      base.rescue_from CanCan::AccessDenied do |exception|
+        user_token = params[:user_token].presence
+
+        respond_to do |format|
+          format.json { head :forbidden, content_type: 'text/html' }
+          format.html {
+            if current_user.nil?
+              redirect_to new_user_session_path({user_token: user_token})
+            elsif current_user.is_invalid
+              render 'application/invalid_user_data'
+            else
+              render 'application/not_enough_rights'
+            end
+          }
+        end
+      end
+
+    end
+  end
+end
+
+if defined? ActiveSupport
+  ActiveSupport.on_load(:action_controller) do
+    include CanCan::ControllerAdditions
+    include HeimdallAuth::ControllerAdditions
+  end
+end

data/lib/heimdall_auth/engine.rb

@@ -0,0 +1,28 @@
+module HeimdallAuth
+  class Engine < Rails::Engine
+    initializer "heimdall_auth.routes" do
+      HeimdallAuth::Rails::Routes.install!
+    end
+
+    initializer "heimdall_auth.middleware" do |app|
+      unless [ENV['HEIMDALL_SERVER_URL'], ENV['HEIMDALL_APPLICATION_ID'], ENV['HEIMDALL_APPLICATION_SECRET']].any? &:nil?
+        app.config.middleware.use OmniAuth::Builder do
+          provider :heimdall,
+            ENV['HEIMDALL_APPLICATION_ID'],
+            ENV['HEIMDALL_APPLICATION_SECRET'],
+            client_options: {
+              site: ENV['HEIMDALL_SERVER_URL']
+            }
+        end
+      else
+        warn_missing_config
+      end
+    end
+
+    private
+
+    def warn_missing_config
+      puts "Heimdall configuration is missing. Set the follwing ENV-Variables: HEIMDALL_SERVER_URL, HEIMDALL_APPLICATION_ID and HEIMDALL_APPLICATION_SECRET. You might execute `rails heimdall:register -- -u'rene@vesputi.com' -p'YourHeimdallPassword' >> .env`"
+    end
+  end
+end

data/lib/heimdall_auth/rails/routes.rb

@@ -0,0 +1,38 @@
+module HeimdallAuth
+  module Rails
+    class Routes
+      module Helper
+        def use_heimdall_auth(options = {}, &block)
+          get '/auth/:provider' => 'heimdall_auth/sessions#login_button', :as => :auth_provider
+          get '/auth/:provider/callback' => 'heimdall_auth/sessions#create', :as => :auth_provider_callback
+          get '/auth/failure' => 'heimdall_auth/sessions#failure'
+          get '/signin' => 'heimdall_auth/sessions#new', :as => :new_user_session
+          get '/signout' => 'heimdall_auth/sessions#destroy', :as => :destroy_user_session
+        end
+
+
+        def mount_heimdall_auth_secured(options = {}, &block)
+          accessible_via_token = options.extract!(:accessible_via_token)[:accessible_via_token]
+
+          engine = options.keys.first #Syntax sugar ENGINE => PATH, ACTION => RESOURCE
+          path = options.values.first #Syntax sugar ENGINE => PATH, ACTION => RESOURCE
+
+          action = options.keys.second #Syntax sugar ENGINE => PATH, ACTION => RESOURCE
+          resource = options.values.second #Syntax sugar ENGINE => PATH, ACTION => RESOURCE
+
+          if action.nil? || resource.nil?
+            puts "WARNING: It seems you missed the cancancan rights. Use: `mount_heimdall_auth_secured Sidekiq::Web => '/sidekiq', :manage => :sidekiq`"
+          end
+
+          mount engine => path, constraints: HeimdallAuth::RouteConstraint.new(action, resource, accessible_via_token)
+           get "#{path}", to: redirect('/signin')
+           get "#{path}/*rest", to: redirect('/signin')
+        end
+      end
+
+      def self.install!
+        ActionDispatch::Routing::Mapper.send :include, HeimdallAuth::Rails::Routes::Helper
+      end
+    end
+  end
+end

data/lib/heimdall_auth/railtie.rb

@@ -0,0 +1,4 @@
+module HeimdallAuth
+  class Railtie < ::Rails::Railtie
+  end
+end

data/lib/heimdall_auth/route_constraint.rb

@@ -0,0 +1,57 @@
+module HeimdallAuth
+
+  class AuthenticationChecker
+    include HeimdallAuth::AuthenticationAdditions
+
+    def initialize(request)
+      @request = request
+    end
+
+    def request #This allowes the methods in AuthenticationAdditions to use to usually global request
+      @request
+    end
+
+    def session #This allowes the methods in AuthenticationAdditions to use to usually global request
+      @request.session
+    end
+
+    def can?(action, resource)
+      store_location_in_session
+      if current_user
+        if current_ability.can?(action, resource)
+          return true
+        else
+          session[:last_url] = request.base_url #prevent a redirection loop if users do not have enough rights. So send her to the base_url
+          return false
+        end
+      else
+        return false
+      end
+    end
+  end
+
+  class RouteConstraint
+
+    def initialize(action, resource, accessible_via_token)
+      @action = action
+      @resource = resource
+      @accessible_via_token = accessible_via_token
+    end
+
+    def matches?(matching_request)
+      if @accessible_via_token && matching_request.query_parameters["token"]
+        @accessible_via_token.keys.each do |path|
+          if path.to_s == matching_request.path.to_s
+            expected_token = @accessible_via_token[path]
+            if expected_token && ActiveSupport::SecurityUtils.secure_compare(matching_request.query_parameters["token"], expected_token)
+              return true
+            end
+          end
+        end
+      end
+
+      AuthenticationChecker.new(matching_request).can?(@action, @resource)
+    end
+
+  end
+end

data/lib/heimdall_auth/user.rb

@@ -0,0 +1,29 @@
+class HeimdallAuth::User
+  include ActiveModel::Conversion
+  extend ActiveModel::Naming
+
+  attr_accessor :is_invalid
+  attr_accessor :id, :name, :app_type, :app_environment, :app_id, :email, :is_editor, :is_operator, :is_admin, :is_user_admin, :is_police, :is_ride_on_demand_provider, :is_ride_on_demand_accounting, :raw_data
+
+  def initialize(attributes = {})
+    attributes.each do |name, value|
+      setter_method = "#{name}="
+      send(setter_method, value) if self.respond_to? setter_method
+    end
+    self.raw_data = attributes.to_json
+  end
+
+  def key_type
+    Rails.logger.warn("key_type is deprecated, please use app_type")
+    app_type
+  end
+
+  def key_environment
+    Rails.logger.warn("key_environment is deprecated, please use app_environment")
+    app_environment
+  end
+
+  def persisted?
+    false
+  end
+end

data/lib/heimdall_auth/version.rb

@@ -0,0 +1,3 @@
+module HeimdallAuth
+  VERSION = '2.0.0'
+end

data/lib/heimdall_auth_bw.rb

@@ -0,0 +1,16 @@
+require "heimdall_auth/railtie" if defined?(Rails)
+
+require "heimdall_auth/engine"
+require "heimdall_auth/rails/routes"
+
+require "heimdall_auth/user"
+require "omniauth/stategies/heimdall"
+
+require "heimdall_auth/authentication_additions"
+require "heimdall_auth/controller_additions"
+
+require "heimdall_auth/route_constraint"
+
+module HeimdallAuthBw
+  # Your code goes here...
+end

data/lib/omniauth/stategies/heimdall.rb

@@ -0,0 +1,47 @@
+require 'omniauth-oauth2'
+require 'omniauth/rails_csrf_protection'
+
+module OmniAuth
+  module Strategies
+    class Heimdall < OmniAuth::Strategies::OAuth2
+      option :name, :heimdall
+
+      uid {
+        raw_info['id']
+      }
+
+      info do
+        {
+          name: raw_info['name'],
+          email: raw_info['email'],
+        }
+      end
+
+      extra do
+        { raw_info: raw_info }
+      end
+
+      def raw_info
+        @raw_info ||= access_token.get('/me.json').parsed
+      end
+
+      def callback_url
+        # If redirect_uri is configured in token_params, use that
+        # value.
+        token_params.to_hash(:symbolize_keys => true)[:redirect_uri] || super
+      end
+
+      def query_string
+        # This method is called by callback_url, only if redirect_uri
+        # is omitted in token_params.
+        if request.params["code"]
+          # If this is a callback, ignore query parameters added by
+          # the provider.
+          ""
+        else
+          super
+        end
+      end
+    end
+  end
+end

data/lib/tasks/puma_dev_link.rake

@@ -0,0 +1,12 @@
+namespace :puma_dev do
+  desc 'Fast linking to puma dev'
+  task :link do
+
+    application_name = Rails.application.class.try(:parent_name) || Rails.application.class.try(:module_parent_name)
+    puma_dev_app_name = "#{application_name.underscore.dasherize}.vesputi-abc"
+    command = "ln -s #{Rails.root} ~/.puma-dev/#{puma_dev_app_name}"
+
+    puts "Script is linking to puma-dev"
+    sh command
+  end
+end

data/lib/tasks/register.rake

@@ -0,0 +1,84 @@
+require 'net/http'
+require 'net/https'
+require 'json'
+require 'optparse'
+
+namespace :heimdall do
+  desc 'Register application at a Heimdall Application'
+  task :register do
+
+    application_name = Rails.application.class.try(:parent_name) || Rails.application.class.try(:module_parent_name)
+
+    options = {
+      application_name: application_name,
+      service_url: "https://#{application_name.underscore.dasherize}.vesputi-abc.de",
+      heimdall_url: "https://heimdall.vesputi-abc.de",
+    }
+    option_parser = OptionParser.new
+    option_parser.banner = "Usage: rake add [options]"
+    option_parser.on("-h", "--heimdall ARG", String) { |heimdall_url| options[:heimdall_url] = heimdall_url }
+    option_parser.on("-s", "--service ARG", String) { |service_url| options[:service_url] = service_url }
+    option_parser.on("-u", "--username ARG", String) { |username| options[:username] = username }
+    option_parser.on("-p", "--password ARG", String) { |password| options[:password] = password }
+
+    args = option_parser.order!(ARGV) {}
+    option_parser.parse!(args)
+
+    #TODO: strip the trialing slash ... if there is one
+    credentials = create_oauth_application_request(
+      options[:heimdall_url],
+      options[:service_url],
+      "#{options[:application_name]} | (Registered at #{DateTime.current.to_formatted_s(:long)})",
+      options[:username],
+      options[:password]
+    )
+
+    if credentials
+      STDERR.puts "## Sucessfully registered as '#{options[:application_name]}'"
+      STDERR.puts "# Heimdall URL as '#{options[:heimdall_url]}' (change it with -h\"https://heimdall.any-whe.re/\")"
+      STDERR.puts "# Service URL as '#{options[:service_url]}' (change it with -s\"https://foo.bar/\")"
+      puts "HEIMDALL_SERVER_URL=#{options[:heimdall_url]}/"
+      puts "HEIMDALL_APPLICATION_ID=#{credentials['uid']}"
+      puts "HEIMDALL_APPLICATION_SECRET=#{credentials['secret']}"
+    end
+  end
+end
+
+
+def create_oauth_application_request(heimdall_url, application_url, application_name, heimdall_username, heimdall_password)
+  uri = URI("#{heimdall_url}/oauth_applications_api.json")
+
+  # Create client
+  http = Net::HTTP.new(uri.host, uri.port)
+  http.use_ssl = true
+  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+  dict = {
+            "oauth_application" => {
+                "name" => "#{application_name}",
+                "redirect_uri" =>
+                  "#{application_url}/auth/heimdall/callback\n" +
+                  "#{application_url}/auth/heimdall/callback/"
+            }
+        }
+  body = JSON.dump(dict)
+
+  # Create Request
+  req =  Net::HTTP::Post.new(uri)
+  # Add headers
+  req.add_field "Authorization", "Basic #{Base64.strict_encode64("#{heimdall_username}:#{heimdall_password}")}"
+  # Add headers
+  req.add_field "Content-Type", "application/json; charset=utf-8"
+  # Set body
+  req.body = body
+
+  # Fetch Request
+  res = http.request(req)
+
+  if res.code == "201"
+    return JSON.parse(res.body)
+  else
+    STDERR.puts "Can't Register \n\n Code #{res.code} Body: #{res.body}"
+  end
+rescue StandardError => e
+  STDERR.puts "HTTP Request failed (#{e.message})"
+end

metadata

@@ -0,0 +1,151 @@
+--- !ruby/object:Gem::Specification
+name: heimdall_auth_bw
+version: !ruby/object:Gem::Version
+  version: 2.0.0
+platform: ruby
+authors:
+- René Meye
+bindir: bin
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '5.0'
+- !ruby/object:Gem::Dependency
+  name: omniauth
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: omniauth-oauth2
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: omniauth-rails_csrf_protection
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: cancancan
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Description of HeimdallAuth.
+email:
+- rene@meye.md
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- MIT-LICENSE
+- README.md
+- Rakefile
+- app/controllers/heimdall_auth/sessions_controller.rb
+- lib/generators/heimdall_auth/cancan/cancan_generator.rb
+- lib/generators/heimdall_auth/cancan/templates/ability.rb
+- lib/generators/heimdall_auth/dotenv/dotenv_generator.rb
+- lib/generators/heimdall_auth/dotenv/templates/dot-env.example
+- lib/generators/heimdall_auth/install/install_generator.rb
+- lib/generators/heimdall_auth/sessions/sessions_generator.rb
+- lib/generators/heimdall_auth/standard_pages/standard_pages_generator.rb
+- lib/generators/heimdall_auth/standard_pages/templates/admin_controller.rb
+- lib/generators/heimdall_auth/standard_pages/templates/admin_view.html.erb
+- lib/generators/heimdall_auth/standard_pages/templates/invalid_user_data.html.erb
+- lib/generators/heimdall_auth/standard_pages/templates/login_button.html.erb
+- lib/generators/heimdall_auth/standard_pages/templates/not_enough_rights.html.erb
+- lib/heimdall_auth/authentication_additions.rb
+- lib/heimdall_auth/controller_additions.rb
+- lib/heimdall_auth/engine.rb
+- lib/heimdall_auth/rails/routes.rb
+- lib/heimdall_auth/railtie.rb
+- lib/heimdall_auth/route_constraint.rb
+- lib/heimdall_auth/user.rb
+- lib/heimdall_auth/version.rb
+- lib/heimdall_auth_bw.rb
+- lib/omniauth/stategies/heimdall.rb
+- lib/tasks/puma_dev_link.rake
+- lib/tasks/register.rake
+licenses:
+- MIT
+metadata: {}
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.6.7
+specification_version: 4
+summary: Summary of HeimdallAuth.
+test_files: []