RubyGems - heroku-bouncer - Versions diffs - 0.3.4 → 0.4.0.pre - Mend

heroku-bouncer 0.3.4 → 0.4.0.pre

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b0a0fcbf6c90f52b0178b11532f52f99c89d882f
-  data.tar.gz: b98b20f813286ef2057f194b8060f325a78ffe89
+  metadata.gz: f43138f01404ab7e324200582dfb741e4eaaccdd
+  data.tar.gz: 066eb52d989918961505cd21f760b7421a3fd40d
 SHA512:
-  metadata.gz: a64178645292a555e6dda738b02a795ce7405e649cf7467d458736da1108d74a67b03d99cc7f9f1d35681a251dc80e090df4dac9d8143a29ed07d4dadc15f0d0
-  data.tar.gz: 1a6ae3ff4a85d68e9be0507edf3309dab70de8221d84587a19fdefe0918f5d2a617ebbf6cba46bbc981d3af159bb1ae9101675efafe40ae97ff04fd6560da40a
+  metadata.gz: f9b41150e950a3f5342d5f909197f38c7896a240a2e384b28e470d1217c600586a9631e5735fe1e5bf65eb3c50363f83190b03df507f985f551780707fde1cf0
+  data.tar.gz: c12572fc71cb948758547a3580e73bb0393cb75479f6e64eb6b514b54ee9997185ac511955e8dd381917eebc33cbb298ebc2032c1a192a9f380cc5dc2aab1cae

data/Gemfile.lock CHANGED Viewed

@@ -1,8 +1,7 @@
 PATH
   remote: .
   specs:
-    heroku-bouncer (0.2.1)
-      encrypted_cookie (~> 0.0.4)
+    heroku-bouncer (0.3.3)
       faraday (~> 0.8)
       multi_json (~> 1.0)
       omniauth-heroku (>= 0.1.0)
@@ -11,14 +10,14 @@ PATH
 GEM
   remote: https://rubygems.org/
   specs:
-    encrypted_cookie (0.0.4)
-    faraday (0.8.7)
-      multipart-post (~> 1.1)
+    faraday (0.8.8)
+      multipart-post (~> 1.2.0)
     hashie (2.0.5)
     httpauth (0.2.0)
     jwt (0.1.8)
       multi_json (>= 1.5)
-    multi_json (1.7.7)
+    minitest (5.0.8)
+    multi_json (1.8.0)
     multipart-post (1.2.0)
     oauth2 (0.8.1)
       faraday (~> 0.8)
@@ -49,3 +48,4 @@ PLATFORMS
 DEPENDENCIES
   heroku-bouncer!
+  minitest (~> 5.0)

data/README.md CHANGED Viewed

@@ -10,7 +10,13 @@ Sinatra app that uses heroku-bouncer.
 ## Use
-1. Create your OAuth client using `/auth/heroku/callback` as your
+1. Install the Heroku OAuth CLI plugin.
+    ```sh
+    heroku plugins:install git://github.com/heroku/heroku-oauth.git
+    ```
+2. Create your OAuth client using `/auth/heroku/callback` as your
    callback endpoint. Use `http://localhost:5000/auth/heroku/callback`
    for local development with Foreman.
@@ -19,26 +25,43 @@ Sinatra app that uses heroku-bouncer.
     heroku clients:register myapp https://myapp.herokuapp.com/auth/heroku/callback
     ```
-2. Set `HEROKU_OAUTH_ID` and `HEROKU_OAUTH_SECRET` in your environment.
-3. Set the `COOKIE_SECRET` environment variable to a long random string.
+3. Set `HEROKU_OAUTH_ID` and `HEROKU_OAUTH_SECRET` in your environment.
+4. Set the `COOKIE_SECRET` environment variable to a long random string.
    Otherwise, the OAuth ID and secret are concatenated for use as a secret.
-4. Use the middleware.
+5. Use the middleware as follows:
-    **Rack, Sinatra, and Rails 4**
+    **Rack**
-    Add a `use` line to `config.ru`:
+    `Heroku::Bouncer` requires a session middleware to be mounted above
+    it. Pure Rack apps will need to add such a middleware if they don't
+    already have one. In `config.ru`:
     ```ruby
-    require ::File.expand_path('../config/environment', __FILE__)
-    use ::Heroku::Bouncer
-    run Rails.application
+    require 'rack/session/cookie'
+    require 'heroku/bouncer'
+    require 'my_app'
+    # use `openssl rand -base64 32` to generate a secret
+    use Rack::Session::Cookie, secret: "..."
+    use Heroku::Bouncer
+    run MyApp
     ```
-    The middleware does not work properly when configured inside
-    Rails 4.
+    **Sinatra**
+    `Heroku::Bouncer` can be run like a Rack app, but since a Sinatra
+    app can mount Rack middleware, it may be easier to mount it inside
+    the app and use Sinatra's session.
+    ```ruby
+    class MyApp < Sinatra::Base
+      ...
+      enable :sessions, secret: "..."
+      use ::Heroku::Bouncer
+      ...
+    ```
-    **Rails 3**
+    **Rails**
     Add a middleware configuration line to `config/application.rb`:

data/lib/heroku/bouncer.rb CHANGED Viewed

@@ -2,7 +2,7 @@ require 'sinatra/base'
 require 'omniauth-heroku'
 require 'faraday'
 require 'multi_json'
-require 'encrypted_cookie'
+require 'openssl'
 unless defined?(Heroku)
   module Heroku; end
@@ -13,17 +13,13 @@ class Heroku::Bouncer < Sinatra::Base
   $stderr.puts "[warn] heroku-bouncer: HEROKU_ID detected, please use HEROKU_OAUTH_ID instead" if ENV.has_key?('HEROKU_ID')
   $stderr.puts "[warn] heroku-bouncer: HEROKU_SECRET detected, please use HEROKU_OAUTH_SECRET instead" if ENV.has_key?('HEROKU_SECRET')
-  ID = (ENV['HEROKU_OAUTH_ID'] || ENV['HEROKU_ID']).to_s
-  SECRET = (ENV['HEROKU_OAUTH_SECRET'] ||  ENV['HEROKU_SECRET']).to_s
+  ID            = (ENV['HEROKU_OAUTH_ID'] || ENV['HEROKU_ID']).to_s
+  SECRET        = (ENV['HEROKU_OAUTH_SECRET'] ||  ENV['HEROKU_SECRET']).to_s
+  COOKIE_SECRET = (ENV['COOKIE_SECRET'] || (ID + SECRET)).to_s
   enable :raise_errors
   disable :show_exceptions
-  use Rack::Session::EncryptedCookie,
-    :secret => (ENV['COOKIE_SECRET'] || (ID + SECRET)).to_s,
-    :expire_after => 8 * 60 * 60,
-    :key => (ENV['COOKIE_NAME'] || '_bouncer_session').to_s
   # sets up the /auth/heroku endpoint
   unless ID.empty? || SECRET.empty?
     use OmniAuth::Builder do
@@ -47,14 +43,27 @@ class Heroku::Bouncer < Sinatra::Base
   end
   def call(env)
-    @disabled ? @app.call(env) : super(env)
+    if @disabled
+      @app.call(env)
+    else
+      unlock_session_data(env) do
+        super(env)
+      end
+    end
+  end
+  def unlock_session_data(env, &block)
+    decrypt_store(env)
+    return_value = yield
+    encrypt_store(env)
+    return_value
   end
   before do
-    if session[:store] && session[:store][:user]
+    if store_read(:user)
       expose_store
     elsif ! %w[/auth/heroku/callback /auth/heroku /auth/failure /auth/sso-logout /auth/logout].include?(request.path)
-      session[:return_to] = request.url
+      store_write(:return_to, request.url)
       redirect to('/auth/heroku')
     end
   end
@@ -68,14 +77,14 @@ class Heroku::Bouncer < Sinatra::Base
         url = @herokai_only.is_a?(String) ? @herokai_only : 'https://www.heroku.com'
         redirect to(url) and return
       end
-      @expose_user ? store(:user, user) : store(:user, true)
-      store(:email, user['email']) if @expose_email
+      @expose_user ? store_write(:user, user) : store_write(:user, true)
+      store_write(:email, user['email']) if @expose_email
     else
-      store(:user, true)
+      store_write(:user, true)
     end
-    store(:token, token) if @expose_token
-    redirect to(session.delete(:return_to) || '/')
+    store_write(:token, token) if @expose_token
+    redirect to(store_delete(:return_to) || '/')
   end
   # something went wrong
@@ -97,10 +106,90 @@ class Heroku::Bouncer < Sinatra::Base
     redirect to("/")
   end
+  # Encapsulates encrypting and decrypting a hash of data. Does not store the
+  # key that is passed in.
+  class DecryptedHash < Hash
+    def initialize(decrypted_hash = nil)
+      super
+      replace(decrypted_hash) if decrypted_hash
+    end
+    def self.unlock(data, key)
+      if data && data = Lockbox.new(key).unlock(data)
+        data, digest = data.split("--")
+        if digest == Lockbox.generate_hmac(data, key)
+          data = data.unpack('m*').first
+          data = Marshal.load(data)
+          new(data)
+        else
+          new
+        end
+      else
+        new
+      end
+    end
+    def lock(key)
+      # marshal a Hash, not a DecryptedHash
+      data = {}.replace(self)
+      data = Marshal.dump(data)
+      data = [data].pack('m*')
+      data = "#{data}--#{Lockbox.generate_hmac(data, key)}"
+      Lockbox.new(key).lock(data)
+    end
+  end
+  class Lockbox < BasicObject
+    def initialize(key)
+      @key = key
+    end
+    def lock(str)
+      aes = ::OpenSSL::Cipher::Cipher.new('aes-128-cbc').encrypt
+      aes.key = @key
+      iv = ::OpenSSL::Random.random_bytes(aes.iv_len)
+      aes.iv = iv
+      [iv + (aes.update(str) << aes.final)].pack('m0')
+    end
+    # decrypts string. returns nil if an error occurs
+    #
+    # returns nil if openssl raises an error during decryption (data
+    # manipulation, key change, implementation change), or if the text to
+    # decrypt is too short to possibly be good aes data.
+    def unlock(str)
+      str = str.unpack('m0').first
+      aes = ::OpenSSL::Cipher::Cipher.new('aes-128-cbc').decrypt
+      aes.key = @key
+      iv = str[0, aes.iv_len]
+      aes.iv = iv
+      crypted_text = str[aes.iv_len..-1]
+      return nil if crypted_text.nil? || iv.nil?
+      aes.update(crypted_text) << aes.final
+    rescue
+      nil
+    end
+  private
+    def self.generate_hmac(data, key)
+      ::OpenSSL::HMAC.hexdigest(::OpenSSL::Digest::SHA1.new, key, data)
+    end
+  end
 private
-  def destroy_session
-    session = nil if session
+  def decrypt_store(env)
+    env["rack.session"][:bouncer] =
+      DecryptedHash.unlock(env["rack.session"][:bouncer], COOKIE_SECRET)
+  end
+  def encrypt_store(env)
+    env["rack.session"][:bouncer] =
+      env["rack.session"][:bouncer].lock(COOKIE_SECRET)
   end
   def extract_option(options, option, default = nil)
@@ -115,15 +204,31 @@ private
       end.body)
   end
-  def store(key, value)
-    session[:store] ||= {}
-    session[:store][key] = value
+  def store
+    session[:bouncer]
+  end
+  def store_write(key, value)
+    store[key] = value
+  end
+  def store_read(key)
+    store.fetch(key, nil)
+  end
+  def store_delete(key)
+    store.delete(key)
+  end
+  def destroy_session
+    session = nil if session
   end
   def expose_store
-    session[:store].each_pair do |key, value|
+    store.each_pair do |key, value|
       request.env["bouncer.#{key}"] = value
     end
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: heroku-bouncer
 version: !ruby/object:Gem::Version
-  version: 0.3.4
+  version: 0.4.0.pre
 platform: ruby
 authors:
 - Jonathan Dance
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-09-24 00:00:00.000000000 Z
+date: 2013-09-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: omniauth-heroku
@@ -67,19 +67,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '1.0'
 - !ruby/object:Gem::Dependency
-  name: encrypted_cookie
+  name: minitest
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 0.0.4
-  type: :runtime
+        version: '5.0'
+  type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 0.0.4
+        version: '5.0'
 description: ID please.
 email:
 - jd@heroku.com
@@ -108,9 +108,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - '>'
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project:
 rubygems_version: 2.0.3