heroku-bouncer 0.7.1 → 0.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/README.md +15 -5
- data/lib/heroku/bouncer/lockbox.rb +18 -4
- data/lib/heroku/bouncer/middleware.rb +1 -1
- metadata +19 -7
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 85c6929c3208eb743c042d9dbef6f9d43db08987
|
|
4
|
+
data.tar.gz: b08dd7bac4866f854c050a65011ec6403936cb93
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 5370531c477251b6247116d86597c9cc4d35ade54fa1dd5bb513e2c51a5db3f09b926a99cf573a5b1674c5dcc0980887c41db12598d9f9459c8f93ae011e17c2
|
|
7
|
+
data.tar.gz: a748a855a7be7e07e9756c5e9407f2db0a08d12dedff83f0fe4473a53ecc205058a6b1eb2113f7ff524bb5fae25d642dc83fcc1dc18e23d3bb1218319dbf671b
|
data/CHANGELOG.md
CHANGED
data/README.md
CHANGED
|
@@ -6,6 +6,14 @@
|
|
|
6
6
|
Heroku Bouncer is a Rack middleware (implemented in Sinatra) that
|
|
7
7
|
requires Heroku OAuth on all requests.
|
|
8
8
|
|
|
9
|
+
## Ruby and Rack compatibility
|
|
10
|
+
|
|
11
|
+
* **Ruby**: Versions >= 0.8.0 require Ruby >= 2.2. If you need a version
|
|
12
|
+
that works with prior versions of Ruby, please use version `~> 0.7.1`.
|
|
13
|
+
Note, however, that 0.7.1 does not support Rack 2 (Rails 5).
|
|
14
|
+
|
|
15
|
+
* **Rack**: Rack 1 and 2 are supported.
|
|
16
|
+
|
|
9
17
|
## Demo
|
|
10
18
|
|
|
11
19
|
[heroku-bouncer-demo](https://github.com/schneems/heroku-bouncer-demo) is a
|
|
@@ -16,7 +24,7 @@ Sinatra app that uses heroku-bouncer.
|
|
|
16
24
|
1. Install the Heroku OAuth CLI plugin.
|
|
17
25
|
|
|
18
26
|
```sh
|
|
19
|
-
heroku plugins:install
|
|
27
|
+
heroku plugins:install heroku-cli-oauth
|
|
20
28
|
```
|
|
21
29
|
|
|
22
30
|
2. Create your OAuth client using `/auth/heroku/callback` as your
|
|
@@ -24,10 +32,12 @@ Sinatra app that uses heroku-bouncer.
|
|
|
24
32
|
for local development with Foreman.
|
|
25
33
|
|
|
26
34
|
```sh
|
|
27
|
-
heroku clients:
|
|
28
|
-
heroku clients:
|
|
35
|
+
heroku clients:create localhost http://localhost:5000/auth/heroku/callback
|
|
36
|
+
heroku clients:create myapp https://myapp.herokuapp.com/auth/heroku/callback
|
|
29
37
|
```
|
|
30
38
|
|
|
39
|
+
See https://github.com/heroku/heroku-cli-oauth#clients for more details.
|
|
40
|
+
|
|
31
41
|
3. Configure the middleware as follows:
|
|
32
42
|
|
|
33
43
|
**Rack**
|
|
@@ -98,8 +108,8 @@ Here are the supported options you can pass to the middleware:
|
|
|
98
108
|
* `allow_if`: A lambda that takes an email address. If the lambda evaluates to
|
|
99
109
|
true, allow the user through. If false, redirects to `redirect_url`.
|
|
100
110
|
By default, all users are allowed through after authenticating.
|
|
101
|
-
* `allow_if_user`: A lambda that takes the
|
|
102
|
-
[account resource](https://devcenter.heroku.com/articles/platform-api-reference#account)
|
|
111
|
+
* `allow_if_user`: A lambda that takes the
|
|
112
|
+
[account resource](https://devcenter.heroku.com/articles/platform-api-reference#account)
|
|
103
113
|
representing the user. If the lambda evaluates to true, allow the user
|
|
104
114
|
through. If false, redirects to `redirect_url`. By default, all users are
|
|
105
115
|
allowed through after authenticating.
|
|
@@ -7,8 +7,8 @@ class Heroku::Bouncer::Lockbox < BasicObject
|
|
|
7
7
|
end
|
|
8
8
|
|
|
9
9
|
def lock(str)
|
|
10
|
-
aes =
|
|
11
|
-
aes.key = @key
|
|
10
|
+
aes = cipher.encrypt
|
|
11
|
+
aes.key = @key.size > 32 ? @key[0..31] : @key
|
|
12
12
|
iv = ::OpenSSL::Random.random_bytes(aes.iv_len)
|
|
13
13
|
aes.iv = iv
|
|
14
14
|
[iv + (aes.update(str) << aes.final)].pack('m0')
|
|
@@ -21,8 +21,8 @@ class Heroku::Bouncer::Lockbox < BasicObject
|
|
|
21
21
|
# decrypt is too short to possibly be good aes data.
|
|
22
22
|
def unlock(str)
|
|
23
23
|
str = str.unpack('m0').first
|
|
24
|
-
aes =
|
|
25
|
-
aes.key = @key
|
|
24
|
+
aes = cipher.decrypt
|
|
25
|
+
aes.key = @key.size > 32 ? @key[0..31] : @key
|
|
26
26
|
iv = str[0, aes.iv_len]
|
|
27
27
|
aes.iv = iv
|
|
28
28
|
crypted_text = str[aes.iv_len..-1]
|
|
@@ -34,6 +34,20 @@ class Heroku::Bouncer::Lockbox < BasicObject
|
|
|
34
34
|
|
|
35
35
|
private
|
|
36
36
|
|
|
37
|
+
def cipher
|
|
38
|
+
# OpenSSL::Cipher::Cipher is deprecated for Ruby >= 2.4
|
|
39
|
+
# https://ruby.github.io/openssl/OpenSSL/Cipher/Cipher.html
|
|
40
|
+
if ruby_two_point_four_or_above?
|
|
41
|
+
::OpenSSL::Cipher.new('aes-256-cbc')
|
|
42
|
+
else
|
|
43
|
+
::OpenSSL::Cipher::Cipher.new('aes-256-cbc')
|
|
44
|
+
end
|
|
45
|
+
end
|
|
46
|
+
|
|
47
|
+
def ruby_two_point_four_or_above?
|
|
48
|
+
::RUBY_VERSION.to_f >= 2.4
|
|
49
|
+
end
|
|
50
|
+
|
|
37
51
|
def self.generate_hmac(data, key)
|
|
38
52
|
::OpenSSL::HMAC.hexdigest(::OpenSSL::Digest::SHA1.new, key, data)
|
|
39
53
|
end
|
|
@@ -20,7 +20,7 @@ class Heroku::Bouncer::Middleware < Sinatra::Base
|
|
|
20
20
|
# super is not called; we're not using sinatra if we're disabled
|
|
21
21
|
else
|
|
22
22
|
super(app)
|
|
23
|
-
@cookie_secret = extract_option(options, :secret, SecureRandom.
|
|
23
|
+
@cookie_secret = extract_option(options, :secret, SecureRandom.hex(64))
|
|
24
24
|
@allow_if_user = extract_option(options, :allow_if_user, nil)
|
|
25
25
|
@redirect_url = extract_option(options, :redirect_url, 'https://www.heroku.com')
|
|
26
26
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: heroku-bouncer
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.
|
|
4
|
+
version: 0.8.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Jonathan Dance
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: bin
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date:
|
|
11
|
+
date: 2017-08-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: omniauth-heroku
|
|
@@ -28,16 +28,22 @@ dependencies:
|
|
|
28
28
|
name: sinatra
|
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
|
30
30
|
requirements:
|
|
31
|
-
- - "
|
|
31
|
+
- - ">="
|
|
32
32
|
- !ruby/object:Gem::Version
|
|
33
33
|
version: '1.0'
|
|
34
|
+
- - "<"
|
|
35
|
+
- !ruby/object:Gem::Version
|
|
36
|
+
version: '3'
|
|
34
37
|
type: :runtime
|
|
35
38
|
prerelease: false
|
|
36
39
|
version_requirements: !ruby/object:Gem::Requirement
|
|
37
40
|
requirements:
|
|
38
|
-
- - "
|
|
41
|
+
- - ">="
|
|
39
42
|
- !ruby/object:Gem::Version
|
|
40
43
|
version: '1.0'
|
|
44
|
+
- - "<"
|
|
45
|
+
- !ruby/object:Gem::Version
|
|
46
|
+
version: '3'
|
|
41
47
|
- !ruby/object:Gem::Dependency
|
|
42
48
|
name: faraday
|
|
43
49
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -56,16 +62,22 @@ dependencies:
|
|
|
56
62
|
name: rack
|
|
57
63
|
requirement: !ruby/object:Gem::Requirement
|
|
58
64
|
requirements:
|
|
59
|
-
- - "
|
|
65
|
+
- - ">="
|
|
60
66
|
- !ruby/object:Gem::Version
|
|
61
67
|
version: '1.0'
|
|
68
|
+
- - "<"
|
|
69
|
+
- !ruby/object:Gem::Version
|
|
70
|
+
version: '3'
|
|
62
71
|
type: :runtime
|
|
63
72
|
prerelease: false
|
|
64
73
|
version_requirements: !ruby/object:Gem::Requirement
|
|
65
74
|
requirements:
|
|
66
|
-
- - "
|
|
75
|
+
- - ">="
|
|
67
76
|
- !ruby/object:Gem::Version
|
|
68
77
|
version: '1.0'
|
|
78
|
+
- - "<"
|
|
79
|
+
- !ruby/object:Gem::Version
|
|
80
|
+
version: '3'
|
|
69
81
|
- !ruby/object:Gem::Dependency
|
|
70
82
|
name: rake
|
|
71
83
|
requirement: !ruby/object:Gem::Requirement
|
|
@@ -183,7 +195,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
|
|
|
183
195
|
requirements:
|
|
184
196
|
- - ">="
|
|
185
197
|
- !ruby/object:Gem::Version
|
|
186
|
-
version: '
|
|
198
|
+
version: '2.2'
|
|
187
199
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
|
188
200
|
requirements:
|
|
189
201
|
- - ">="
|