hobby-sso-guard 0.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 9420789b746af7c4123aec30ee4ea25fa07c33ebf08aa362c37c5fad260d8cfb
+  data.tar.gz: c30830fe6b47ea022317944de82e2a6a636e649d794ac34757e43b610f8c26c4
+SHA512:
+  metadata.gz: f7bb14045ff3c00b36b80ee835b1d78c720ff8aa883ac2697f84014798201bb8952d8651a5c31ee11725425fc5f1d61ac14b9b39d537556b57d7edda9f1d0120
+  data.tar.gz: 4979e6a98d70387c08cbd30b85ae18a3ec169af24a0e423da7056a901e4a91388cca15f795afdca41379f8a6327ed615353461a2e20c3865aa5277a3f192828a

data/Gemfile

@@ -0,0 +1,11 @@
+source 'https://rubygems.org'
+
+gem 'rspec'
+gem 'rspec-power_assert'
+gem 'pry'
+gem 'awesome_print'
+gem 'puma'
+gem 'redis'
+gem 'watir'
+
+gemspec

data/Gemfile.lock

@@ -0,0 +1,63 @@
+PATH
+  remote: .
+  specs:
+    hobby-sso-guard (0.0.0)
+      hobby
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    awesome_print (1.8.0)
+    childprocess (0.9.0)
+      ffi (~> 1.0, >= 1.0.11)
+    coderay (1.1.2)
+    diff-lcs (1.3)
+    ffi (1.9.23)
+    hobby (0.1.2)
+      rack
+    method_source (0.9.0)
+    power_assert (1.1.1)
+    pry (0.11.3)
+      coderay (~> 1.1.0)
+      method_source (~> 0.9.0)
+    puma (3.11.3)
+    rack (2.0.4)
+    redis (4.0.1)
+    rspec (3.7.0)
+      rspec-core (~> 3.7.0)
+      rspec-expectations (~> 3.7.0)
+      rspec-mocks (~> 3.7.0)
+    rspec-core (3.7.1)
+      rspec-support (~> 3.7.0)
+    rspec-expectations (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-mocks (3.7.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.7.0)
+    rspec-power_assert (1.1.0)
+      power_assert (~> 1.1.0)
+      rspec (>= 2.14)
+    rspec-support (3.7.1)
+    rubyzip (1.2.1)
+    selenium-webdriver (3.11.0)
+      childprocess (~> 0.5)
+      rubyzip (~> 1.2)
+    watir (6.10.3)
+      selenium-webdriver (~> 3.4, >= 3.4.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  awesome_print
+  hobby-sso-guard!
+  pry
+  puma
+  redis
+  rspec
+  rspec-power_assert
+  watir
+
+BUNDLED WITH
+   1.16.1

data/hobby-sso-guard.gemspec

@@ -0,0 +1,9 @@
+Gem::Specification.new do |g|
+  g.name    = 'hobby-sso-guard'
+  g.files   = `git ls-files`.split($/)
+  g.version = '0.0.0'
+  g.summary = 'A Rack middleware for SSO(single sign-on).'
+  g.authors = ['Anatoly Chernow']
+
+  g.add_dependency 'hobby'
+end

data/lib/hobby/sso/guard.rb

@@ -0,0 +1,53 @@
+require 'securerandom'
+
+module Hobby
+  module SSO
+    class Guard
+      # sessions: { session_id => user_id }
+      # tickets: { ticket => session_id } should expire quickly(20 seconds or so)
+      # tokens: { token => latest_visited_path }
+      def initialize app, sessions:, tickets:, tokens:, auth_server:
+        @app, @sessions, @tokens = app, sessions, tokens
+        @auth_server = auth_server
+        @enter_app = Enter.new tickets, tokens
+      end
+
+      def call env
+        @env = env
+
+        if active_session?
+          @app.call env
+        else
+          if env['PATH_INFO'] == '/enter'
+            @enter_app.call env
+          else
+            redirect_to_auth_server_with_token create_guest_token
+          end
+        end
+      end
+
+      private
+        attr_reader :env
+
+        def active_session?
+          session = env['rack.session']
+          @sessions.exists session[:id]
+        end
+
+        def create_guest_token
+          token = SecureRandom.urlsafe_base64 64
+          env['rack.session'][:guest_token] = token
+          @tokens.hset token, 'path', env['PATH_INFO']
+          @tokens.hset token, 'query', env['QUERY_STRING']
+          token
+        end
+
+        def redirect_to_auth_server_with_token token
+          location = "#{@auth_server}?service=#{env['HTTP_HOST']}&token=#{token}"
+          [302, { 'Location' => location }, []]
+        end
+    end
+  end
+end
+
+require_relative 'guard/enter'

data/lib/hobby/sso/guard/enter.rb

@@ -0,0 +1,41 @@
+require 'hobby'
+
+class Hobby::SSO::Guard
+  class Enter
+    include Hobby
+
+    def initialize tickets, tokens
+      @tickets, @tokens = tickets, tokens
+    end
+
+    get '/enter' do
+      if ticket = request.params['ticket']
+        if session_id = @tickets.get(ticket)
+          session[:id] = session_id
+          redirect_to_latest_visited_path_or_root
+        else
+          response.status = 403
+          'Bad ticket.'
+        end
+      else
+        response.status = 403
+        'No ticket.'
+      end
+    end
+
+    def session
+      env['rack.session']
+    end
+
+    def redirect_to_latest_visited_path_or_root
+      token = session[:guest_token]
+      if @tokens.exists token
+        path = @tokens.hget token, 'path'
+        query = @tokens.hget token, 'query'
+        response.redirect "#{path}?#{query}"
+      else
+        response.redirect '/'
+      end
+    end
+  end
+end

data/links

@@ -0,0 +1,3 @@
+https://www.owasp.org/index.php/Testing_for_Session_Management
+https://www.owasp.org/index.php/Session_Management_Cheat_Sheet
+https://www.owasp.org/index.php/Authentication_Cheat_Sheet

data/spec/auth_server.rb

@@ -0,0 +1,24 @@
+require 'hobby'
+require 'awesome_print'
+
+class AuthServer
+  include Hobby
+
+  get do
+    if $auth_server_just_returns_HTTP_HOST
+      ap env
+      env['HTTP_HOST']
+    else
+      session, ticket = random, random
+      $sessions.set session, 'some_user_id'
+      $tickets.set ticket, session
+      
+      response.status = 302
+      response.redirect "#{TEST_APP_URL}/enter?ticket=#{ticket}"
+    end
+  end
+
+  def random
+    SecureRandom.urlsafe_base64 64
+  end
+end

data/spec/helper.rb

@@ -0,0 +1,51 @@
+require 'puma'
+require 'redis'
+require 'watir'
+
+require 'rspec/power_assert'
+RSpec::PowerAssert.example_assertion_alias :assert
+RSpec::PowerAssert.example_group_assertion_alias :assert
+
+require 'fileutils'
+DIR = "/tmp/sso.#{$$}.test"
+FileUtils.mkdir_p DIR
+
+
+TEST_APP_URL = 'http://127.0.0.1:8080'
+TEST_APP_PORT = 8080
+AUTH_SERVER_URL = 'http://127.0.0.1:8081'
+AUTH_SERVER_PORT = 8081
+
+require_relative 'auth_server'
+AUTH_SERVER = AuthServer.new
+
+def start_puma port, app, host = '127.0.0.1'
+  server = Puma::Server.new app
+  server.add_tcp_listener host, port
+  server.run
+end
+
+RSpec.configure do |config|
+  config.before :suite do |example|
+    $sessions_pid = spawn "redis-server --unixsocket #{DIR}/sessions.sock --port 0 --dir #{DIR}"
+    $tickets_pid = spawn "redis-server --unixsocket #{DIR}/tickets.sock --port 0 --dir #{DIR}"
+    $tokens_pid = spawn "redis-server --unixsocket #{DIR}/tokens.sock --port 0 --dir #{DIR}"
+
+    $sessions = Redis.new path: "#{DIR}/sessions.sock"
+    $tickets = Redis.new path: "#{DIR}/tickets.sock"
+    $tokens = Redis.new path: "#{DIR}/tokens.sock"
+
+    $test_app_pid = fork do
+      require_relative 'test_app'
+      start_puma TEST_APP_PORT, TestApp.new
+      sleep
+    end
+
+    start_puma AUTH_SERVER_PORT, AuthServer.new
+  end
+
+  config.after :suite do |example|
+    pids = [$sessions_pid, $tickets_pid, $tokens_pid, $test_app_pid]
+    pids.each { |pid| `kill #{pid}` }
+  end
+end

data/spec/integration_spec.rb

@@ -0,0 +1,44 @@
+require_relative 'helper'
+
+describe do
+  let(:browser) { Watir::Browser.new }
+
+  context 'when there is no active session' do
+    it 'redirects to the auth server' do
+      $auth_server_just_returns_HTTP_HOST = true
+      browser.goto TEST_APP_URL
+      assert { browser.text == '127.0.0.1:8081' }
+    end
+
+    after do
+      $auth_server_just_returns_HTTP_HOST = false
+    end
+  end
+
+  context 'when a user tries to /enter' do
+    it 'refuses if there is no ticket' do
+      browser.goto "#{TEST_APP_URL}/enter"
+      assert { browser.text == 'No ticket.' }
+    end
+
+    it 'refuses if there is a bad ticket' do
+      bad_ticket = SecureRandom.urlsafe_base64 64
+      browser.goto "#{TEST_APP_URL}/enter?ticket=#{bad_ticket}"
+      assert { browser.text == 'Bad ticket.' }
+    end
+
+    context 'when the ticket is valid' do
+      it 'sets a session cookie and redirect to an appropriate path' do
+        browser.goto "#{TEST_APP_URL}/some_path"
+        assert { browser.text == 'some path in test app' }
+      end
+    end
+  end
+
+  after do
+    browser.quit
+    $sessions.flushall
+    $tickets.flushall
+    $tokens.flushall
+  end
+end

data/spec/test_app.rb

@@ -0,0 +1,18 @@
+require 'hobby'
+require 'hobby/sso/guard'
+
+class TestApp
+  include Hobby
+
+  use Rack::Session::Cookie, secret: SecureRandom.hex(64)
+  use Hobby::SSO::Guard, auth_server: AUTH_SERVER_URL,
+    sessions: $sessions, tickets: $tickets, tokens: $tokens
+
+  get do
+    'test app root'
+  end
+
+  get '/some_path' do
+    'some path in test app'
+  end
+end

metadata

@@ -0,0 +1,66 @@
+--- !ruby/object:Gem::Specification
+name: hobby-sso-guard
+version: !ruby/object:Gem::Version
+  version: 0.0.0
+platform: ruby
+authors:
+- Anatoly Chernow
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2018-03-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: hobby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: 
+email: 
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Gemfile.lock
+- hobby-sso-guard.gemspec
+- lib/hobby/sso/guard.rb
+- lib/hobby/sso/guard/enter.rb
+- links
+- spec/auth_server.rb
+- spec/helper.rb
+- spec/integration_spec.rb
+- spec/test_app.rb
+homepage: 
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.7.6
+signing_key: 
+specification_version: 4
+summary: A Rack middleware for SSO(single sign-on).
+test_files: []