hubssolib 3.1.0 → 3.2.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +4 -0
- data/README.md +57 -18
- data/hubssolib.gemspec +1 -1
- data/lib/hub_sso_lib.rb +106 -4
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: c6df4bbfdb7389a9ae74fd974f9aec00f80caccf38a9702514bea230563c8abf
|
|
4
|
+
data.tar.gz: 6714640777624dc0a90744f125218375c42ff322401bcf65dc2d730df2de4a0c
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 52375b875cda94de7b2823a1b718a5588f27c0c093d4f0010373670ffc4b54da4c5211e627719a56f10179cb3a91b86403a31f955b07348f7bfdaa25906de410
|
|
7
|
+
data.tar.gz: 5ef7b400a85299a3925994bba59d8c6ff1b1ded612541affd288413955eee935971e7d0bb8e61855fef42955baa3b6b2331333b720de82f1cdfcfff0f4a5eb94
|
data/CHANGELOG.md
CHANGED
|
@@ -1,3 +1,7 @@
|
|
|
1
|
+
## 3.2.0, 15-Feb-2025
|
|
2
|
+
|
|
3
|
+
Introduces the user change handler mechanism, a scheme whereby an external application tells Hub about a Rake task that the application has implemented, through which Hub can inform if of changes to a user's e-mail address or "real" name. See the gem's `README.md` for details, under "Applications with an existing user model".
|
|
4
|
+
|
|
1
5
|
## 3.1.0, 14-Feb-2025
|
|
2
6
|
|
|
3
7
|
Environment variable `HUB_IDLE_TIME_LIMIT` can be used to override the idle timeout, with a value expressed in seconds. It must be set in the environment of any application using Hub, including the Hub application itself.
|
data/README.md
CHANGED
|
@@ -118,20 +118,20 @@ before_action :hubssolib_beforehand
|
|
|
118
118
|
after_action :hubssolib_afterwards</pre>
|
|
119
119
|
```
|
|
120
120
|
|
|
121
|
-
Within any controller which has actions which you wish to protect with Hub login, define a
|
|
121
|
+
Within any controller which has actions which you wish to protect with Hub login, define a constant `HUBSSOLIB_PERMISSIONS` and provide an accessor method for it. I'll deal with the accessor method first; in any controller for which Hub is to guard access, add the following:
|
|
122
122
|
|
|
123
123
|
```ruby
|
|
124
|
-
def
|
|
125
|
-
|
|
124
|
+
def self.hubssolib_permissions
|
|
125
|
+
HUBSSOLIB_PERMISSIONS
|
|
126
126
|
end
|
|
127
127
|
```
|
|
128
128
|
|
|
129
129
|
More details are provided [below](#permissions) but, in brief, to define the permissions variable you create an instance of `HubSsoLib::Permissions`. The constructor is passed a hash. The hash keys are symbolized names of the controller actions you want to protect. The hash values are an array of privileges required to access the action, from a choice of one or more of `:admin`, `:webmaster`, `:privileged` and `:normal`. These relate to the roles you can assign to accounts as Hub administrator. For example:
|
|
130
130
|
|
|
131
131
|
```ruby
|
|
132
|
-
|
|
133
|
-
:
|
|
134
|
-
:
|
|
132
|
+
HUBSSOLIB_PERMISSIONS = HubSsoLib::Permissions.new({
|
|
133
|
+
show: [ :admin, :webmaster, :privileged, :normal ],
|
|
134
|
+
edit: [ :admin, :webmaster ]
|
|
135
135
|
})
|
|
136
136
|
```
|
|
137
137
|
|
|
@@ -140,14 +140,15 @@ In this example, any user can access the controller's `show` action but only use
|
|
|
140
140
|
A user's role(s) must match at least one of the privileges in the array for a given action — so even if your account has an administrator role (and _only_ an administrator role), it won't be able to access a protected action unless `:admin` is included in the array given within the hash to the `HubSsoLib::Permissions` constructor. For example:
|
|
141
141
|
|
|
142
142
|
```ruby
|
|
143
|
-
|
|
144
|
-
:
|
|
143
|
+
HUBSSOLIB_PERMISSIONS = HubSsoLib::Permissions.new({
|
|
144
|
+
weblist: [ :webmaster, :privileged ]
|
|
145
145
|
})
|
|
146
146
|
```
|
|
147
147
|
|
|
148
148
|
Here, only accounts with the webmaster or privileged role associated can access the `weblist` action. If an account has only normal and/or administrative roles, it won't be allowed through.
|
|
149
149
|
|
|
150
150
|
### Applications with an existing user model
|
|
151
|
+
#### General concerns
|
|
151
152
|
|
|
152
153
|
If you want to integrate Hub with an application which already has the concept of user accounts, logging in and logging out, there are two main approaches.
|
|
153
154
|
|
|
@@ -156,6 +157,44 @@ If you want to integrate Hub with an application which already has the concept o
|
|
|
156
157
|
|
|
157
158
|
Neither approach is problem-free and both require quite a lot of effort and testing. Automated testing is very hard because the modified application's behaviour depends upon logging in or out of Hub, which is running elsewhere. Unfortunately Rails doesn't offer a universally supported single sign-on mechanism so applications all use different approaches to user management; this means that there is no magic bullet to integration with Hub. You have to learn and understand the structure of the application being integrated and be prepared to make changes that are potentially quite extensive.
|
|
158
159
|
|
|
160
|
+
#### Synchronisation concerns, where applicable
|
|
161
|
+
|
|
162
|
+
Some applications might use local User records for relational purposes. Suppose users could author Posts. We could simply freeze the author name with a Post using a column in that table. This means the author name of any Post is easy to display. However, if that author changed their name, only new Posts would show the new name. If the application wanted to answer a question such as, "List all Posts by a given author", it would be relatively expensive. And if an application wanted to internally keep a record of author e-mail addresses for things like e-mailed notifications of some kind, it would get worse; the author might change their e-mail address in Hub and the integrated application would not know.
|
|
163
|
+
|
|
164
|
+
To solve these problems, external applications integrated with Hub can participate in the user change handler mechanism. The Hub-integrated external application calls `HubSsoLib::Core#hubssolib_register_user_change_handler` to register an interest in Hub user alterations. The mechanism invokes an application-defined Rake task, which can update user records however it sees fit. The method is given the application's name, it's Rails application root - the filesystem location of the application, since we need to use that as a current working directory to issue a `bundle exec rake your:task:name...` - and the name of the Rake task to run. Registration is usually done in `config/application.rb` - for example:
|
|
165
|
+
|
|
166
|
+
```ruby
|
|
167
|
+
module Foo
|
|
168
|
+
class Application < Rails::Application
|
|
169
|
+
require HubSsoLib::Core
|
|
170
|
+
|
|
171
|
+
hubssolib_register_user_change_handler(
|
|
172
|
+
app_name: Rails.application.name,
|
|
173
|
+
app_root: Rails.root,
|
|
174
|
+
task_name: 'hub:update_user'
|
|
175
|
+
)
|
|
176
|
+
|
|
177
|
+
# ...etc...
|
|
178
|
+
end
|
|
179
|
+
end
|
|
180
|
+
```
|
|
181
|
+
|
|
182
|
+
The Rake task can have any name that works for your application. A "hub" namespace is recommended but entirely optional. If a Hub user edits their details, then the task is invoked with four positional parameters - the user's old e-mail address and old Hub unique name, as returned by `HubSsoLib::Core#hubssolib_unique_name` - followed by the new e-mail address and new unique name (at least one, or both of those will always have actually changed). The Rake task can then look up the external application's User record via the old address or unique name and, if found, update it. It should either throw an exception or `exit` with a non-zero status code if it fails to store the updated details - in that case, Hub will roll back user changes on its side and warn the end user.
|
|
183
|
+
|
|
184
|
+
For example, `lib/tasks/hub.rake` might look like this:
|
|
185
|
+
|
|
186
|
+
```ruby
|
|
187
|
+
namespace :hub do
|
|
188
|
+
desc 'Update a user with details sent from Hub'
|
|
189
|
+
task :update_user, [:old_email, :old_name, :new_email, :new_name] => :environment do | t, args |
|
|
190
|
+
user = User.find_by_email_address(old_email)
|
|
191
|
+
user&.update!(email_address: new_email, display_name: new_name)
|
|
192
|
+
end
|
|
193
|
+
end
|
|
194
|
+
```
|
|
195
|
+
|
|
196
|
+
|
|
197
|
+
|
|
159
198
|
## Hub library API
|
|
160
199
|
|
|
161
200
|
The Hub component interfaces that should be used by application authors when integrating with the Hub single sign-on mechanism are described below. If you want a complete list of all public interfaces, consult the file `hub_sso_lib.rb` inside the Hub gem. All functions and classes therein are fully commented to describe the purpose of each class, along with the purpose, input parameters and return values of class methods and instance methods.
|
|
@@ -178,9 +217,9 @@ Hub protects against access to actions in controller by using a `before_action`
|
|
|
178
217
|
Permitted roles are expressed as single symbols or their equivalent strings, or an array containing many symbols or equivalent strings. Most often, an array of symbols is used. To create a permissions object, instantiate `HubSsoLib::Permissions`. For example:
|
|
179
218
|
|
|
180
219
|
```ruby
|
|
181
|
-
|
|
182
|
-
:
|
|
183
|
-
:
|
|
220
|
+
HUBSSOLIB_PERMISSIONS = HubSsoLib::Permissions.new({
|
|
221
|
+
show: [ :admin, :webmaster, :privileged, :normal ],
|
|
222
|
+
edit: [ :admin, :webmaster ]
|
|
184
223
|
})
|
|
185
224
|
```
|
|
186
225
|
|
|
@@ -191,7 +230,7 @@ The above line of code typically appears at the start of the class definition fo
|
|
|
191
230
|
```ruby
|
|
192
231
|
class AccountController < ApplicationController
|
|
193
232
|
|
|
194
|
-
|
|
233
|
+
HUBSSOLIB_PERMISSIONS = HubSsoLib::Permissions.new({
|
|
195
234
|
# ...permissions here...
|
|
196
235
|
})
|
|
197
236
|
|
|
@@ -199,11 +238,11 @@ class AccountController < ApplicationController
|
|
|
199
238
|
end
|
|
200
239
|
```
|
|
201
240
|
|
|
202
|
-
Having created the permissions object, you need to expose
|
|
241
|
+
Having created the permissions object, you need to expose constant `HUBSSOLIB_PERMISSIONS` to Hub in a way that it understands. To do this, create a class method called `hubssolib_permissions` that just returns the variable:
|
|
203
242
|
|
|
204
243
|
```ruby
|
|
205
|
-
def
|
|
206
|
-
|
|
244
|
+
def self.hubssolib_permissions
|
|
245
|
+
HUBSSOLIB_PERMISSIONS
|
|
207
246
|
end
|
|
208
247
|
```
|
|
209
248
|
|
|
@@ -212,12 +251,12 @@ So the full preamble in this example is:
|
|
|
212
251
|
```ruby
|
|
213
252
|
class AccountController < ApplicationController
|
|
214
253
|
|
|
215
|
-
|
|
254
|
+
HUBSSOLIB_PERMISSIONS = HubSsoLib::Permissions.new({
|
|
216
255
|
...permissions here...
|
|
217
256
|
})
|
|
218
257
|
|
|
219
|
-
def
|
|
220
|
-
|
|
258
|
+
def self.hubssolib_permissions
|
|
259
|
+
HUBSSOLIB_PERMISSIONS
|
|
221
260
|
end
|
|
222
261
|
|
|
223
262
|
...existing class contents here...
|
data/hubssolib.gemspec
CHANGED
data/lib/hub_sso_lib.rb
CHANGED
|
@@ -19,6 +19,7 @@ module HubSsoLib
|
|
|
19
19
|
|
|
20
20
|
require 'drb'
|
|
21
21
|
require 'securerandom'
|
|
22
|
+
require 'json'
|
|
22
23
|
|
|
23
24
|
# DRb connection
|
|
24
25
|
HUB_CONNECTION_URI = ENV['HUB_CONNECTION_URI'] || 'drbunix:' + File.join( ENV['HOME'] || '/', '/.hub_drb')
|
|
@@ -33,6 +34,19 @@ module HubSsoLib
|
|
|
33
34
|
raise 'Exiting'
|
|
34
35
|
end
|
|
35
36
|
|
|
37
|
+
# External application command registry for on-user-change events
|
|
38
|
+
HUB_COMMAND_REGISTRY = ENV['HUB_COMMAND_REGISTRY'] || File.join( ENV['HOME'] || '/', '/.hub_cmd_reg')
|
|
39
|
+
|
|
40
|
+
unless Dir.exist?(File.dirname(HUB_COMMAND_REGISTRY))
|
|
41
|
+
puts
|
|
42
|
+
puts '*' * 80
|
|
43
|
+
puts "Invalid path specified by HUB_COMMAND_REGISTRY (#{ HUB_COMMAND_REGISTRY.inspect })"
|
|
44
|
+
puts '*' * 80
|
|
45
|
+
puts
|
|
46
|
+
|
|
47
|
+
raise 'Exiting'
|
|
48
|
+
end
|
|
49
|
+
|
|
36
50
|
# Location of Hub application root.
|
|
37
51
|
#
|
|
38
52
|
HUB_PATH_PREFIX = ENV['HUB_PATH_PREFIX'] || ''
|
|
@@ -710,9 +724,96 @@ module HubSsoLib
|
|
|
710
724
|
user ? "#{user.user_real_name} (#{user.user_id})" : 'Anonymous'
|
|
711
725
|
end
|
|
712
726
|
|
|
713
|
-
#
|
|
714
|
-
#
|
|
715
|
-
#
|
|
727
|
+
# If an application needs to know about changes of a user e-mail address
|
|
728
|
+
# or display name (e.g. because of sync to a local relational store of
|
|
729
|
+
# users related to other application-managed resources, with therefore a
|
|
730
|
+
# desire to keep that store up to date), it can register a task to run
|
|
731
|
+
# on-change here. When a user edits their information, Hub runs through
|
|
732
|
+
# all such commands, allowing external applications to manage their own
|
|
733
|
+
# state with no need for coupled configuration or other duplication.
|
|
734
|
+
#
|
|
735
|
+
# The registered name must be a Rake task and the application must specify
|
|
736
|
+
# its location in the filesystem so that the PWD can be changed there, in
|
|
737
|
+
# order to execute the Rake task via "bundle exec". The task is passed the
|
|
738
|
+
# following parameters, in the specified order:
|
|
739
|
+
#
|
|
740
|
+
# - User's old e-mail address
|
|
741
|
+
# - User's old unique display name (as returned by #hubssolib_unique_name)
|
|
742
|
+
# - User's new e-mail address (which might be the same as the old)
|
|
743
|
+
# - User's old unique display name (which might be unchanged too)
|
|
744
|
+
#
|
|
745
|
+
# This is a newer Hub interface which uses named parameters rather than
|
|
746
|
+
# positional:
|
|
747
|
+
#
|
|
748
|
+
# +app_name+:: Application name, e.g. "beast"; make sure this is unique.
|
|
749
|
+
# +app_root+:: Application's Rails root, e.g. "/home/fred/rails/beast".
|
|
750
|
+
# +task_name+:: Rake task name, e.g. "hub:update_user".
|
|
751
|
+
#
|
|
752
|
+
# An example invocation in "config/application.rb" might look like this:
|
|
753
|
+
#
|
|
754
|
+
# module Foo
|
|
755
|
+
# class Application < Rails::Application
|
|
756
|
+
# require HubSsoLib::Core
|
|
757
|
+
#
|
|
758
|
+
# hubssolib_register_user_change_handler(
|
|
759
|
+
# app_name: Rails.application.name,
|
|
760
|
+
# app_root: Rails.root,
|
|
761
|
+
# task_name: 'hub:update_user'
|
|
762
|
+
# )
|
|
763
|
+
#
|
|
764
|
+
# config.load_defaults 8.0 # ...etc...
|
|
765
|
+
# end
|
|
766
|
+
# end
|
|
767
|
+
#
|
|
768
|
+
def hubssolib_register_user_change_handler(app_name:, app_root:, task_name:)
|
|
769
|
+
File.open(HUB_COMMAND_REGISTRY, File::RDWR | File::CREAT) do |file|
|
|
770
|
+
file.flock(File::LOCK_EX)
|
|
771
|
+
|
|
772
|
+
commands_json = file.read()
|
|
773
|
+
commands_hash = (JSON.parse(commands_json) rescue nil) if commands_json.present?
|
|
774
|
+
commands_hash ||= {}
|
|
775
|
+
|
|
776
|
+
file.rewind()
|
|
777
|
+
|
|
778
|
+
commands_hash[app_name] = {
|
|
779
|
+
root: app_root,
|
|
780
|
+
task: task_name
|
|
781
|
+
}
|
|
782
|
+
|
|
783
|
+
file.write(JSON.fast_generate(commands_hash))
|
|
784
|
+
file.truncate(file.pos)
|
|
785
|
+
end
|
|
786
|
+
end
|
|
787
|
+
|
|
788
|
+
# Returns all change handlers registered by prior calls made to
|
|
789
|
+
# #hubssolib_register_user_change_handler. Returns a Hash, keyed by Rails
|
|
790
|
+
# application name, with values of another Hash:
|
|
791
|
+
#
|
|
792
|
+
# * +root+ => Rails application root
|
|
793
|
+
# * +task+ => Name of Rake task to be run
|
|
794
|
+
#
|
|
795
|
+
# All keys are Strings.
|
|
796
|
+
#
|
|
797
|
+
# This is usually called by the Hub application only, when it is processing
|
|
798
|
+
# a user's request to change their information.
|
|
799
|
+
#
|
|
800
|
+
def hubssolib_registered_user_change_handlers
|
|
801
|
+
commands_hash = {}
|
|
802
|
+
|
|
803
|
+
File.open(HUB_COMMAND_REGISTRY, File::RDWR | File::CREAT) do |file|
|
|
804
|
+
file.flock(File::LOCK_EX)
|
|
805
|
+
|
|
806
|
+
commands_json = file.read()
|
|
807
|
+
commands_hash = (JSON.parse(commands_json) rescue nil) if commands_json.present?
|
|
808
|
+
commands_hash ||= {}
|
|
809
|
+
end
|
|
810
|
+
|
|
811
|
+
return commands_hash
|
|
812
|
+
end
|
|
813
|
+
|
|
814
|
+
# Mandatory controller "before_action" callback method which activates
|
|
815
|
+
# HubSsoLib permissions management, session expiry and so-on. Usually
|
|
816
|
+
# invoked in ApplicationController.
|
|
716
817
|
#
|
|
717
818
|
def hubssolib_beforehand
|
|
718
819
|
|
|
@@ -794,7 +895,8 @@ module HubSsoLib
|
|
|
794
895
|
end
|
|
795
896
|
end
|
|
796
897
|
|
|
797
|
-
#
|
|
898
|
+
# Mandatory controller "after_action" callback method to tidy up after Hub
|
|
899
|
+
# actions during a request. Usually invoked in ApplicationController.
|
|
798
900
|
#
|
|
799
901
|
def hubssolib_afterwards
|
|
800
902
|
begin
|
metadata
CHANGED
|
@@ -1,13 +1,13 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: hubssolib
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 3.
|
|
4
|
+
version: 3.2.0
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Andrew Hodgkinson and others
|
|
8
8
|
bindir: bin
|
|
9
9
|
cert_chain: []
|
|
10
|
-
date: 2025-02-
|
|
10
|
+
date: 2025-02-15 00:00:00.000000000 Z
|
|
11
11
|
dependencies:
|
|
12
12
|
- !ruby/object:Gem::Dependency
|
|
13
13
|
name: drb
|