jekyll-auth 0.6.1 → 1.0.0

data/jekyll-auth.gemspec

@@ -0,0 +1,31 @@
+require './lib/jekyll_auth/version'
+
+Gem::Specification.new do |s|
+  s.name                  = "jekyll-auth"
+  s.version               = JekyllAuth::VERSION
+  s.summary               = "A simple way to use Github OAuth to serve a protected jekyll site to your GitHub organization"
+  s.description           = "A simple way to use Github Oauth to serve a protected jekyll site to your GitHub organization."
+  s.authors               = "Ben Balter"
+  s.email                 = "ben@balter.com"
+  s.homepage              = "https://github.com/benbalter/jekyll-auth"
+  s.license               = "MIT"
+  s.files                 = `git ls-files`.split("\n")
+  s.test_files            = `git ls-files -- {test,spec,features}/*`.split("\n")
+  s.executables           = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
+  s.require_paths         = ["lib"]
+
+  s.add_dependency "jekyll", "~> 2.0"
+  s.add_dependency "sinatra-index", "~> 0.0"
+  s.add_dependency "sinatra_auth_github", "~> 1.1"
+  s.add_dependency "rack", "1.5.2"
+  s.add_dependency "dotenv", "~> 1.0"
+  s.add_dependency "rake", "~> 10.3"
+  s.add_dependency "rack-ssl-enforcer", "~> 0.2"
+  s.add_dependency "mercenary", "~> 0.3"
+  s.add_dependency 'safe_yaml', "~> 1.0"
+  s.add_dependency "colorator", "~> 0.1"
+  s.add_development_dependency "rspec", "~> 3.1"
+  s.add_development_dependency "rack-test", "~> 0.6"
+  s.add_development_dependency "webmock", "~> 1.2 "
+  s.add_development_dependency "pry", "~> 0.10"
+end

data/lib/jekyll-auth.rb

@@ -1,13 +1,16 @@
-require 'rubygems'
 require 'sinatra-index'
 require 'sinatra_auth_github'
-require 'rack'
 require 'dotenv'
 require 'safe_yaml'
-require File.dirname(__FILE__) + '/jekyll-auth/version'
-require File.dirname(__FILE__) + '/jekyll-auth/config'
-require File.dirname(__FILE__) + '/jekyll-auth/auth-site'
-require File.dirname(__FILE__) + '/jekyll-auth/jekyll-site'
+require 'colorator'
+require 'mkmf'
+require_relative 'jekyll_auth/version'
+require_relative 'jekyll_auth/helpers'
+require_relative 'jekyll_auth/auth_site'
+require_relative 'jekyll_auth/jekyll_site'
+require_relative 'jekyll_auth/config_error'
+require_relative 'jekyll_auth/commands'
+
 Dotenv.load
 
 class JekyllAuth
@@ -17,4 +20,26 @@ class JekyllAuth
       run JekyllAuth::JekyllSite
     end
   end
+
+  def self.config_file
+    File.join(Dir.pwd, "_config.yml")
+  end
+
+  def self.config
+    @config ||= begin
+      config = YAML.safe_load_file(config_file)
+      config["jekyll_auth"] || {}
+    rescue
+      {}
+    end
+  end
+
+  def self.whitelist
+    whitelist = JekyllAuth::config["whitelist"]
+    Regexp.new(whitelist.join("|")) unless whitelist.nil?
+  end
+
+  def self.ssl?
+    !!JekyllAuth::config["ssl"]
+  end
 end

data/lib/jekyll_auth/auth_site.rb

@@ -0,0 +1,47 @@
+class JekyllAuth
+  class AuthSite < Sinatra::Base
+
+    configure :production do
+      require 'rack-ssl-enforcer'
+      use Rack::SslEnforcer if JekyllAuth.ssl?
+    end
+
+    use Rack::Session::Cookie, {
+      :http_only => true,
+      :secret    => ENV['SESSION_SECRET'] || SecureRandom.hex
+    }
+
+    set :github_options, {
+      :scopes    => 'read:org'
+    }
+
+    ENV['WARDEN_GITHUB_VERIFIER_SECRET'] ||= SecureRandom.hex
+    register Sinatra::Auth::Github
+
+    use Rack::Logger
+
+    include JekyllAuth::Helpers
+
+    before do
+      pass if whitelisted?
+
+      logger.info "Authentication strategy: #{authentication_strategy}"
+
+      case authentication_strategy
+      when :team
+        github_team_authenticate! ENV['GITHUB_TEAM_ID']
+      when :teams
+        github_teams_authenticate! ENV['GITHUB_TEAM_IDS'].split(",")
+      when :org
+        github_organization_authenticate! ENV['GITHUB_ORG_ID']
+      else
+        raise JekyllAuth::ConfigError
+      end
+    end
+
+    get '/logout' do
+      logout!
+      redirect '/'
+    end
+  end
+end

data/lib/jekyll_auth/commands.rb

@@ -0,0 +1,73 @@
+class JekyllAuth
+  class Commands
+
+    FILES = %w{Rakefile config.ru .gitignore .env}
+    VARS  = %w{client_id client_secret team_id org_id}
+
+    def self.source
+      @source ||= File.expand_path( "../../templates", File.dirname(__FILE__) )
+    end
+
+    def self.destination
+      @destination ||= Dir.pwd
+    end
+
+    def self.changed?
+      execute_command("git", "status", destination, "--porcelain").length != 0
+    rescue
+      false
+    end
+
+    def self.execute_command(*args)
+      output, status = Open3.capture2e(*args)
+      raise "Command `#{args.join(" ")}` failed: #{output}" if status != 0
+      output
+    end
+
+    def self.copy_templates
+      FILES.each do |file|
+        if File.exist? "#{destination}/#{file}"
+          puts "* #{destination}/#{file} already exists... skipping."
+        else
+          puts "* creating #{destination}/#{file}"
+          FileUtils.cp "#{source}/#{file}", "#{destination}/#{file}"
+        end
+      end
+    end
+
+    def self.team_id(org, team)
+      client = Octokit::Client.new :access_token => ENV["GITHUB_TOKEN"]
+      client.auto_paginate = true
+      teams = client.organization_teams org
+      found = teams.find { |t| t[:slug] == team }
+      found[:id] if found
+    end
+
+    def self.env_var_set?(var)
+      !(ENV[var].to_s.blank?)
+    end
+
+    def self.init_repo
+      execute_command "git", "init", destination
+      FILES.each do |file|
+        next if file == ".env"
+        execute_command("git", "add", "--", "#{destination}/#{file}")
+      end
+    end
+
+    def self.initial_commit
+      execute_command "git", "commit", "-m", "'[Jekyll Auth] Initial setup'"
+    end
+
+    def self.heroku_remote_set?
+      remotes = execute_command "git", "remote", "-v"
+      !!(remotes =~ /^heroku\s/)
+    end
+
+    def self.configure_heroku(options)
+      VARS.each do |var|
+        execute_command "heroku", "config:set", "GITHUB_#{var.upcase}=#{options[var]}" if options[var]
+      end
+    end
+  end
+end

data/lib/jekyll_auth/config_error.rb

@@ -0,0 +1,8 @@
+class JekyllAuth
+  class ConfigError < SecurityError
+
+    def message
+      "Jekyll Auth is refusing to serve your site because your oauth credentials are not properly configured."
+    end
+  end
+end

data/lib/jekyll_auth/helpers.rb

@@ -0,0 +1,18 @@
+class JekyllAuth
+  module Helpers
+    def whitelisted?
+      return true if request.path_info == "/logout"
+      !!(JekyllAuth.whitelist && JekyllAuth.whitelist.match(request.path_info))
+    end
+
+    def authentication_strategy
+      if !ENV['GITHUB_TEAM_ID'].to_s.blank?
+        :team
+      elsif !ENV['GITHUB_TEAM_IDS'].to_s.blank?
+        :teams
+      elsif !ENV['GITHUB_ORG_ID'].to_s.blank?
+        :org
+      end
+    end
+  end
+end

data/lib/jekyll_auth/jekyll_site.rb

@@ -0,0 +1,14 @@
+class JekyllAuth
+  class JekyllSite < Sinatra::Base
+
+    register Sinatra::Index
+    set :public_folder, File.expand_path('_site', Dir.pwd)
+    use_static_index 'index.html'
+
+    not_found do
+      status 404
+      four_oh_four = File.expand_path('_site/404.html', Dir.pwd)
+      File.read(four_oh_four) if File.exists?(four_oh_four)
+    end
+  end
+end

data/lib/jekyll_auth/sinatra/auth/github.rb

@@ -0,0 +1,11 @@
+module Sinatra
+  module Auth
+    module Github
+      # Like the native github_team_authenticate! but accepts an array of team ids
+      def github_teams_authenticate!(teams)
+        authenticate!
+        halt([401, "Unauthorized User"]) unless teams.any? { |team_id| github_team_access?(team_id) }
+      end
+    end
+  end
+end

data/lib/{jekyll-auth → jekyll_auth}/version.rb

@@ -1,3 +1,3 @@
 class JekyllAuth
-  VERSION = '0.6.1'
+  VERSION = '1.0.0'
 end

data/script/bootstrap

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+set -e
+
+echo "Let's get set up here..."
+bundle install
+echo "Boom."

data/script/cibuild

@@ -0,0 +1,8 @@
+#!/bin/sh
+# Test that all dependencies resolve, and that the thing actually fires
+
+set -e
+
+bundle exec rake spec
+bundle exec gem build jekyll-auth.gemspec
+bundle exec jekyll-auth --version

data/script/console

@@ -0,0 +1 @@
+bundle exec pry -r "./lib/jekyll-auth"

data/script/release

@@ -0,0 +1,38 @@
+#!/bin/sh
+# Tag and push a release.
+
+set -e
+
+# Make sure we're in the project root.
+
+cd $(dirname "$0")/..
+
+# Build a new gem archive.
+
+rm -rf jekyll-auth-*.gem
+gem build -q jekyll-auth.gemspec
+
+# Make sure we're on the master branch.
+
+(git branch | grep -q '* master') || {
+  echo "Only release from the master branch."
+  exit 1
+}
+
+# Figure out what version we're releasing.
+
+tag=v`ls jekyll-auth-*.gem | sed 's/^jekyll-auth-\(.*\)\.gem$/\1/'`
+
+# Make sure we haven't released this version before.
+
+git fetch -t origin
+
+(git tag -l | grep -q "$tag") && {
+  echo "Whoops, there's already a '${tag}' tag."
+  exit 1
+}
+
+# Tag it and bag it.
+
+gem push jekyll-auth-*.gem && git tag "$tag" &&
+  git push origin master && git push origin "$tag"

data/script/server

@@ -0,0 +1,3 @@
+#! /bin/sh
+
+bundle exec rake site

data/script/setup

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+bundle exec jekyll-auth setup

data/spec/jekyll_auth_auth_site_spec.rb

@@ -0,0 +1,76 @@
+require "spec_helper"
+
+describe "logged in user" do
+  include Rack::Test::Methods
+
+  def app
+    JekyllAuth.site
+  end
+
+  before(:each) do
+    setup_tmp_dir
+    @user = make_user('login' => 'benbaltertest')
+    login_as @user
+
+    ENV['GITHUB_ORG_ID'] = "balter-test-org"
+    
+    stub_request(:get, "https://api.github.com/orgs/#{ENV["GITHUB_ORG_ID"]}/members/benbaltertest").
+    to_return(:status => 200)
+  end
+
+  it "shows the securocat when github returns an oauth error" do
+    get "/auth/github/callback?error=redirect_uri_mismatch"
+    expect(last_response.body).to match(%r{securocat\.png})
+  end
+
+  it "logs the user out" do
+    get "/logout"
+    expect(last_response.status).to eql(302)
+    expect(last_response.headers['Location']).to eql("http://example.org/")
+
+    get "/"
+    expect(last_response.status).to eql(302)
+    expect(last_response.headers['Location']).to match(%r{^https://github\.com/login/oauth/authorize})
+  end
+
+end
+
+describe "logged out user" do
+
+  include Rack::Test::Methods
+
+  def app
+    JekyllAuth.site
+  end
+
+  before do
+    ENV['GITHUB_ORG_ID'] = "balter-test-org"
+  end
+
+  it "doesn't let you view indexes" do
+    get "/"
+    expect(last_response.status).to eql(302)
+    expect(last_response.headers['Location']).to match(%r{^https://github\.com/login/oauth/authorize})
+
+    get "/some_dir"
+    expect(last_response.status).to eql(302)
+    expect(last_response.headers['Location']).to match(%r{^https://github\.com/login/oauth/authorize})
+  end
+
+  it "doesn't let you view files" do
+    get "/index.html"
+    expect(last_response.status).to eql(302)
+    expect(last_response.headers['Location']).to match(%r{^https://github\.com/login/oauth/authorize})
+
+    get "/some_dir/index.html"
+    expect(last_response.status).to eql(302)
+    expect(last_response.headers['Location']).to match(%r{^https://github\.com/login/oauth/authorize})
+  end
+
+  it "refuses to serve the site without an authentication strategy" do
+    ENV["GITHUB_ORG_ID"] = nil
+    ENV["GITHUB_TEAM_ID"] = nil
+    ENV["GITHUB_TEAMS_ID"] = nil
+    expect{get "/"}.to raise_error(JekyllAuth::ConfigError)
+  end
+end

data/spec/jekyll_auth_bin_spec.rb

@@ -0,0 +1,44 @@
+require "spec_helper"
+
+describe "bin" do
+  before(:each) do
+    setup_tmp_dir
+  end
+
+  it "spits out the help do" do
+    env = { "GITHUB_TOKEN" => nil}
+    output = execute_bin(env, "--help")
+    expect(output).to match(%r{A simple way to use Github OAuth to serve a protected jekyll site to your GitHub organization})
+  end
+
+  describe "team id" do
+
+    it "errors if no token is given" do
+      env = { "GITHUB_TOKEN" => nil}
+      expect{execute_bin(env, "team_id", "--org", "balter-test-org", "--team", "1")}.to raise_error(RuntimeError).
+      with_message(/prefix the jekyll-auth command with GITHUB_TOKEN/)
+    end
+
+    it "errors if no team_id or org_id is given" do
+      env = { "GITHUB_TOKEN" => "1234"}
+      expect{execute_bin(env, "team_id")}.to raise_error(RuntimeError).
+      with_message(/An org name and team ID are required/)
+    end
+  end
+
+  it "initializes a new site" do
+    `git init`
+    `git add .`
+    `git commit -m 'initial commit'`
+    execute_bin({"RACK_ENV" => "TEST"}, "new")
+    expect(File).to exist("#{tmp_dir}/config.ru")
+    expect(File).to exist("#{tmp_dir}/Rakefile")
+    expect(File).to exist("#{tmp_dir}/.gitignore")
+    expect(File).to exist("#{tmp_dir}/.env")
+  end
+
+  it "builds the site" do
+    execute_bin({}, "build")
+    expect(File).to exist("#{tmp_dir}/_site/index.html")
+  end
+end