katalyst-basic-auth 0.3.2 → 0.4.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA256:
3
- metadata.gz: 42a7c271d2cff6d64ef648d0137bf97aa0bad05304140dca22cf0eca7540e721
4
- data.tar.gz: cff3c9af52be2633129eb88b26ae7afd82eefe2f0f5631caa48adf7678882ee7
3
+ metadata.gz: 2ba4ca13e4d93df610df02a04c6282aa5320c47ffe44cf15b17ee9484ff7ec4b
4
+ data.tar.gz: 0fab877c0d5f4cd3dda28b2cd169c2339fda404e4d0033efbf202e4ed583c8ea
5
5
  SHA512:
6
- metadata.gz: 0ca93649e6378df0b81d42799226fc3609137abcb0ae97224866bae219905e7395cc62012c34ac07fa0e8ee8431688fd7a86538ddcaa87b1e509df79b31775d6
7
- data.tar.gz: 9035f91c1b3655a51fe8353ef535147c687a68b6582c659f4eb09a048da3ee2994ae782d605596befdad112eff4c507b24d762bba02fa15edd1f8312775cd32f
6
+ metadata.gz: 30d91927431d0f6c1a823ca25876c6995614f66e676fd3d4f83a4607becc6edb861ae1c52e5afb7ff247ce375e3f5401c4c0b12abecb94f166542ddb7595a925
7
+ data.tar.gz: 730907dfaca349496752303bee3778fabff379255ef6255a1db9e8c5ae39889040e22f69a112e291fc507c95bb28cf42bf1b6e7f161c00f4e2c5452ca27cc718
data/CHANGELOG.md CHANGED
@@ -1,3 +1,7 @@
1
+ ## [0.4.0] - 2022-06-10
2
+
3
+ - Add support for IP address allowlists
4
+
1
5
  ## [0.3.2] - 2022-03-25
2
6
 
3
7
  - Publish to RubyGems
data/README.md CHANGED
@@ -32,6 +32,7 @@ The following environment variables can optionally be defined to configure the g
32
32
  | KATALYST_BASIC_AUTH_ENABLED | If "yes" or "true", the middleware will be enabled. By default, the middleware is enabled on staging and uat Rails environments |
33
33
  | KATALYST_BASIC_AUTH_USER | The username for basic authentication. Default is the Rails application name in lowercase. |
34
34
  | KATALYST_BASIC_AUTH_PASS | The password for basic authentication. A password will be generated if not set. |
35
+ | KATALYST_BASIC_AUTH_IP_ALLOWLIST | Comma or space separated list of IP addresses or CIDR ranges to allow without basic auth |
35
36
 
36
37
  The gem provides a rake task that can be used to query basic auth settings:
37
38
 
@@ -1,11 +1,13 @@
1
1
  # frozen_string_literal: true
2
2
 
3
3
  require "digest"
4
+ require "ipaddr"
5
+ require "rack"
4
6
 
5
7
  module Katalyst
6
8
  module Basic
7
9
  module Auth
8
- class Config
10
+ class Config # rubocop:disable Metrics/ClassLength
9
11
  DEFAULT_USERNAME = "katalyst"
10
12
  ROOT_PATH = "/"
11
13
 
@@ -26,8 +28,19 @@ module Katalyst
26
28
  all[0]
27
29
  end
28
30
 
29
- def add(path:, username: nil, password: nil, enabled: nil)
30
- config = new(path: path, username: username, password: password, enabled: enabled)
31
+ # @param path [String] Relative path
32
+ # @param username [String] Basic auth user name
33
+ # @param password [String] Basic auth password
34
+ # @param enabled [Boolean] True to enable basic auth for this path
35
+ # @param ip_allowlist [Array<String>] List of IP addresses or network ranges to allow without basic auth
36
+ def add(path:, username: nil, password: nil, enabled: nil, ip_allowlist: nil)
37
+ config = new(
38
+ path: path,
39
+ username: username,
40
+ password: password,
41
+ enabled: enabled,
42
+ ip_allowlist: ip_allowlist
43
+ )
31
44
  all.delete(all.detect { |i| i.path == config.path })
32
45
  all << config
33
46
  config
@@ -48,10 +61,7 @@ module Katalyst
48
61
  def description
49
62
  output = ["Basic auth settings:", ""]
50
63
  all.each do |config|
51
- output << "path: #{config.root_path? ? "(global)" : config.path}"
52
- output << "enabled: #{config.enabled?}"
53
- output << "username: #{config.username}"
54
- output << "password: #{config.password}"
64
+ output << config.description
55
65
  output << ""
56
66
  end
57
67
  output.join("\n")
@@ -96,9 +106,13 @@ module Katalyst
96
106
  ENV["SECRET_KEY_BASE"]
97
107
  end
98
108
  end
109
+
110
+ def default_ip_allowlist
111
+ ENV.fetch("KATALYST_BASIC_AUTH_IP_ALLOWLIST", "").split(/[\s,]+/)
112
+ end
99
113
  end
100
114
 
101
- attr_reader :path, :username, :password
115
+ attr_reader :path, :username, :password, :ip_allowlist
102
116
 
103
117
  def enabled?
104
118
  @enabled
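Review bot: `default_ip_allowlist` splits the variable with `/[\s,]+/`, and a leading separator — `KATALYST_BASIC_AUTH_IP_ALLOWLIST=" 10.0.0.0/8"` or `",10.0.0.0/8"` — yields a leading empty string, because `String#split` with a regexp only drops trailing empties; that token then reaches `IPAddr.new` in `initialize_ip_allowlist` (next hunk) and raises `IPAddr::InvalidAddressError` for an allowlist that is otherwise valid. Drop empty tokens at the source: `ENV.fetch("KATALYST_BASIC_AUTH_IP_ALLOWLIST", "").split(/[\s,]+/).reject(&:empty?)`. A genuinely malformed entry should still fail loudly rather than be skipped, since a silently shortened allowlist is harder to notice than a startup error, so I would not rescue there — only avoid the false positive.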
@@ -108,13 +122,37 @@ module Katalyst
108
122
  path == ROOT_PATH
109
123
  end
110
124
 
125
+ def allow_ip?(env)
126
+ request = ::Rack::Request.new(env)
127
+ return false unless request.ip
128
+
129
+ remote_ip = IPAddr.new(request.ip)
130
+ ip_allowlist.any? { |i| i.include?(remote_ip) }
131
+ end
132
+
133
+ def description
134
+ output = []
135
+ output << "path: #{root_path? ? "(global)" : path}"
136
+ output << "enabled: #{enabled?}"
137
+ output << "username: #{username}"
138
+ output << "password: #{password}"
139
+ output << "ip allowlist: #{ip_allowlist.inspect}"
140
+ output.join("\n")
141
+ end
142
+
111
143
  private
112
144
 
113
- def initialize(path: nil, username: nil, password: nil, enabled: nil)
114
- @path = sanitize_path(path)
115
- @username = username || self.class.default_username
116
- @password = password || self.class.default_password(@username)
117
- @enabled = enabled.nil? ? (!root_path? || self.class.enabled?) : enabled
145
+ # @param path [String] Relative path
146
+ # @param username [String] Basic auth user name
147
+ # @param password [String] Basic auth password
148
+ # @param enabled [Boolean] True to enable basic auth for this path
149
+ # @param ip_allowlist [Array<String>] List of IP addresses or network ranges to allow without basic auth
150
+ def initialize(path: nil, username: nil, password: nil, enabled: nil, ip_allowlist: nil)
151
+ @path = sanitize_path(path)
152
+ @username = username || self.class.default_username
153
+ @password = password || self.class.default_password(@username)
154
+ @enabled = enabled.nil? ? (!root_path? || self.class.enabled?) : enabled
155
+ @ip_allowlist = initialize_ip_allowlist(ip_allowlist)
118
156
  end
119
157
 
120
158
  def sanitize_path(path)
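Review bot: `allow_ip?` calls `IPAddr.new(request.ip)` with no rescue, so any address string Rack returns that IPAddr cannot parse escapes the middleware as an `IPAddr::InvalidAddressError` instead of falling through to the basic-auth challenge; whether Rack validates what it derives from proxy headers varies by Rack version, so in some deployments that string is client-controlled. Treat anything unparsable as "not allowlisted" by giving the method a rescue clause, `rescue IPAddr::InvalidAddressError` / `false`, and skip the request parsing entirely with `return false if ip_allowlist.empty?` at the top, which is the common case for every config that does not set an allowlist. The method would also benefit from a one-line comment stating that a match bypasses basic auth and that the compared address is whatever `Rack::Request#ip` reports, since that is the security-relevant contract and nothing in the class says it.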
@@ -123,6 +161,10 @@ module Katalyst
123
161
  path = "/#{path}" unless path.start_with?("/")
124
162
  path
125
163
  end
164
+
165
+ def initialize_ip_allowlist(ip_allowlist)
166
+ (ip_allowlist || self.class.default_ip_allowlist).map { |i| IPAddr.new(i) }
167
+ end
126
168
  end
127
169
  end
128
170
  end
@@ -13,6 +13,7 @@ module Katalyst
13
13
  def call(env)
14
14
  config = Config.for_path(env["PATH_INFO"])
15
15
  return @app.call(env) unless config.enabled?
16
+ return @app.call(env) if config.allow_ip?(env)
16
17
 
17
18
  auth = Rack::Auth::Basic.new(app) do |u, p|
18
19
  u == config.username && p == config.password
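Review bot: The bypass on `return @app.call(env) if config.allow_ip?(env)` is decided by `Rack::Request#ip`, which in Rack 2.x, as I read it, consults the `X-Forwarded-For` header whenever `REMOTE_ADDR` is a loopback or private address that Rack's default `trusted_proxy?` accepts — the usual situation behind a load balancer or inside a container network. If the proxy in front of a staging host does not overwrite that header, a client can send `X-Forwarded-For: <allowlisted address>` and skip basic auth entirely; whether that is exploitable depends on the deployment, so the trust boundary needs to be stated rather than assumed. At minimum document it next to the check, e.g. `# NOTE: the address comes from Rack::Request#ip, which honours X-Forwarded-For from trusted proxies; only set an IP allowlist behind a proxy that overwrites that header`, and consider a safe default of comparing `env["REMOTE_ADDR"]` with an explicit opt-in for forwarded headers.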
@@ -3,7 +3,7 @@
3
3
  module Katalyst
4
4
  module Basic
5
5
  module Auth
6
- VERSION = "0.3.2"
6
+ VERSION = "0.4.0"
7
7
  end
8
8
  end
9
9
  end
@@ -10,11 +10,20 @@ module Katalyst
10
10
  module Auth
11
11
  class << self
12
12
  # Add a path to be protected by basic authentication
13
- def add(path, username: nil, password: nil)
14
- Config.add(path: path, username: username, password: password)
13
+ # @param path [String] Relative path
14
+ # @param username [String] Basic auth user name
15
+ # @param password [String] Basic auth password
16
+ # @param ip_allowlist [Array<String>] List of IP addresses or network ranges to allow without basic auth
17
+ def add(path, username: nil, password: nil, ip_allowlist: nil)
18
+ Config.add(path: path,
19
+ username: username,
20
+ password: password,
21
+ enabled: true,
22
+ ip_allowlist: ip_allowlist)
15
23
  end
16
24
 
17
25
  # Add a path to be excluded from basic authentication
26
+ # @param path [String] Relative path
18
27
  def exclude(path)
19
28
  Config.add(path: path, enabled: false)
20
29
  end
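Review bot: `add` now passes `enabled: true` explicitly where 0.3.2 left it `nil`, so for the root path `Katalyst::Basic::Auth.add("/")` no longer defers to the environment toggle (`Config#initialize` in the config.rb hunk resolves a nil `enabled` to `!root_path? || self.class.enabled?`) and will force basic auth on regardless of `KATALYST_BASIC_AUTH_ENABLED` or Rails environment. That may be intended, but it is a behaviour change not covered by the 0.4.0 CHANGELOG entry; either add a line such as `- Paths added via Katalyst::Basic::Auth.add are always enabled, regardless of KATALYST_BASIC_AUTH_ENABLED` or drop the explicit `enabled: true` if the old semantics were wanted. The new YARD block should also say that `ip_allowlist: nil` means "use KATALYST_BASIC_AUTH_IP_ALLOWLIST", since that fallback happens in `Config#initialize_ip_allowlist` and is not visible from this call site.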
metadata CHANGED
@@ -1,15 +1,29 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: katalyst-basic-auth
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.3.2
4
+ version: 0.4.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Katalyst Interactive
8
- autorequire:
8
+ autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2022-03-25 00:00:00.000000000 Z
12
- dependencies: []
11
+ date: 2022-06-14 00:00:00.000000000 Z
12
+ dependencies:
13
+ - !ruby/object:Gem::Dependency
14
+ name: rack
15
+ requirement: !ruby/object:Gem::Requirement
16
+ requirements:
17
+ - - ">="
18
+ - !ruby/object:Gem::Version
19
+ version: '0'
20
+ type: :runtime
21
+ prerelease: false
22
+ version_requirements: !ruby/object:Gem::Requirement
23
+ requirements:
24
+ - - ">="
25
+ - !ruby/object:Gem::Version
26
+ version: '0'
13
27
  description: Makes it easy to add basic auth on staging and development apps.
14
28
  email:
15
29
  - admin@katalyst.com.au
@@ -35,7 +49,7 @@ metadata:
35
49
  homepage_uri: https://github.com/katalyst/katalyst-basic-auth
36
50
  source_code_uri: https://github.com/katalyst/katalyst-basic-auth
37
51
  changelog_uri: https://github.com/katalyst/katalyst-basic-auth/blob/main/CHANGELOG.md
38
- post_install_message:
52
+ post_install_message:
39
53
  rdoc_options: []
40
54
  require_paths:
41
55
  - lib
@@ -50,8 +64,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
50
64
  - !ruby/object:Gem::Version
51
65
  version: '0'
52
66
  requirements: []
53
- rubygems_version: 3.2.32
54
- signing_key:
67
+ rubygems_version: 3.3.15
68
+ signing_key:
55
69
  specification_version: 4
56
70
  summary: Gem to add basic auth on staging websites
57
71
  test_files: []