RubyGems - katalyst-basic-auth - Versions diffs - 0.3.2 → 0.4.0 - Mend

katalyst-basic-auth 0.3.2 → 0.4.0

Files changed (8) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +4 -0
data/README.md +1 -0
data/lib/katalyst/basic/auth/config.rb +55 -13
data/lib/katalyst/basic/auth/middleware.rb +1 -0
data/lib/katalyst/basic/auth/version.rb +1 -1
data/lib/katalyst/basic/auth.rb +11 -2
metadata +21 -7

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 42a7c271d2cff6d64ef648d0137bf97aa0bad05304140dca22cf0eca7540e721
-  data.tar.gz: cff3c9af52be2633129eb88b26ae7afd82eefe2f0f5631caa48adf7678882ee7
+  metadata.gz: 2ba4ca13e4d93df610df02a04c6282aa5320c47ffe44cf15b17ee9484ff7ec4b
+  data.tar.gz: 0fab877c0d5f4cd3dda28b2cd169c2339fda404e4d0033efbf202e4ed583c8ea
 SHA512:
-  metadata.gz: 0ca93649e6378df0b81d42799226fc3609137abcb0ae97224866bae219905e7395cc62012c34ac07fa0e8ee8431688fd7a86538ddcaa87b1e509df79b31775d6
-  data.tar.gz: 9035f91c1b3655a51fe8353ef535147c687a68b6582c659f4eb09a048da3ee2994ae782d605596befdad112eff4c507b24d762bba02fa15edd1f8312775cd32f
+  metadata.gz: 30d91927431d0f6c1a823ca25876c6995614f66e676fd3d4f83a4607becc6edb861ae1c52e5afb7ff247ce375e3f5401c4c0b12abecb94f166542ddb7595a925
+  data.tar.gz: 730907dfaca349496752303bee3778fabff379255ef6255a1db9e8c5ae39889040e22f69a112e291fc507c95bb28cf42bf1b6e7f161c00f4e2c5452ca27cc718

data/CHANGELOG.md CHANGED Viewed

@@ -1,3 +1,7 @@
+## [0.4.0] - 2022-06-10
+- Add support for IP address allowlists
 ## [0.3.2] - 2022-03-25
 - Publish to RubyGems

data/README.md CHANGED Viewed

@@ -32,6 +32,7 @@ The following environment variables can optionally be defined to configure the g
 | KATALYST_BASIC_AUTH_ENABLED | If "yes" or "true", the middleware will be enabled. By default, the middleware is enabled on staging and uat Rails environments |
 | KATALYST_BASIC_AUTH_USER | The username for basic authentication. Default is the Rails application name in lowercase. |
 | KATALYST_BASIC_AUTH_PASS | The password for basic authentication. A password will be generated if not set. |
+| KATALYST_BASIC_AUTH_IP_ALLOWLIST | Comma or space separated list of IP addresses or CIDR ranges to allow without basic auth |
 The gem provides a rake task that can be used to query basic auth settings:

data/lib/katalyst/basic/auth/config.rb CHANGED Viewed

@@ -1,11 +1,13 @@
 # frozen_string_literal: true
 require "digest"
+require "ipaddr"
+require "rack"
 module Katalyst
   module Basic
     module Auth
-      class Config
+      class Config # rubocop:disable Metrics/ClassLength
         DEFAULT_USERNAME = "katalyst"
         ROOT_PATH        = "/"
@@ -26,8 +28,19 @@ module Katalyst
             all[0]
           end
-          def add(path:, username: nil, password: nil, enabled: nil)
-            config = new(path: path, username: username, password: password, enabled: enabled)
+          # @param path [String] Relative path
+          # @param username [String] Basic auth user name
+          # @param password [String] Basic auth password
+          # @param enabled [Boolean] True to enable basic auth for this path
+          # @param ip_allowlist [Array<String>] List of IP addresses or network ranges to allow without basic auth
+          def add(path:, username: nil, password: nil, enabled: nil, ip_allowlist: nil)
+            config = new(
+              path:         path,
+              username:     username,
+              password:     password,
+              enabled:      enabled,
+              ip_allowlist: ip_allowlist
+            )
             all.delete(all.detect { |i| i.path == config.path })
             all << config
             config
@@ -48,10 +61,7 @@ module Katalyst
           def description
             output = ["Basic auth settings:", ""]
             all.each do |config|
-              output << "path:     #{config.root_path? ? "(global)" : config.path}"
-              output << "enabled:  #{config.enabled?}"
-              output << "username: #{config.username}"
-              output << "password: #{config.password}"
+              output << config.description
               output << ""
             end
             output.join("\n")
@@ -96,9 +106,13 @@ module Katalyst
               ENV["SECRET_KEY_BASE"]
             end
           end
+          def default_ip_allowlist
+            ENV.fetch("KATALYST_BASIC_AUTH_IP_ALLOWLIST", "").split(/[\s,]+/)
+          end
         end
-        attr_reader :path, :username, :password
+        attr_reader :path, :username, :password, :ip_allowlist
         def enabled?
           @enabled
@@ -108,13 +122,37 @@ module Katalyst
           path == ROOT_PATH
         end
+        def allow_ip?(env)
+          request = ::Rack::Request.new(env)
+          return false unless request.ip
+          remote_ip = IPAddr.new(request.ip)
+          ip_allowlist.any? { |i| i.include?(remote_ip) }
+        end
+        def description
+          output = []
+          output << "path:         #{root_path? ? "(global)" : path}"
+          output << "enabled:      #{enabled?}"
+          output << "username:     #{username}"
+          output << "password:     #{password}"
+          output << "ip allowlist: #{ip_allowlist.inspect}"
+          output.join("\n")
+        end
         private
-        def initialize(path: nil, username: nil, password: nil, enabled: nil)
-          @path     = sanitize_path(path)
-          @username = username || self.class.default_username
-          @password = password || self.class.default_password(@username)
-          @enabled  = enabled.nil? ? (!root_path? || self.class.enabled?) : enabled
+        # @param path [String] Relative path
+        # @param username [String] Basic auth user name
+        # @param password [String] Basic auth password
+        # @param enabled [Boolean] True to enable basic auth for this path
+        # @param ip_allowlist [Array<String>] List of IP addresses or network ranges to allow without basic auth
+        def initialize(path: nil, username: nil, password: nil, enabled: nil, ip_allowlist: nil)
+          @path         = sanitize_path(path)
+          @username     = username || self.class.default_username
+          @password     = password || self.class.default_password(@username)
+          @enabled      = enabled.nil? ? (!root_path? || self.class.enabled?) : enabled
+          @ip_allowlist = initialize_ip_allowlist(ip_allowlist)
         end
         def sanitize_path(path)
@@ -123,6 +161,10 @@ module Katalyst
           path = "/#{path}" unless path.start_with?("/")
           path
         end
+        def initialize_ip_allowlist(ip_allowlist)
+          (ip_allowlist || self.class.default_ip_allowlist).map { |i| IPAddr.new(i) }
+        end
       end
     end
   end

data/lib/katalyst/basic/auth/middleware.rb CHANGED Viewed

@@ -13,6 +13,7 @@ module Katalyst
         def call(env)
           config = Config.for_path(env["PATH_INFO"])
           return @app.call(env) unless config.enabled?
+          return @app.call(env) if config.allow_ip?(env)
           auth = Rack::Auth::Basic.new(app) do |u, p|
             u == config.username && p == config.password

data/lib/katalyst/basic/auth/version.rb CHANGED Viewed

@@ -3,7 +3,7 @@
 module Katalyst
   module Basic
     module Auth
-      VERSION = "0.3.2"
+      VERSION = "0.4.0"
     end
   end
 end

data/lib/katalyst/basic/auth.rb CHANGED Viewed

@@ -10,11 +10,20 @@ module Katalyst
     module Auth
       class << self
         # Add a path to be protected by basic authentication
-        def add(path, username: nil, password: nil)
-          Config.add(path: path, username: username, password: password)
+        # @param path [String] Relative path
+        # @param username [String] Basic auth user name
+        # @param password [String] Basic auth password
+        # @param ip_allowlist [Array<String>] List of IP addresses or network ranges to allow without basic auth
+        def add(path, username: nil, password: nil, ip_allowlist: nil)
+          Config.add(path:         path,
+                     username:     username,
+                     password:     password,
+                     enabled:      true,
+                     ip_allowlist: ip_allowlist)
         end
         # Add a path to be excluded from basic authentication
+        # @param path [String] Relative path
         def exclude(path)
           Config.add(path: path, enabled: false)
         end

metadata CHANGED Viewed

@@ -1,15 +1,29 @@
 --- !ruby/object:Gem::Specification
 name: katalyst-basic-auth
 version: !ruby/object:Gem::Version
-  version: 0.3.2
+  version: 0.4.0
 platform: ruby
 authors:
 - Katalyst Interactive
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2022-03-25 00:00:00.000000000 Z
-dependencies: []
+date: 2022-06-14 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rack
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 description: Makes it easy to add basic auth on staging and development apps.
 email:
 - admin@katalyst.com.au
@@ -35,7 +49,7 @@ metadata:
   homepage_uri: https://github.com/katalyst/katalyst-basic-auth
   source_code_uri: https://github.com/katalyst/katalyst-basic-auth
   changelog_uri: https://github.com/katalyst/katalyst-basic-auth/blob/main/CHANGELOG.md
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -50,8 +64,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.2.32
-signing_key:
+rubygems_version: 3.3.15
+signing_key:
 specification_version: 4
 summary: Gem to add basic auth on staging websites
 test_files: []