mais-access 1.1.1 → 2.1.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f88002e1195c7f1187c27fa7a244619fa3101a2ab91a650260dfcd9acb9d9912
-  data.tar.gz: fdc4e863615ef1ff267d989a0bdd2696ffa2bdbd876695cf4a15b484c4949aaf
+  metadata.gz: 7a805653b216cf10cc22f5022741c3e1983f281283a079dc3b44288d74826a40
+  data.tar.gz: 69c9cbfb19ce32de6b7a7ba5479454e04c7cc4600b00eb80f84d7c5c89c89575
 SHA512:
-  metadata.gz: 59f48ae598a636cfcaa9b82acb728e70977d7dbd384cf85404d3d11179db9ec46b79ce0c479790e4c05e1e13dd12f98f1d3bcd54a4bfa04f53cd662528d69dd9
-  data.tar.gz: e350a1b236ecefb20a7184d301c94c3be458c5ec4a8e1b81c986a17ef59257467c4fe89e324f1de48a5a699318073a0981800f4f8e6d33c90a1e9a58eb1df53c
+  metadata.gz: d661f99ca020d193ff8b55f9ac94b8fc8ed783390812bf9a83a4b2d4042d2361ebeae802ffdc328f6661d2ca9feae36eb47382a86bddcf0b0ae062b5c133cc0b
+  data.tar.gz: 4965b71be71484ae798897f07b84bef6f16d33e8db7e40e97637708b7af2956dbfc9ab32f626100c7ab8b529ce9f5b6ff23b43369389f77d633878e5747ea299

data/lib/mais/access/controller.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module MaisAccess
+  module Controller
+    require "mais/access/dispatcher"
+    require "mais/access/user"
+
+    include MaisAccess::Dispatcher
+
+    MAIS_CLIENT = (Rails.application.credentials[:client] || "unregistered").freeze
+    PROMPT = "access - MAIS - #{MAIS_CLIENT}"
+    public_constant :MAIS_CLIENT
+    private_constant :PROMPT
+
+    def mais_user
+      @mais_user ||= MaisAccess::User.new(session[:mais_user])
+    end
+
+    private
+
+    def authenticate_mais_user!
+      valid_jwt? || authenticate_or_request_with_http_basic(PROMPT) do |l, p|
+        user?(l, p)
+      end
+    end
+  end
+end

data/lib/mais/access/dispatcher.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module MaisAccess
+  module Dispatcher
+    AUTH_ENDPOINT = "#{ENV.fetch("MAIS_ACCOUNTS_HOSTNAME")}/api/authenticate"
+    JWT_ENDPOINT = "#{ENV.fetch("MAIS_ACCOUNTS_HOSTNAME")}/api/verify"
+    private_constant :AUTH_ENDPOINT
+    private_constant :JWT_ENDPOINT
+
+    private
+
+    def set_session(user = nil, jwt = nil)
+      reset_session
+      session[:mais_user] = user
+      session[:jwt] = jwt
+    end
+
+    def make_secure_http(endpoint)
+      uri = URI(endpoint)
+
+      begin
+        # Setup and yield an HTTPS connection to the specified endpoint
+        Net::HTTP.start(uri.host, uri.port, use_ssl: true) do |http|
+          yield(uri.path, http)
+        end
+      rescue StandardError => e
+        Rails.logger.error(e)
+        # Something went wrong, so save our butts and don't them in
+        false
+      end
+    end
+
+    def valid_jwt?
+      return false if session[:mais_user].blank? || session[:jwt].blank?
+
+      make_secure_http(JWT_ENDPOINT) do |path, http|
+        # Try to access the verification endpoint with the stored JWT
+        request = Net::HTTP::Get.new(path)
+        request["Authorization"] = session[:jwt]
+        response = http.request(request)
+
+        # If the server returns HTTP 204 No Content, the token is valid.
+        # `next` is required instead of `return` because `return` exits
+        # without finishing the block execution (cleaning up)
+        next true if response.code == "204"
+
+        # invalid token, force a session reset
+        set_session
+        false
+      end
+    end
+
+    def user?(login, password)
+      make_secure_http(AUTH_ENDPOINT) do |path, http|
+        # Post the credentials to the authentication endpoint
+        request = Net::HTTP::Post.new(path, { "Content-Type" => "application/json" })
+        request.body = JSON.generate({ user: { username: login, password: password } })
+        response = http.request(request)
+
+        # Parse the response body as JSON
+        body = JSON.parse(response.body)
+
+        # If the user is valid, reset the session and set the current mais user
+        if response.code == "201" && body["user"]
+          set_session(body["user"], response["Authorization"])
+          next true
+        end
+
+        false
+      end
+    end
+  end
+end

data/lib/mais/access/user.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module MaisAccess
+  # An abstract class used to store the currently authenticated MAIS user. An instance
+  # of this class is initialized every time `authenticate_mais_user!` completes
+  # successfully. The current MAIS user can be accessed anytime via the `mais_user`
+  # method.
+  class User
+    attr_reader :username, :full_name
+
+    def initialize(*params)
+      params = params[0]
+      @username = params["username"]
+      @full_name = params["full_name"]
+    end
+  end
+end

data/lib/mais/access.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module MaisAccess
+  class Railtie < ::Rails::Railtie
+    initializer("mais.middleware") do |_app|
+      # Hook into ActionController's loading process
+      ActiveSupport.on_load(:action_controller) do
+        require "mais/access/controller"
+
+        include MaisAccess::Controller
+
+        # Mark the `mais_user` reader method as a helper so that it can be accessed
+        # from a view
+        helper_method :mais_user
+
+        # Force a MAIS user authentication check on every request
+        before_action :authenticate_mais_user!
+
+        # "Cross-Site Request Forgery (CSRF) is an attack that allows a malicious user
+        # to spoof legitimate requests to your server, masquerading as an authenticated
+        # user. Rails protects against this kind of attack by generating unique tokens
+        # and validating their authenticity with each submission."
+        #
+        # https://link.medium.com/q1U60lAYm7
+        #
+        # If Rails detects an invalid authentication token, reset the current session.
+        # Prepend forgery protection to the beginning of the request action chain to
+        # ensure that it is the first thing to run.
+        protect_from_forgery with: :reset_session, prepend: true
+      end
+    end
+  end
+end

metadata

@@ -1,79 +1,135 @@
 --- !ruby/object:Gem::Specification
 name: mais-access
 version: !ruby/object:Gem::Version
-  version: 1.1.1
+  version: 2.1.2
 platform: ruby
 authors:
 - Elias Gabriel
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2020-02-18 00:00:00.000000000 Z
+date: 2023-02-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.2'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '5.2'
+- !ruby/object:Gem::Dependency
+  name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 4.0.2
+        version: 12.3.3
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ">="
       - !ruby/object:Gem::Version
-        version: 4.0.2
+        version: 12.3.3
 - !ruby/object:Gem::Dependency
-  name: bundler
+  name: practical-pig
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '1.0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '1.0'
 - !ruby/object:Gem::Dependency
-  name: rake
+  name: rubocop
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
-description: A simple gem that provides HTTP Basic Authentication for users registered
-  with the MAIS(tm) accounts application.
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-performance
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: rubocop-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: mais-access provides a simple yet secure HTTP(S) authentication barrier
+  for applications developed within the MAIS system. After initial connection, sessions
+  for authenticated clients are validated by JSON Web Tokens for reduced overhead
+  and improved security.
 email: me@eliasfgabriel.com
 executables: []
 extensions: []
-extra_rdoc_files:
-- README.md
+extra_rdoc_files: []
 files:
-- ".gitattributes"
-- ".gitignore"
-- Gemfile
-- README.md
-- lib/mais-access.rb
-- lib/mais-access/dispatcher.rb
-- lib/mais-access/user.rb
-- mais-access.gemspec
-homepage: https://github.com/sdbase/mais-access
+- lib/mais/access.rb
+- lib/mais/access/controller.rb
+- lib/mais/access/dispatcher.rb
+- lib/mais/access/user.rb
+homepage: https://github.com/metabronx/mais-access
 licenses:
 - CC-BY-NC-SA-4.0
 metadata:
-  source_code_uri: https://github.com/sdbase/mais-access
-  homepage_uri: https://github.com/sdbase/mais-access
+  homepage_uri: https://www.metabronx.com
+  source_code_uri: https://github.com/metabronx/mais-access
+  bug_tracker_uri: https://github.com/metabronx/mais-access/issues
+  rubygems_mfa_required: 'true'
+  funding_uri: https://www.metabronx.com/invest
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -82,16 +138,15 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 2.4.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.7.6.2
+rubygems_version: 3.4.6
 signing_key: 
 specification_version: 4
-summary: A MAIS(tm) authentication middleware.
+summary: Provides an HTTP/JWT authentication middleware.
 test_files: []

data/.gitattributes

@@ -1,2 +0,0 @@
-# Auto detect text files and perform LF normalization
-* text=auto

data/.gitignore

@@ -1,2 +0,0 @@
-/node_modules
-*.gem

data/Gemfile

@@ -1,4 +0,0 @@
-source "https://rubygems.org"
-
-# Specify your gem's dependencies in parceler.gemspec
-gemspec

data/README.md

@@ -1,11 +0,0 @@
-# MAIS Access
-
-A simple gem that enforces HTTP Basic Authentication for account holders in the MAIS business management and information system.
-
-## License
-
-Copyright � 2019 [Elias Gabriel](https://eliasfgabriel.com/), [sdbase](http://sdbase.com/)
-
-This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
-
-To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/4.0/ or send a letter to Creative Commons, PO Box 1866, Mountain View, CA 94042, USA.

data/lib/mais-access/dispatcher.rb

@@ -1,44 +0,0 @@
-module MaisAccess
-    module Dispatcher
-        require 'net/https'
-        require 'uri'
-        require 'json'
-        require 'mais-access/user'
-
-        attr_reader :mais_user
-
-        MAIS_CLIENT = ENV['MAIS_CLIENT']
-
-        def authenticate_mais_user!
-            # Prompt the user for HTTP Basic credentials, or authenticate if they are cached in the session
-            authenticate_or_request_with_http_basic("access - MAIS - #{MAIS_CLIENT}") do |login, password|
-                begin
-                    # Setup https connection and specify certificate bundle
-                    url = URI("#{ENV['MAIS_ACCOUNTS_HOSTNAME']}/authenticate")
-                    http = Net::HTTP.new(url.host, 443)
-                    http.use_ssl = true
-                    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-                    http.cert_store = OpenSSL::X509::Store.new
-                    http.cert_store.set_default_paths
-                    http.cert_store.add_file("/etc/pki/tls/certs/server.crt")
-
-                    # Get the credentials and POST them to `accounts.scenycwork.net/authenticate`
-                    request = Net::HTTP::Post.new(url.path, {'Content-Type' => 'application/json'})
-                    request.set_form_data({ "username" => login, "password" => password })
-                    response = http.request(request)
-
-                    # Parse the response body as JSON
-                    body = JSON.parse(response.body)
-
-                    # If the user is valid, set the current mais user and passes the filter action
-                    if response.code == '200' && body["authenticated"]
-                        @mais_user = MaisAccess::User.new(body["user"])
-                        return true
-                    end
-                rescue => e
-                    # Something went wrong, so save our butts and don't them in.
-                end
-            end
-        end
-    end
-end

data/lib/mais-access/user.rb

@@ -1,16 +0,0 @@
-# frozen_string_literal: true
-
-module MaisAccess
-    # An abstract class used to store the currently authenticated MAIS user. An instance of
-    # this class is initialized everytime `authenticate_mais_user!` completes successfully.
-    # The current MAIS user can be accessed anytime via the `mais_user` method.
-    class User
-        attr_reader :username, :full_name
-
-        def initialize(*params)
-            params = params[0]
-            @username = params["username"]
-            @full_name = params["full_name"]
-        end
-    end
-end

data/lib/mais-access.rb

@@ -1,18 +0,0 @@
-module MaisAccess
-	class Railtie < ::Rails::Railtie
-		initializer('mais.middleware') do |app|
-			# Hook into ActionController's loading process
-			ActiveSupport.on_load(:action_controller) do
-				require 'mais-access/dispatcher'
-				include MaisAccess::Dispatcher
-
-				# Mark the `mais_user` reader method (defined in Mais::Dispatcher) as a
-				# helper so that it can be accessed from a view
-				helper_method :mais_user
-
-				# Force a MAIS user authentication check on every request
-				before_action :authenticate_mais_user!
-			end
-		end
-	end
-end

data/mais-access.gemspec

@@ -1,27 +0,0 @@
-lib = File.expand_path("lib", __dir__)
-$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
-
-Gem::Specification.new do |spec|
-	spec.name          = "mais-access"
-	spec.version       = "1.1.1"
-	spec.platform      = Gem::Platform::RUBY
-	spec.author        = "Elias Gabriel"
-	spec.email         = "me@eliasfgabriel.com"
-	spec.summary       = "A MAIS(tm) authentication middleware."
-	spec.description   = "A simple gem that provides HTTP Basic Authentication for users registered with the MAIS(tm) accounts application."
-	spec.homepage      = "https://github.com/sdbase/mais-access"
-	spec.license       = "CC-BY-NC-SA-4.0"
-
-	spec.metadata["homepage_uri"] = spec.metadata["source_code_uri"] = spec.homepage
-	spec.extra_rdoc_files = ["README.md"]
-
-	spec.require_paths = ["lib"]
-	spec.files = Dir.chdir(File.expand_path('..', __FILE__)) do
-		`git ls-files -z`.split("\x0")
-	end
-
-	spec.add_dependency "rails", '>= 4.0.2'
-
-	spec.add_development_dependency "bundler", '~> 2.0'
-	spec.add_development_dependency "rake", '~> 10.0'
-end