nginx_omniauth_adapter 0.2.0 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: da45545a31a51031b94607551c7296f3011c3769
-  data.tar.gz: 79f17b771dffb86ff9527b78a7fbbe14d1a71bf1
+SHA256:
+  metadata.gz: 66f14d6c854ca770e18ee0898ed71488b40d74dca518e543035cef0940d9f228
+  data.tar.gz: 23e54318a5efbd0f6dd2b020b4454d16b8e6f847982d9a379256244e48edbdc9
 SHA512:
-  metadata.gz: 84be2b3d973d457a98b52ba75498b3dd84557012dd8fc9ddadeb5e2873fd9a80efb146f2177024214eadbaf1524814869f250c5ce972fce3e5bad3f61aad7714
-  data.tar.gz: 432c64e9ec6b1953947d6a8ed72e6c4eb019db5cf984cd62de39361c4d594ca7800be2686f25caae168c9b14f5ec24ccf8ae58ff951916ab049129a613687a6d
+  metadata.gz: f893093f330d8b3cbacec6d3a1366f44da12cc0fe9eb75b68f0c2ff075ba7cdeb6c0a71a52e4d4283642562e8c6b4b79f7378b490bc78d2eea1668374617fbc8
+  data.tar.gz: bb19421a7885cfa989da7fdb84ee88246efa55662fd05438aeb17c608631a018445eb9e98d500434e41f0fff9f9f3e4275af053a556bf7c3ad9a9c14a1bc5c95

data/.github/workflows/ci.yml

@@ -0,0 +1,78 @@
+name: ci
+on: 
+  pull_request:
+    branches: [master]
+  push:
+    branches: [master, ci-test]
+
+env:
+  DOCKER_REPO: 'sorah/acmesmith'
+
+jobs:
+  test:
+    name: rspec
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby-version: ['2.7', '3.0', '3.1']
+    container:
+      image: public.ecr.aws/sorah/ruby:${{ matrix.ruby-version }}-dev
+    steps:
+      - name: Cache bundled gems
+        uses: actions/cache@v3
+        id: rspec-bundle
+        with:
+          path: ~/bundle
+          key: ${{ runner.os }}-${{ matrix.ruby-version }}
+      - uses: actions/checkout@v3
+      - run: 'apt-get update && apt-get install -y --no-install-recommends nginx'
+      - run: 'bundle install --path ~/bundle'
+      - run: 'bundle exec rspec -fd'
+
+        #docker-build:
+        #  name: docker-build
+        #  runs-on: ubuntu-latest
+        #  steps:
+        #    - uses: actions/checkout@master
+        #    - run: 'echo $GITHUB_SHA > REVISION'
+
+        #    - run: "docker pull ${DOCKER_REPO}:latest || :"
+        #    - name: "docker tag ${DOCKER_REPO}:${TAG} ${DOCKER_REPO}:latest"
+        #      run: |
+        #        TAG=$(basename "${{ github.ref }}")
+        #        docker pull ${DOCKER_REPO}:${TAG} || :
+        #        docker tag ${DOCKER_REPO}:${TAG} ${DOCKER_REPO}:latest || :
+        #      if: "${{ startsWith(github.ref, 'refs/tags/v') }}"
+
+        #    - run: "docker pull ${DOCKER_REPO}:builder || :"
+
+        #    - run: "docker build --pull --cache-from ${DOCKER_REPO}:builder --target builder -t ${DOCKER_REPO}:builder -f Dockerfile ."
+        #    - run: "docker build --pull --cache-from ${DOCKER_REPO}:builder --cache-from ${DOCKER_REPO}:latest -t ${DOCKER_REPO}:${GITHUB_SHA} -f Dockerfile ."
+
+        #    - run: "echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login -u sorah --password-stdin"
+        #      if: "${{ github.event_name != 'pull_request' }}"
+
+        #    - run: "docker push ${DOCKER_REPO}:builder"
+        #      if: "${{ github.ref == 'refs/heads/master' }}"
+        #    - run: "docker push ${DOCKER_REPO}:${GITHUB_SHA}"
+        #      if: "${{ github.event_name != 'pull_request' }}"
+
+        #docker-push:
+        #  name: docker-push
+        #  needs: [test, integration-pebble, docker-build]
+        #  if: "${{ github.event_name == 'push' || github.event_name == 'create' }}"
+        #  runs-on: ubuntu-latest
+        #  steps:
+        #    - run: "echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login -u sorah --password-stdin"
+        #    - run: "docker pull ${DOCKER_REPO}:${GITHUB_SHA}"
+
+        #    - run: |
+        #        docker tag ${DOCKER_REPO}:${GITHUB_SHA} ${DOCKER_REPO}:latest
+        #        docker push ${DOCKER_REPO}:latest
+        #      if: "${{ github.ref == 'refs/heads/master' }}"
+        #    - run: |
+        #        TAG=$(basename "${{ github.ref }}")
+        #        docker tag ${DOCKER_REPO}:${GITHUB_SHA} ${DOCKER_REPO}:${TAG}
+        #        docker push ${DOCKER_REPO}:${TAG}
+        #      if: "${{ startsWith(github.ref, 'refs/tags/v') }}"

data/Dockerfile

@@ -12,6 +12,7 @@ RUN cd /tmp && bundle install -j4 --path vendor/bundle --without 'development te
 WORKDIR /app
 ADD . /app
 RUN cp -a /tmp/.bundle /tmp/vendor /app/
+RUN rm -f /app/.ruby-version
 
 EXPOSE 8080
 ENV RACK_ENV=production

data/Gemfile

@@ -4,4 +4,5 @@ source 'https://rubygems.org'
 gemspec
 
 gem 'omniauth-github'
-gem 'omniauth-google-oauth2'
+gem 'omniauth-google-oauth2', '>= 0.3.1'
+gem 'unicorn'

data/README.md

@@ -1,5 +1,7 @@
 # NginxOmniauthAdapter - Use omniauth for nginx `auth_request` 
 
+[![ci](https://github.com/sorah/nginx_omniauth_adapter/actions/workflows/ci.yml/badge.svg)](https://github.com/sorah/nginx_omniauth_adapter/actions/workflows/ci.yml)
+
 Use [omniauth](https://github.com/intridea/omniauth) for your nginx's authentication via ngx_http_auth_request_module.
 
 NginxOmniauthAdapter provides small Rack app (built with Sinatra) for `auth_request`.
@@ -17,7 +19,7 @@ $ cd example/
 $ foreman start
 ```
 
-http://ngx-auth-test.127.0.0.1.xip.io:18080/
+http://ngx-auth-test.lo.nkmiusercontent.com:18080/
 
 (make sure to have nginx on your PATH)
 
@@ -40,13 +42,19 @@ Then write `config.ru` then deploy it. (see ./config.ru for example)
 
 ### Using docker
 
-TBD
+- Prebuilt: https://quay.io/repository/sorah/nginx_omniauth_adapter
+  - Own your risk.
+  - They're built at circleci
+- Build manually: checkout this repo and run `docker build .`.
+  - Much safer.
+  - But if you can't trust upstream image `quay.io/sorah/rbenv:2.2`, write your own Dockerfile. This is just a simple Rack app.
 
 ## Configuration
 
 environment variable is available only on included config.ru (or Docker image).
 
 - `:providers`: omniauth provider names.
+- `:provider_http_header` `$NGX_OMNIAUTH_PROVIDER_HTTP_HEADER` (string): Name of HTTP header to specify OmniAuth provider to be used (see below). Defaults to 'x-ngx-omniauth-provider`.
 - `:secret` `$NGX_OMNIAUTH_SESSION_SECRET`: Rack session secret. Should be set when not on dev mode
 - `:host` `$NGX_OMNIAUTH_HOST`: URL of adapter. This is used for redirection. Should include protocol (e.g. `http://example.com`.)
   - If this is not specified, adapter will perform redirect using given `Host` header.
@@ -55,6 +63,11 @@ environment variable is available only on included config.ru (or Docker image).
 - `:app_refresh_interval` `NGX_OMNIAUTH_APP_REFRESH_INTERVAL` (integer): Interval to require refresh session cookie on app domain (in second, default 1 day).
 - `:adapter_refresh_interval` `NGX_OMNIAUTH_ADAPTER_REFRESH_INTERVAL` (integer): Interval to require re-logging in on adapter domain (in second, default 3 days).
 
+### Working with multiple OmniAuth providers
+
+When multiple providers are passed to `:providers`, nginx_omniauth_adapter defaults to the first one in list.
+Other providers in list will only be activated for requests with `x-ngx-omniauth-provider` header (key is configurable via `:provider_http_header`).
+
 ### Included config.ru (or Docker)
 
 You can set configuration via environment variables.
@@ -94,6 +107,8 @@ run NginxOmniauthAdapter.app(
 
 ## How it works
 
+![](http://img.sorah.jp/2015-10-08_22.55_2s4hy.png)
+
 1. _browser_ access to restricted area (where `auth_request` has enabled)
 2. _nginx_ sends subrequest to `/_auth/challenge`. It will be proxied to _adapter app_ (`GET /test`)
 3. _adapter app_ `/test` returns 401 when _request (browser)_ doesn't have valid cookie

data/config.ru

@@ -74,6 +74,7 @@ end
 
 run NginxOmniauthAdapter.app(
   providers: providers,
+  provider_http_header: ENV['NGX_OMNIAUTH_PROVIDER_HTTP_HEADER'] || 'x-ngx-omniauth-provider',
   secret: ENV['NGX_OMNIAUTH_SECRET'],
   host: ENV['NGX_OMNIAUTH_HOST'],
   allowed_app_callback_url: allowed_app_callback_url,

data/example/Procfile

@@ -1,3 +1,3 @@
 nginx: nginx -c `pwd`/nginx.conf
-adapter: bundle exec env RACK_ENV=development NGX_OMNIAUTH_HOST=http://ngx-auth.127.0.0.1.xip.io:18080 rackup -p 18081 -o 127.0.0.1 ../config.ru
+adapter: bundle exec env RACK_ENV=development NGX_OMNIAUTH_HOST=http://ngx-auth.lo.nkmiusercontent.com:18080 rackup -p 18081 -o 127.0.0.1 ../config.ru
 app: bundle exec ruby test_backend.rb -p 18082 -o 127.0.0.1

data/example/nginx-site.conf

@@ -6,7 +6,7 @@ upstream auth_adapter {
 }
 server {
   listen 127.0.0.1:18080;
-  server_name ngx-auth.127.0.0.1.xip.io;
+  server_name ngx-auth.lo.nkmiusercontent.com;
 
   location / {
     proxy_pass http://auth_adapter;
@@ -20,12 +20,13 @@ upstream app {
 }
 server {
   listen 127.0.0.1:18080;
-  server_name ngx-auth-test.127.0.0.1.xip.io;
+  server_name ngx-auth-test.lo.nkmiusercontent.com;
 
   # Restricted area
   location / {
     auth_request /_auth/challenge;
     # Trick - do internal redirection when auth_request says "need auth". 
+    proxy_intercept_errors off;
     error_page 401 = /_auth/initiate;
 
     # Receive user info from adapter

data/example/nginx.conf

@@ -1,6 +1,7 @@
 # vim: ft=nginx
 worker_processes 1;
 daemon off;
+pid /tmp/nginx_omniauth_adapter-nginx.pid;
 
 error_log stderr;
 
@@ -13,5 +14,7 @@ http {
 
   server_names_hash_bucket_size 128;
 
+  access_log off;
+
   include nginx-site.conf;
 }

data/example/test_backend.rb

@@ -7,7 +7,7 @@ get '/' do
   {
     provider: request.env['HTTP_X_NGX_OMNIAUTH_PROVIDER'],
     user: request.env['HTTP_X_NGX_OMNIAUTH_USER'],
-    info: JSON.parse(request.env['HTTP_X_NGX_OMNIAUTH_INFO'].unpack('m*')[0]),
+    info: JSON.parse(request.env['HTTP_X_NGX_OMNIAUTH_INFO'].unpack('m0')[0]),
   }.to_json
 end
 

data/lib/nginx_omniauth_adapter/app.rb

@@ -3,6 +3,7 @@ require 'uri'
 require 'time'
 require 'openssl'
 require 'json'
+require 'securerandom'
 
 module NginxOmniauthAdapter
   class App < Sinatra::Base
@@ -44,6 +45,10 @@ module NginxOmniauthAdapter
         adapter_config[:providers]
       end
 
+      def provider_http_header
+        adapter_config[:provider_http_header] || 'x-ngx-omniauth-provider'
+      end
+
       def allowed_back_to_url
         adapter_config[:allowed_back_to_url] || /./
       end
@@ -60,13 +65,30 @@ module NginxOmniauthAdapter
         adapter_config[:policy_proc] || proc { true }
       end
 
+      def log(h={})
+        h = {
+          time: Time.now.xmlschema,
+          severity: :info,
+          logged_in: (!!current_user).inspect,
+          provider: current_user && current_user[:provider],
+          uid: current_user && current_user[:uid],
+          flow_id: current_flow_id,
+        }.merge(h)
+
+        str = h.map { |*kv| kv.join(?:) }.join(?\t)
+
+        puts str
+        if h[:severity] == :warning || h[:severity] == :error
+          $stderr.puts str
+        end
+      end
+
       def default_back_to
         # TODO:
         '/'
       end
 
       def sanitized_back_to_param
-        p params[:back_to]
         if allowed_back_to_url === params[:back_to]
           params[:back_to]
         else
@@ -75,7 +97,6 @@ module NginxOmniauthAdapter
       end
 
       def sanitized_app_callback_param
-        p params[:callback]
         if allowed_app_callback_url === params[:callback]
           params[:callback]
         else
@@ -83,6 +104,14 @@ module NginxOmniauthAdapter
         end
       end
 
+      def set_flow_id!
+        session[:flow_id] = SecureRandom.uuid
+      end
+
+      def current_flow_id
+        session[:flow_id]
+      end
+
       def current_user
         session[:user]
       end
@@ -117,6 +146,7 @@ module NginxOmniauthAdapter
 
       def update_session!(auth = nil)
         unless session[:app_callback]
+          log severity: :error, message: 'missing app_callback'
           raise '[BUG] app_callback is missing'
         end
 
@@ -148,7 +178,12 @@ module NginxOmniauthAdapter
         session.merge!(adapter_session)
 
         session_param = encrypt_session_param(app_session)
+
+        log(message: 'update_session', app_callback: session[:app_callback])
+
         redirect "#{session.delete(:app_callback)}?session=#{session_param}"
+      ensure
+        session[:flow_id] = nil
       end
 
       def secret_key
@@ -212,10 +247,12 @@ module NginxOmniauthAdapter
 
     get '/test' do
       unless current_user
+        log(message: 'test_not_logged_in', original_uri: request.env['HTTP_X_NGX_OMNIAUTH_ORIGINAL_URI'])
         halt 401
       end
 
       if app_authorization_expired?
+        log(message: 'test_app_authorization_expired', original_uri: request.env['HTTP_X_NGX_OMNIAUTH_ORIGINAL_URI'])
         halt 401
       end
 
@@ -226,7 +263,7 @@ module NginxOmniauthAdapter
       headers(
         'x-ngx-omniauth-provider' => current_user[:provider],
         'x-ngx-omniauth-user' => current_user[:uid],
-        'x-ngx-omniauth-info' => [current_user[:info].to_json].pack('m*'),
+        'x-ngx-omniauth-info' => [current_user[:info].to_json].pack('m0'),
       )
 
       content_type :text
@@ -238,34 +275,58 @@ module NginxOmniauthAdapter
       callback = URI.encode_www_form_component(request.env['HTTP_X_NGX_OMNIAUTH_INITIATE_CALLBACK'])
 
       if back_to == '' || callback == '' || back_to.nil? || callback.nil?
+        log(severity: :error, message: 'initiate_no_required_params', back_to: back_to, callback: callback)
         halt 400, {'Content-Type' => 'text/plain'}, 'x-ngx-omniauth-initiate-back-to and x-ngx-omniauth-initiate-callback header are required'
       end
 
+      log(message: 'initiate', adapter_host: adapter_host, back_to: back_to, callback: callback)
+
       redirect "#{adapter_host}/auth?back_to=#{back_to}&callback=#{callback}"
     end
 
     get '/auth' do
-      # TODO: choose provider
+      set_flow_id!
+
+      provider_requested = request.env["HTTP_#{provider_http_header.gsub('-', '_').upcase}"]
+      if provider_requested
+        if providers.include?(provider_requested.to_sym)
+          provider = provider_requested.to_sym
+        else
+          halt 401, {'Content-Type' => 'text/plain'}, 'requested provider not available'
+        end
+      else
+        # default to the first provider in list
+        provider = providers[0]
+      end
+
       session[:back_to] = sanitized_back_to_param
       session[:app_callback] = sanitized_app_callback_param
-      p [:auth, session]
+
+      if session[:back_to] == '' || session[:app_callback] == '' || session[:back_to].nil? || session[:app_callback].nil?
+        log(severity: :error, message: 'auth_invalid_params', back_to: params[:back_to], callback: params[:callback])
+        halt 400, {'Content-Type' => 'text/plain'}, 'back_to or/and app_callback is invalid'
+      end
 
       if current_user && !adapter_authorization_expired?
-        p [:auth, :update]
+        log(message: 'auth_refresh_app', back_to: params[:back_to], callback: params[:callback])
         update_session!
       else
-        p [:auth, :redirect]
-        redirect "#{adapter_host}/auth/#{providers[0]}"
+        log(message: 'auth', provider: provider, back_to: params[:back_to], callback: params[:callback])
+        redirect "#{adapter_host}/auth/#{provider}"
       end
     end
 
     omniauth_callback = proc do
+
       session[:user_data] = {}
 
       unless instance_eval(&on_login_proc)
+        log(severity: :warning, message: 'omniauth_callback_forbidden', new_uid: env['omniauth.auth'][:uid])
         halt 403, {'Content-Type' => 'text/plain'}, 'Forbidden (on_login_proc policy)'
       end
 
+      log(message: 'omniauth_callback', new_uid: env['omniauth.auth'][:uid])
+
       session[:logged_in_at] = Time.now.xmlschema
       update_session! env['omniauth.auth']
     end
@@ -275,6 +336,7 @@ module NginxOmniauthAdapter
     get '/callback' do # app side
       app_session = decrypt_session_param(params[:session])
       session.merge!(app_session)
+      log(message: 'app_callback', back_to: session[:back_to])
       redirect session.delete(:back_to)
     end
   end

data/lib/nginx_omniauth_adapter/version.rb

@@ -1,3 +1,3 @@
 module NginxOmniauthAdapter
-  VERSION = "0.2.0"
+  VERSION = "1.1.0"
 end

data/nginx_omniauth_adapter.gemspec

@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
   spec.require_paths = ["lib"]
 
   spec.add_dependency "sinatra"
-  spec.add_dependency "omniauth"
+  spec.add_dependency "omniauth", '< 2'
 
   spec.add_development_dependency "bundler"
   spec.add_development_dependency "rake"

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: nginx_omniauth_adapter
 version: !ruby/object:Gem::Version
-  version: 0.2.0
+  version: 1.1.0
 platform: ruby
 authors:
 - Shota Fukumori (sora_h)
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-09-02 00:00:00.000000000 Z
+date: 2022-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: sinatra
@@ -28,16 +28,16 @@ dependencies:
   name: omniauth
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ">="
+    - - "<"
       - !ruby/object:Gem::Version
-        version: '0'
+        version: '2'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
@@ -108,13 +108,14 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
-description: 
+description:
 email:
 - her@sorah.jp
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/ci.yml"
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
@@ -138,7 +139,7 @@ homepage: https://github.com/sorah/nginx_omniauth_adapter
 licenses:
 - MIT
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -153,9 +154,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.5.0
-signing_key: 
+rubygems_version: 3.4.0.dev
+signing_key:
 specification_version: 4
 summary: omniauth adapter for ngx_http_auth_request_module
 test_files: []