nginx_omniauth_adapter 1.0.0 → 1.1.0
- checksums.yaml +5 -5
- data/.github/workflows/ci.yml +78 -0
- data/Dockerfile +1 -0
- data/Gemfile +1 -2
- data/README.md +8 -2
- data/config.ru +1 -0
- data/example/Procfile +1 -1
- data/example/nginx-site.conf +2 -2
- data/example/test_backend.rb +1 -1
- data/lib/nginx_omniauth_adapter/app.rb +19 -4
- data/lib/nginx_omniauth_adapter/version.rb +1 -1
- data/nginx_omniauth_adapter.gemspec +1 -1
- metadata +12 -13
- data/circle.yml +0 -35
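--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
-
-metadata.gz:
-data.tar.gz:
+SHA256:
+metadata.gz: 66f14d6c854ca770e18ee0898ed71488b40d74dca518e543035cef0940d9f228
+data.tar.gz: 23e54318a5efbd0f6dd2b020b4454d16b8e6f847982d9a379256244e48edbdc9
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: f893093f330d8b3cbacec6d3a1366f44da12cc0fe9eb75b68f0c2ff075ba7cdeb6c0a71a52e4d4283642562e8c6b4b79f7378b490bc78d2eea1668374617fbc8
+data.tar.gz: bb19421a7885cfa989da7fdb84ee88246efa55662fd05438aeb17c608631a018445eb9e98d500434e41f0fff9f9f3e4275af053a556bf7c3ad9a9c14a1bc5c95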
@@ -0,0 +1,78 @@
|
|
1
|
+
name: ci
|
2
|
+
on:
|
3
|
+
pull_request:
|
4
|
+
branches: [master]
|
5
|
+
push:
|
6
|
+
branches: [master, ci-test]
|
7
|
+
|
8
|
+
env:
|
9
|
+
DOCKER_REPO: 'sorah/acmesmith'
|
10
|
+
|
11
|
+
jobs:
|
12
|
+
test:
|
13
|
+
name: rspec
|
14
|
+
runs-on: ubuntu-latest
|
15
|
+
strategy:
|
16
|
+
fail-fast: false
|
17
|
+
matrix:
|
18
|
+
ruby-version: ['2.7', '3.0', '3.1']
|
19
|
+
container:
|
20
|
+
image: public.ecr.aws/sorah/ruby:${{ matrix.ruby-version }}-dev
|
21
|
+
steps:
|
22
|
+
- name: Cache bundled gems
|
23
|
+
uses: actions/cache@v3
|
24
|
+
id: rspec-bundle
|
25
|
+
with:
|
26
|
+
path: ~/bundle
|
27
|
+
key: ${{ runner.os }}-${{ matrix.ruby-version }}
|
28
|
+
- uses: actions/checkout@v3
|
29
|
+
- run: 'apt-get update && apt-get install -y --no-install-recommends nginx'
|
30
|
+
- run: 'bundle install --path ~/bundle'
|
31
|
+
- run: 'bundle exec rspec -fd'
|
32
|
+
|
33
|
+
#docker-build:
|
34
|
+
# name: docker-build
|
35
|
+
# runs-on: ubuntu-latest
|
36
|
+
# steps:
|
37
|
+
# - uses: actions/checkout@master
|
38
|
+
# - run: 'echo $GITHUB_SHA > REVISION'
|
39
|
+
|
40
|
+
# - run: "docker pull ${DOCKER_REPO}:latest || :"
|
41
|
+
# - name: "docker tag ${DOCKER_REPO}:${TAG} ${DOCKER_REPO}:latest"
|
42
|
+
# run: |
|
43
|
+
# TAG=$(basename "${{ github.ref }}")
|
44
|
+
# docker pull ${DOCKER_REPO}:${TAG} || :
|
45
|
+
# docker tag ${DOCKER_REPO}:${TAG} ${DOCKER_REPO}:latest || :
|
46
|
+
# if: "${{ startsWith(github.ref, 'refs/tags/v') }}"
|
47
|
+
|
48
|
+
# - run: "docker pull ${DOCKER_REPO}:builder || :"
|
49
|
+
|
50
|
+
# - run: "docker build --pull --cache-from ${DOCKER_REPO}:builder --target builder -t ${DOCKER_REPO}:builder -f Dockerfile ."
|
51
|
+
# - run: "docker build --pull --cache-from ${DOCKER_REPO}:builder --cache-from ${DOCKER_REPO}:latest -t ${DOCKER_REPO}:${GITHUB_SHA} -f Dockerfile ."
|
52
|
+
|
53
|
+
# - run: "echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login -u sorah --password-stdin"
|
54
|
+
# if: "${{ github.event_name != 'pull_request' }}"
|
55
|
+
|
56
|
+
# - run: "docker push ${DOCKER_REPO}:builder"
|
57
|
+
# if: "${{ github.ref == 'refs/heads/master' }}"
|
58
|
+
# - run: "docker push ${DOCKER_REPO}:${GITHUB_SHA}"
|
59
|
+
# if: "${{ github.event_name != 'pull_request' }}"
|
60
|
+
|
61
|
+
#docker-push:
|
62
|
+
# name: docker-push
|
63
|
+
# needs: [test, integration-pebble, docker-build]
|
64
|
+
# if: "${{ github.event_name == 'push' || github.event_name == 'create' }}"
|
65
|
+
# runs-on: ubuntu-latest
|
66
|
+
# steps:
|
67
|
+
# - run: "echo ${{ secrets.DOCKERHUB_TOKEN }} | docker login -u sorah --password-stdin"
|
68
|
+
# - run: "docker pull ${DOCKER_REPO}:${GITHUB_SHA}"
|
69
|
+
|
70
|
+
# - run: |
|
71
|
+
# docker tag ${DOCKER_REPO}:${GITHUB_SHA} ${DOCKER_REPO}:latest
|
72
|
+
# docker push ${DOCKER_REPO}:latest
|
73
|
+
# if: "${{ github.ref == 'refs/heads/master' }}"
|
74
|
+
# - run: |
|
75
|
+
# TAG=$(basename "${{ github.ref }}")
|
76
|
+
# docker tag ${DOCKER_REPO}:${GITHUB_SHA} ${DOCKER_REPO}:${TAG}
|
77
|
+
# docker push ${DOCKER_REPO}:${TAG}
|
78
|
+
# if: "${{ startsWith(github.ref, 'refs/tags/v') }}"
|
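Review bot: The workflow sets no `permissions:` block, so the `test` job runs with the repository's default `GITHUB_TOKEN` scope although the visible steps only check out, install and run rspec; a top-level `permissions:` with `contents: read` would make that explicit. `actions/cache@v3` and `actions/checkout@v3` are referenced by movable tag and the job container by the mutable `public.ecr.aws/sorah/ruby:${{ matrix.ruby-version }}-dev` tag, so the code executed in CI can change without a commit in this repository; pinning the two actions to full commit SHAs is the usual tightening. `DOCKER_REPO: 'sorah/acmesmith'` appears to name a different project and is read only by the commented-out docker jobs, so it should be corrected or dropped before those jobs are enabled.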
data/Dockerfile
CHANGED
data/Gemfile
CHANGED
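--- a/data/README.md
+++ b/data/README.md
@@ -1,6 +1,6 @@
 # NginxOmniauthAdapter - Use omniauth for nginx `auth_request`
 
-[![
+[![ci](https://github.com/sorah/nginx_omniauth_adapter/actions/workflows/ci.yml/badge.svg)](https://github.com/sorah/nginx_omniauth_adapter/actions/workflows/ci.yml)
 
 Use [omniauth](https://github.com/intridea/omniauth) for your nginx's authentication via ngx_http_auth_request_module.
 
@@ -19,7 +19,7 @@ $ cd example/
 $ foreman start
 ```
 
-http://ngx-auth-test.
+http://ngx-auth-test.lo.nkmiusercontent.com:18080/
 
 (make sure to have nginx on your PATH)
 
@@ -54,6 +54,7 @@ Then write `config.ru` then deploy it. (see ./config.ru for example)
 environment variable is available only on included config.ru (or Docker image).
 
 - `:providers`: omniauth provider names.
+- `:provider_http_header` `$NGX_OMNIAUTH_PROVIDER_HTTP_HEADER` (string): Name of HTTP header to specify OmniAuth provider to be used (see below). Defaults to 'x-ngx-omniauth-provider`.
 - `:secret` `$NGX_OMNIAUTH_SESSION_SECRET`: Rack session secret. Should be set when not on dev mode
 - `:host` `$NGX_OMNIAUTH_HOST`: URL of adapter. This is used for redirection. Should include protocol (e.g. `http://example.com`.)
 - If this is not specified, adapter will perform redirect using given `Host` header.
@@ -62,6 +63,11 @@ environment variable is available only on included config.ru (or Docker image).
 - `:app_refresh_interval` `NGX_OMNIAUTH_APP_REFRESH_INTERVAL` (integer): Interval to require refresh session cookie on app domain (in second, default 1 day).
 - `:adapter_refresh_interval` `NGX_OMNIAUTH_ADAPTER_REFRESH_INTERVAL` (integer): Interval to require re-logging in on adapter domain (in second, default 3 days).
 
+### Working with multiple OmniAuth providers
+
+When multiple providers are passed to `:providers`, nginx_omniauth_adapter defaults to the first one in list.
+Other providers in list will only be activated for requests with `x-ngx-omniauth-provider` header (key is configurable via `:provider_http_header`).
+
 ### Included config.ru (or Docker)
 
 You can set configuration via environment variables.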
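--- a/data/config.ru
+++ b/data/config.ru
@@ -74,6 +74,7 @@ end
 
 run NginxOmniauthAdapter.app(
 providers: providers,
+provider_http_header: ENV['NGX_OMNIAUTH_PROVIDER_HTTP_HEADER'] || 'x-ngx-omniauth-provider',
 secret: ENV['NGX_OMNIAUTH_SECRET'],
 host: ENV['NGX_OMNIAUTH_HOST'],
 allowed_app_callback_url: allowed_app_callback_url,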
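--- a/data/example/Procfile
+++ b/data/example/Procfile
@@ -1,3 +1,3 @@
 nginx: nginx -c `pwd`/nginx.conf
-adapter: bundle exec env RACK_ENV=development NGX_OMNIAUTH_HOST=http://ngx-auth.
+adapter: bundle exec env RACK_ENV=development NGX_OMNIAUTH_HOST=http://ngx-auth.lo.nkmiusercontent.com:18080 rackup -p 18081 -o 127.0.0.1 ../config.ru
 app: bundle exec ruby test_backend.rb -p 18082 -o 127.0.0.1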
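--- a/data/example/nginx-site.conf
+++ b/data/example/nginx-site.conf
@@ -6,7 +6,7 @@ upstream auth_adapter {
 }
 server {
 listen 127.0.0.1:18080;
-server_name ngx-auth.
+server_name ngx-auth.lo.nkmiusercontent.com;
 
 location / {
 proxy_pass http://auth_adapter;
@@ -20,7 +20,7 @@ upstream app {
 }
 server {
 listen 127.0.0.1:18080;
-server_name ngx-auth-test.
+server_name ngx-auth-test.lo.nkmiusercontent.com;
 
 # Restricted area
 location / {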
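--- a/data/example/test_backend.rb
+++ b/data/example/test_backend.rb
@@ -7,7 +7,7 @@ get '/' do
 {
 provider: request.env['HTTP_X_NGX_OMNIAUTH_PROVIDER'],
 user: request.env['HTTP_X_NGX_OMNIAUTH_USER'],
-info: JSON.parse(request.env['HTTP_X_NGX_OMNIAUTH_INFO'].unpack('
+info: JSON.parse(request.env['HTTP_X_NGX_OMNIAUTH_INFO'].unpack('m0')[0]),
 }.to_json
 end
 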
@@ -45,6 +45,10 @@ module NginxOmniauthAdapter
|
|
45
45
|
adapter_config[:providers]
|
46
46
|
end
|
47
47
|
|
48
|
+
def provider_http_header
|
49
|
+
adapter_config[:provider_http_header] || 'x-ngx-omniauth-provider'
|
50
|
+
end
|
51
|
+
|
48
52
|
def allowed_back_to_url
|
49
53
|
adapter_config[:allowed_back_to_url] || /./
|
50
54
|
end
|
@@ -259,7 +263,7 @@ module NginxOmniauthAdapter
|
|
259
263
|
headers(
|
260
264
|
'x-ngx-omniauth-provider' => current_user[:provider],
|
261
265
|
'x-ngx-omniauth-user' => current_user[:uid],
|
262
|
-
'x-ngx-omniauth-info' => [current_user[:info].to_json].pack('
|
266
|
+
'x-ngx-omniauth-info' => [current_user[:info].to_json].pack('m0'),
|
263
267
|
)
|
264
268
|
|
265
269
|
content_type :text
|
@@ -283,7 +287,18 @@ module NginxOmniauthAdapter
|
|
283
287
|
get '/auth' do
|
284
288
|
set_flow_id!
|
285
289
|
|
286
|
-
|
290
|
+
provider_requested = request.env["HTTP_#{provider_http_header.gsub('-', '_').upcase}"]
|
291
|
+
if provider_requested
|
292
|
+
if providers.include?(provider_requested.to_sym)
|
293
|
+
provider = provider_requested.to_sym
|
294
|
+
else
|
295
|
+
halt 401, {'Content-Type' => 'text/plain'}, 'requested provider not available'
|
296
|
+
end
|
297
|
+
else
|
298
|
+
# default to the first provider in list
|
299
|
+
provider = providers[0]
|
300
|
+
end
|
301
|
+
|
287
302
|
session[:back_to] = sanitized_back_to_param
|
288
303
|
session[:app_callback] = sanitized_app_callback_param
|
289
304
|
|
@@ -296,8 +311,8 @@ module NginxOmniauthAdapter
|
|
296
311
|
log(message: 'auth_refresh_app', back_to: params[:back_to], callback: params[:callback])
|
297
312
|
update_session!
|
298
313
|
else
|
299
|
-
log(message: 'auth', provider:
|
300
|
-
redirect "#{adapter_host}/auth/#{
|
314
|
+
log(message: 'auth', provider: provider, back_to: params[:back_to], callback: params[:callback])
|
315
|
+
redirect "#{adapter_host}/auth/#{provider}"
|
301
316
|
end
|
302
317
|
end
|
303
318
|
|
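Review bot: In the `get '/auth'` hunk the provider is taken from a request header (`request.env["HTTP_#{provider_http_header.gsub('-', '_').upcase}"]`), and nothing visible here establishes that only nginx can set it; if the proxy in front forwards client headers unchanged, any client can select any entry in `providers` rather than the default. That matters when the configured providers are not equally trusted, so I would add a comment above the lookup such as `# SECURITY: this header must be set (or cleared) by the trusted nginx config; a client-supplied value selects the provider` and have the README tell operators to set it explicitly with `proxy_set_header`. Whether the `/test` handler checks that the session's `current_user[:provider]` is the one the protected app requires is not visible in these hunks and is worth confirming. Recording the rejected value with the existing `log(...)` helper before `halt 401` would also make probing of provider names visible. The route body starts and ends outside the hunks shown.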
@@ -19,7 +19,7 @@ Gem::Specification.new do |spec|
|
|
19
19
|
spec.require_paths = ["lib"]
|
20
20
|
|
21
21
|
spec.add_dependency "sinatra"
|
22
|
-
spec.add_dependency "omniauth"
|
22
|
+
spec.add_dependency "omniauth", '< 2'
|
23
23
|
|
24
24
|
spec.add_development_dependency "bundler"
|
25
25
|
spec.add_development_dependency "rake"
|
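Review bot: The new constraint `spec.add_dependency "omniauth", '< 2'` carries no explanation and no lower bound, so it silently keeps the adapter on the 1.x line. omniauth 2.0 made the request phase POST-only with an authenticity check by default, while the `/auth` route in this release still issues a GET `redirect "#{adapter_host}/auth/#{provider}"`, which is presumably why 2.x is excluded. I would state that on the line, e.g. `# omniauth 2 requires POST + authenticity token on the request phase; adapter still redirects via GET (TODO: migrate)`, so the pin is tracked as a gap to close rather than a permanent ceiling. The `Gem::Specification` block starts and ends outside the hunk.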
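--- a/metadata
+++ b/metadata
@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: nginx_omniauth_adapter
 version: !ruby/object:Gem::Version
-version: 1.
+version: 1.1.0
 platform: ruby
 authors:
 - Shota Fukumori (sora_h)
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date:
+date: 2022-10-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: sinatra
@@ -28,16 +28,16 @@ dependencies:
 name: omniauth
 requirement: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - "<"
 - !ruby/object:Gem::Version
-version: '
+version: '2'
 type: :runtime
 prerelease: false
 version_requirements: !ruby/object:Gem::Requirement
 requirements:
-- - "
+- - "<"
 - !ruby/object:Gem::Version
-version: '
+version: '2'
 - !ruby/object:Gem::Dependency
 name: bundler
 requirement: !ruby/object:Gem::Requirement
@@ -108,13 +108,14 @@ dependencies:
 - - ">="
 - !ruby/object:Gem::Version
 version: '0'
-description:
+description:
 email:
 - her@sorah.jp
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".github/workflows/ci.yml"
 - ".gitignore"
 - ".rspec"
 - ".travis.yml"
@@ -123,7 +124,6 @@ files:
 - LICENSE.txt
 - README.md
 - Rakefile
-- circle.yml
 - config.ru
 - example/Procfile
 - example/nginx-site.conf
@@ -139,7 +139,7 @@ homepage: https://github.com/sorah/nginx_omniauth_adapter
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -154,9 +154,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 - !ruby/object:Gem::Version
 version: '0'
 requirements: []
-
-
-signing_key:
+rubygems_version: 3.4.0.dev
+signing_key:
 specification_version: 4
 summary: omniauth adapter for ngx_http_auth_request_module
 test_files: []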
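--- a/data/circle.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-machine:
-services:
-- docker
-ruby:
-version: 2.2.3
-
-dependencies:
-cache_directories:
-- bin
-- ~/docker
-pre:
-- sudo apt-get install nginx
-- if [ ! -d bin ]; then mkdir bin; fi
-- if [ ! -x bin/git-set-mtime ]; then curl -o bin/git-set-mtime https://drone.io/github.com/rosylilly/git-set-mtime/files/artifacts/bin/linux_amd64/git-set-mtime && chmod +x bin/git-set-mtime; fi
-- docker login -u "${DOCKER_USER}" -p "${DOCKER_PASSWORD}" -e "${DOCKER_EMAIL}" https://quay.io
-- bin/git-set-mtime
-- mkdir -p ~/docker
-- if [[ -e ~/docker/cache.tar ]]; then docker load -i ~/docker/cache.tar; fi
-- docker pull quay.io/sorah/rbenv:2.2
-- BASE_ID="$(docker inspect -f '{{.Id}}' quay.io/sorah/rbenv:2.2)"; if [[ "_${BASE_ID}" != "_$(cat ~/docker/cache.id)" ]]; then docker save quay.io/sorah/rbenv:2.2 > ~/docker/cache.tar && echo "${BASE_ID}" > ~/docker/cache.id; fi
-- docker pull quay.io/sorah/nginx_omniauth_adapter:latest
-- docker build -t quay.io/sorah/nginx_omniauth_adapter:${CIRCLE_SHA1} .
-
-test:
-override:
-- bundle exec env ADAPTER_DOCKER=quay.io/sorah/nginx_omniauth_adapter:${CIRCLE_SHA1} rspec spec/integration_spec.rb
-- "echo '==== LOG ====' && cat /tmp/nginx_omniauth_helper.spec.log"
-
-deployment:
-production:
-branch: master
-commands:
-- docker tag -f quay.io/sorah/nginx_omniauth_adapter:${CIRCLE_SHA1} quay.io/sorah/nginx_omniauth_adapter:latest
-- docker push quay.io/sorah/nginx_omniauth_adapter:${CIRCLE_SHA1}
-- docker push quay.io/sorah/nginx_omniauth_adapter:latest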